5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2023, 10:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
Size

736KB
MD5

ff2094fd7c2a1a0c184043125709153c
SHA1

124b5fc18c34e4a8eaa980cab55f0be2c133ce79
SHA256

5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147
SHA512

9c930adb19192793612d0ad5e6fdde4055926e2f40b07cc800f1ae4158cac95287e2f5c304f5f42ee926e47ccb97c5afa1d4e348e8e609fc4790fe49c2034381
SSDEEP

12288:VuldXWz7yXxbSBudVOxpdDvi/wdFC4cs06jvCso7ZF9V6p:VuldXWz7yXxGBWVcpd2odo4T0SKsEF9K

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1436	Tool.exe
4480	Yun.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\org.Tool = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Tool\\Tool.exe"	Tool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\org.Yun = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Tool\\Yun.exe"	Yun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.Xun = "C:\\Users\\Admin\\AppData\\Local\\XunSDK\\2.98\\Saved\\Files\\Xun.exe"	Tool.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3172	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
3172	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
3172	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
3172	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
1436	Tool.exe
1436	Tool.exe
1436	Tool.exe
1436	Tool.exe
1436	Tool.exe
1436	Tool.exe
1436	Tool.exe
1436	Tool.exe
4480	Yun.exe
4480	Yun.exe
1436	Tool.exe
1436	Tool.exe
4480	Yun.exe
4480	Yun.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3172	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
3172	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
1436	Tool.exe
1436	Tool.exe
4480	Yun.exe
4480	Yun.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 1436	3172	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe	92
PID 3172 wrote to memory of 1436	3172	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe	92
PID 3172 wrote to memory of 1436	3172	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe	92
PID 1436 wrote to memory of 4480	1436	Tool.exe	94
PID 1436 wrote to memory of 4480	1436	Tool.exe	94
PID 1436 wrote to memory of 4480	1436	Tool.exe	94

C:\Users\Admin\AppData\Local\Temp\5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
"C:\Users\Admin\AppData\Local\Temp\5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe
  C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe
    Yun.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit