8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9

Analysis

max time kernel
183s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe
Size

13KB
MD5

ddd316358e1379f1dc9251f85870d5e9
SHA1

68cd37080c4b7661616b4a56dd0687b1e2c6ecaf
SHA256

8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9
SHA512

6d638b4ed93c7b6f1167382fe937212cff1ec1cb914db3f7e6f50eedb3ef91fdcd3eaab5e5f8994727960bdbcd5d0d34e8327d60eb6aa4a09f9d5f661461782d
SSDEEP

384:hbAi/kAaNJawcudoD7UF91eOPA3kaQPAIH:FAi/SnbcuyD7Uj1

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4960-132-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4960-135-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Neson.sys	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe
File created	C:\Windows\SysWOW64\Centec61.dll	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe
4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe
4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe
4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 5096	4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe	82
PID 4960 wrote to memory of 5096	4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe	82
PID 4960 wrote to memory of 5096	4960	8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe	82

C:\Users\Admin\AppData\Local\Temp\8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe
"C:\Users\Admin\AppData\Local\Temp\8fad339a96dcbe59fc944ec0c564f18b07cdd99a8f02df3590b6eac0d1aac7d9.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8FAD33~1.EXE > nul
  2⤵
  PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Centec61.dll

Filesize
7KB

MD5
b473d5b33eaa5bfe136b5d90dfc8fca9

SHA1
be1e63897ea0464786f1e4c88f3f53ece7d0bd8c

SHA256
78824948d9c962aa03f6da86e4b4ea19425a16658f9cc7589c5cde7de681ef64

SHA512
5b03cc8e7cac98afcab58f6bf04fb66bf1715a17a583ba34a07874c02d57f5b60f369b5957371ff99d4ad2c1382a23e08913fdc51f81ba9a1062d1fcd5bbcadf

Download Submit
memory/4960-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4960-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4960-136-0x0000000010000000-0x0000000010100000-memory.dmp

Filesize
1024KB

Download