fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2023, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe
Size

736KB
MD5

7e68774f6824e0f1615cd826c36d6033
SHA1

e3171208b6baae1b7b982c03977d02761ffbc543
SHA256

fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978
SHA512

4eff7327bf55c961b108b32250c450ab93cb8f655d33d20757c7f4303e78cddb1155e552dcd52e620396bda7cb7a249614b169f18f6f531259ade565770f99f5
SSDEEP

12288:VuldXWz7yXxbSBudVOxpdDvi/wdFC4cs06jvCso7ZF9V6w:VuldXWz7yXxGBWVcpd2odo4T0SKsEF9z

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4952	Tool.exe
424	Yun.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\org.Tool = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Tool\\Tool.exe"	Tool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\org.Yun = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Tool\\Yun.exe"	Yun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\com.Xun = "C:\\Users\\Admin\\AppData\\Local\\XunSDK\\2.98\\Saved\\Files\\Xun.exe"	Tool.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2244	fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe
2244	fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe
2244	fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe
2244	fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe
4952	Tool.exe
4952	Tool.exe
4952	Tool.exe
4952	Tool.exe
4952	Tool.exe
4952	Tool.exe
4952	Tool.exe
4952	Tool.exe
424	Yun.exe
424	Yun.exe
4952	Tool.exe
4952	Tool.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2244	fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe
2244	fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe
4952	Tool.exe
4952	Tool.exe
424	Yun.exe
424	Yun.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 4952	2244	fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe	92
PID 2244 wrote to memory of 4952	2244	fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe	92
PID 2244 wrote to memory of 4952	2244	fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe	92
PID 4952 wrote to memory of 424	4952	Tool.exe	94
PID 4952 wrote to memory of 424	4952	Tool.exe	94
PID 4952 wrote to memory of 424	4952	Tool.exe	94

C:\Users\Admin\AppData\Local\Temp\fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe
"C:\Users\Admin\AppData\Local\Temp\fa79e18e4520f58da274cb3e5981375ec92cb2101796797656536fd50de85978.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe
  C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe
    Yun.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit