d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
Size

35KB
MD5

93b4aece31920c0bf354ca949bb6a203
SHA1

2e345c3c19059b71c742def9ec1a11efcf358355
SHA256

d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39
SHA512

c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42
SSDEEP

768:QKaLbwvm1JlIFNAHRTvxcOHijo2U9pDoj0Wt:QKW5HtDc7jo9n20

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\5rvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1tky.exe"	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe

Executes dropped EXE 2 IoCs

pid	Process
496	1tky.exe
2416	1tky.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4236-132-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4236-135-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/files/0x00030000000006d5-143.dat	upx
behavioral2/files/0x00030000000006d5-142.dat	upx
behavioral2/files/0x00030000000006d5-154.dat	upx
behavioral2/memory/4236-156-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2416-165-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/496-167-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3680	sc.exe
800	sc.exe
664	sc.exe
740	sc.exe
60	sc.exe
1840	sc.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
496	1tky.exe
496	1tky.exe
496	1tky.exe
2416	1tky.exe
2416	1tky.exe
2416	1tky.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 2024	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	82
PID 4236 wrote to memory of 2024	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	82
PID 4236 wrote to memory of 2024	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	82
PID 4236 wrote to memory of 1840	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	84
PID 4236 wrote to memory of 1840	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	84
PID 4236 wrote to memory of 1840	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	84
PID 4236 wrote to memory of 1844	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	85
PID 4236 wrote to memory of 1844	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	85
PID 4236 wrote to memory of 1844	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	85
PID 4236 wrote to memory of 3680	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	88
PID 4236 wrote to memory of 3680	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	88
PID 4236 wrote to memory of 3680	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	88
PID 2024 wrote to memory of 5064	2024	net.exe	91
PID 2024 wrote to memory of 5064	2024	net.exe	91
PID 2024 wrote to memory of 5064	2024	net.exe	91
PID 4236 wrote to memory of 496	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	90
PID 4236 wrote to memory of 496	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	90
PID 4236 wrote to memory of 496	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	90
PID 1844 wrote to memory of 4728	1844	net.exe	92
PID 1844 wrote to memory of 4728	1844	net.exe	92
PID 1844 wrote to memory of 4728	1844	net.exe	92
PID 4236 wrote to memory of 2728	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	93
PID 4236 wrote to memory of 2728	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	93
PID 4236 wrote to memory of 2728	4236	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	93
PID 496 wrote to memory of 1776	496	1tky.exe	103
PID 496 wrote to memory of 1776	496	1tky.exe	103
PID 496 wrote to memory of 1776	496	1tky.exe	103
PID 496 wrote to memory of 800	496	1tky.exe	96
PID 496 wrote to memory of 800	496	1tky.exe	96
PID 496 wrote to memory of 800	496	1tky.exe	96
PID 496 wrote to memory of 3124	496	1tky.exe	98
PID 496 wrote to memory of 3124	496	1tky.exe	98
PID 496 wrote to memory of 3124	496	1tky.exe	98
PID 496 wrote to memory of 664	496	1tky.exe	99
PID 496 wrote to memory of 664	496	1tky.exe	99
PID 496 wrote to memory of 664	496	1tky.exe	99
PID 496 wrote to memory of 2416	496	1tky.exe	101
PID 496 wrote to memory of 2416	496	1tky.exe	101
PID 496 wrote to memory of 2416	496	1tky.exe	101
PID 1776 wrote to memory of 4168	1776	net.exe	104
PID 1776 wrote to memory of 4168	1776	net.exe	104
PID 1776 wrote to memory of 4168	1776	net.exe	104
PID 3124 wrote to memory of 1240	3124	net.exe	105
PID 3124 wrote to memory of 1240	3124	net.exe	105
PID 3124 wrote to memory of 1240	3124	net.exe	105
PID 2416 wrote to memory of 5024	2416	1tky.exe	113
PID 2416 wrote to memory of 5024	2416	1tky.exe	113
PID 2416 wrote to memory of 5024	2416	1tky.exe	113
PID 2416 wrote to memory of 60	2416	1tky.exe	112
PID 2416 wrote to memory of 60	2416	1tky.exe	112
PID 2416 wrote to memory of 60	2416	1tky.exe	112
PID 2416 wrote to memory of 4764	2416	1tky.exe	111
PID 2416 wrote to memory of 4764	2416	1tky.exe	111
PID 2416 wrote to memory of 4764	2416	1tky.exe	111
PID 2416 wrote to memory of 740	2416	1tky.exe	108
PID 2416 wrote to memory of 740	2416	1tky.exe	108
PID 2416 wrote to memory of 740	2416	1tky.exe	108
PID 5024 wrote to memory of 1092	5024	net.exe	114
PID 5024 wrote to memory of 1092	5024	net.exe	114
PID 5024 wrote to memory of 1092	5024	net.exe	114
PID 4764 wrote to memory of 3896	4764	net.exe	115
PID 4764 wrote to memory of 3896	4764	net.exe	115
PID 4764 wrote to memory of 3896	4764	net.exe	115

C:\Users\Admin\AppData\Local\Temp\d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
"C:\Users\Admin\AppData\Local\Temp\d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe"
1⤵
- Adds policy Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:5064
- C:\Windows\SysWOW64\sc.exe
  sc config wscsvc start= DISABLED
  2⤵
  - Launches sc.exe
  PID:1840
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:4728
- C:\Windows\SysWOW64\sc.exe
  sc config SharedAccess start= DISABLED
  2⤵
  - Launches sc.exe
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\1tky.exe
  C:\Users\Admin\AppData\Local\Temp\1tky.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    PID:800
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:1240
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\1tky.exe
    C:\Users\Admin\AppData\Local\Temp\1tky.exe -d4A59E00A9E59D10E23D2DCFB5612EA19528D1F785B7AAF3BCCBC9AEC6E892B777B066077E598AACA91ECAB35A3A4D6CF1B1F20D247312005D9EC542EA4D262C44DCE8E387162C265122FCE4F42B9D9386F450F45B72714E32C9DCABDF41F5B20A4F0BB9B5173F16F1CA3E7B252979CF8539DDEF6D99305405A753E059A1A61D6A6BF78C1D0FD51936451D7822EFD077A0CEDBEAF1917AB9739B7305714F8FD27B8D196EC7C223B11DF85BDEC75D745E7205B1FB32407FF38DDD363E21E5CF7147E0B272D216848B5C243FC760293BDF852E9B2E6E7A93AAB9C78D6ADB60758B3DE637A80CE0950E1817234A6F4331A49A99A697190E8D6610AB4CC5419E16A33FD1D219ACE4D6DDED3384777A7E9438669C075428BAF8A17FCC4C491C36AB58C3F65EE18AFEDF7B6ABE1553AB7AD638817CC47FE85F5517388B980F4711C03B34A1DF0853D91890A4050BFEC03E4E11678428FFD6BAB635502CE017421365CEC038B7A3287C2FA5105F827B4A67368EC916C3E6D6B193974005D87EA108E0AE78EA11BDCD8BA639FB0C16C10FF03DF60A7878685F1C48DF5569F953DBA62958C51C1A61E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      4⤵
      Launches sc.exe
      PID:740
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        5⤵
        
        PID:3896
  - - C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      4⤵
      Launches sc.exe
      PID:60
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        5⤵
        
        PID:1092
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:4168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\slzsmv2rq.bat
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
35KB

MD5
93b4aece31920c0bf354ca949bb6a203

SHA1
2e345c3c19059b71c742def9ec1a11efcf358355

SHA256
d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

SHA512
c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
35KB

MD5
93b4aece31920c0bf354ca949bb6a203

SHA1
2e345c3c19059b71c742def9ec1a11efcf358355

SHA256
d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

SHA512
c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
35KB

MD5
93b4aece31920c0bf354ca949bb6a203

SHA1
2e345c3c19059b71c742def9ec1a11efcf358355

SHA256
d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

SHA512
c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\slzsmv2rq.bat

Filesize
254B

MD5
c320c9cbae74d23b1304815826719f11

SHA1
b61739fb4c2144dc7c786aeaf3df4976db2235b4

SHA256
27d1a39937026f1530fd10b9acc5923074c8cb5e5aad21a73a24b2ef0014d24c

SHA512
401efdf9b7359117bafe1a348ff71a6150e4976ce5c2415689acc87043d586fdbfd56738a2367171452e85008925af9f44c41b994275d89771ce58402aac2620

Download Submit
memory/496-167-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2416-165-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4236-132-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4236-156-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4236-135-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download