7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe
Size

460KB
MD5

a2546e26c5bf4dc5c5f3f3e173412618
SHA1

bbe054795a329a9e7bb874cd3714360d75ba7dfe
SHA256

7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7
SHA512

95bf0a97ddf141642d46a64ce79a5f599de0147fd8b9a0fc90acdf00dbf983608cd762055a425e85750f061235f6f0919393a05d90e107fe380fbc1fa3640fb0
SSDEEP

12288:gggZ8iH5Pbd3bik6cT0MPJdpY6qVD6G8Jsyq0Sy22qw4Ea3Ygsfn7nRa:++4tbipCFS6qVD6GEsyqJ14a3+n9a

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	ukne.exe

Deletes itself 1 IoCs

pid	Process
1812	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	ukne.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ukne = "C:\\Users\\Admin\\AppData\\Roaming\\Idju\\ukne.exe"	ukne.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe
1928	ukne.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1928	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	28
PID 2036 wrote to memory of 1928	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	28
PID 2036 wrote to memory of 1928	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	28
PID 2036 wrote to memory of 1928	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	28
PID 1928 wrote to memory of 1120	1928	ukne.exe	12
PID 1928 wrote to memory of 1120	1928	ukne.exe	12
PID 1928 wrote to memory of 1120	1928	ukne.exe	12
PID 1928 wrote to memory of 1120	1928	ukne.exe	12
PID 1928 wrote to memory of 1120	1928	ukne.exe	12
PID 1928 wrote to memory of 1176	1928	ukne.exe	13
PID 1928 wrote to memory of 1176	1928	ukne.exe	13
PID 1928 wrote to memory of 1176	1928	ukne.exe	13
PID 1928 wrote to memory of 1176	1928	ukne.exe	13
PID 1928 wrote to memory of 1176	1928	ukne.exe	13
PID 1928 wrote to memory of 1212	1928	ukne.exe	14
PID 1928 wrote to memory of 1212	1928	ukne.exe	14
PID 1928 wrote to memory of 1212	1928	ukne.exe	14
PID 1928 wrote to memory of 1212	1928	ukne.exe	14
PID 1928 wrote to memory of 1212	1928	ukne.exe	14
PID 1928 wrote to memory of 2036	1928	ukne.exe	27
PID 1928 wrote to memory of 2036	1928	ukne.exe	27
PID 1928 wrote to memory of 2036	1928	ukne.exe	27
PID 1928 wrote to memory of 2036	1928	ukne.exe	27
PID 1928 wrote to memory of 2036	1928	ukne.exe	27
PID 2036 wrote to memory of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29
PID 2036 wrote to memory of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29
PID 2036 wrote to memory of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29
PID 2036 wrote to memory of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29
PID 2036 wrote to memory of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29
PID 2036 wrote to memory of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29
PID 2036 wrote to memory of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29
PID 2036 wrote to memory of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29
PID 2036 wrote to memory of 1812	2036	7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe	29
PID 1928 wrote to memory of 636	1928	ukne.exe	30
PID 1928 wrote to memory of 636	1928	ukne.exe	30
PID 1928 wrote to memory of 636	1928	ukne.exe	30
PID 1928 wrote to memory of 636	1928	ukne.exe	30
PID 1928 wrote to memory of 636	1928	ukne.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe
  "C:\Users\Admin\AppData\Local\Temp\7d90e1de880e7a2bec1f793cf1deca14533d0babecd085bdfa4db49bb5e50cb7.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\Idju\ukne.exe
    "C:\Users\Admin\AppData\Roaming\Idju\ukne.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\NTVC99.bat"
    3⤵
    - Deletes itself
    PID:1812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20860140562077549294-12936833091875970605-6862444671886358810-707350413-1550065785"
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NTVC99.bat

Filesize
302B

MD5
4e64f3be3972c2629c82e6910db8186b

SHA1
aa048c4c71221841f65155cdeab5e34c00574084

SHA256
890b715b1bb029c10e80d8d289410ac9c884a0487f7c771678ca9e4756f51ff3

SHA512
7841fc1f0ae8e6a996a0b45c70f1b5a235548321268437960502ae168683df7c3be8cc73f326675ee1cb85a24d5d618cdbda9011a65b31d19d0998478e5d8a2e

Download Submit
C:\Users\Admin\AppData\Roaming\Idju\ukne.exe

Filesize
460KB

MD5
6940051ef0e5ed26c78995742b3eb455

SHA1
37d695ae450720b1c72226b7d848690740999091

SHA256
0e1e92d8650eec531a2138481f314a195a77742d3ea51f46647d0e322952313a

SHA512
ea6b47ba740df090cd7f382d0d909183dd32a102846382d942aaa756295bc7d4bc5ed09beadbc590919c4dcf488f9ff74727c8c15d19b67a5f9ab01ced7544a5

Download Submit
C:\Users\Admin\AppData\Roaming\Idju\ukne.exe

Filesize
460KB

MD5
6940051ef0e5ed26c78995742b3eb455

SHA1
37d695ae450720b1c72226b7d848690740999091

SHA256
0e1e92d8650eec531a2138481f314a195a77742d3ea51f46647d0e322952313a

SHA512
ea6b47ba740df090cd7f382d0d909183dd32a102846382d942aaa756295bc7d4bc5ed09beadbc590919c4dcf488f9ff74727c8c15d19b67a5f9ab01ced7544a5

Download Submit
\Users\Admin\AppData\Roaming\Idju\ukne.exe

Filesize
460KB

MD5
6940051ef0e5ed26c78995742b3eb455

SHA1
37d695ae450720b1c72226b7d848690740999091

SHA256
0e1e92d8650eec531a2138481f314a195a77742d3ea51f46647d0e322952313a

SHA512
ea6b47ba740df090cd7f382d0d909183dd32a102846382d942aaa756295bc7d4bc5ed09beadbc590919c4dcf488f9ff74727c8c15d19b67a5f9ab01ced7544a5

Download Submit
memory/636-113-0x0000000001B50000-0x0000000001B99000-memory.dmp

Filesize
292KB

Download
memory/636-115-0x0000000001B50000-0x0000000001B99000-memory.dmp

Filesize
292KB

Download
memory/636-114-0x0000000001B50000-0x0000000001B99000-memory.dmp

Filesize
292KB

Download
memory/636-112-0x0000000001B50000-0x0000000001B99000-memory.dmp

Filesize
292KB

Download
memory/1120-66-0x0000000001D50000-0x0000000001D99000-memory.dmp

Filesize
292KB

Download
memory/1120-65-0x0000000001D50000-0x0000000001D99000-memory.dmp

Filesize
292KB

Download
memory/1120-67-0x0000000001D50000-0x0000000001D99000-memory.dmp

Filesize
292KB

Download
memory/1120-64-0x0000000001D50000-0x0000000001D99000-memory.dmp

Filesize
292KB

Download
memory/1120-62-0x0000000001D50000-0x0000000001D99000-memory.dmp

Filesize
292KB

Download
memory/1176-70-0x0000000001B80000-0x0000000001BC9000-memory.dmp

Filesize
292KB

Download
memory/1176-71-0x0000000001B80000-0x0000000001BC9000-memory.dmp

Filesize
292KB

Download
memory/1176-72-0x0000000001B80000-0x0000000001BC9000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x0000000001B80000-0x0000000001BC9000-memory.dmp

Filesize
292KB

Download
memory/1212-78-0x0000000002930000-0x0000000002979000-memory.dmp

Filesize
292KB

Download
memory/1212-76-0x0000000002930000-0x0000000002979000-memory.dmp

Filesize
292KB

Download
memory/1212-77-0x0000000002930000-0x0000000002979000-memory.dmp

Filesize
292KB

Download
memory/1212-79-0x0000000002930000-0x0000000002979000-memory.dmp

Filesize
292KB

Download
memory/1812-102-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1812-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1812-99-0x0000000000083B6A-mapping.dmp

Download
memory/1812-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1812-109-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1812-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1812-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1812-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1812-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1812-94-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1812-96-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1812-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1812-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1928-60-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1928-57-0x0000000000000000-mapping.dmp

Download
memory/2036-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/2036-100-0x00000000006A0000-0x00000000006E9000-memory.dmp

Filesize
292KB

Download
memory/2036-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-85-0x00000000006A0000-0x00000000006E9000-memory.dmp

Filesize
292KB

Download
memory/2036-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-83-0x00000000006A0000-0x00000000006E9000-memory.dmp

Filesize
292KB

Download
memory/2036-82-0x00000000006A0000-0x00000000006E9000-memory.dmp

Filesize
292KB

Download
memory/2036-86-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2036-84-0x00000000006A0000-0x00000000006E9000-memory.dmp

Filesize
292KB

Download
memory/2036-55-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download