2ed360393aea125731271653f2a3a723b80d60523f3cc17ebc82415073e82c53

Analysis

max time kernel
1189s
max time network
1193s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2023, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UNBEARABLE.exe
Size

100KB
MD5

4b24954e80736fb8cd77902e1418bbfb
SHA1

1b2b094ad52962750a640ba327b55821f5f732b2
SHA256

b0a6f40bf11dde139df094dbedf3d6f4fc1c644641dcb23ca9e44ca7c2b8d080
SHA512

e297495906d2c9ed54afbab35baa484a7a3f13f139cf36958290a7d8e1e801247233ec1ac3be177506c3697b384092f2c5badaf5bcc0e3c2347c4b49c38acb88
SSDEEP

1536:xYo2rWqYrEPsRpQy8uFHg143hZY7qGvJ/1N+6/MWkFEFhuQMhiswVcDE:xZNdrEPsDQOHLYR10Q/kFEFhRsO

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2384	system32.exe
2764	system32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\systemboot = "\"C:\\windows\\system32.exe\""	system32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 2156	1968	UNBEARABLE.exe	66
PID 2384 set thread context of 2764	2384	system32.exe	68

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32.exe	UNBEARABLE.exe
File opened for modification	\??\c:\windows\system32.exe	UNBEARABLE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	system32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 1968 wrote to memory of 2156	1968	UNBEARABLE.exe	66
PID 2156 wrote to memory of 2384	2156	UNBEARABLE.exe	67
PID 2156 wrote to memory of 2384	2156	UNBEARABLE.exe	67
PID 2156 wrote to memory of 2384	2156	UNBEARABLE.exe	67
PID 2384 wrote to memory of 2764	2384	system32.exe	68
PID 2384 wrote to memory of 2764	2384	system32.exe	68
PID 2384 wrote to memory of 2764	2384	system32.exe	68
PID 2384 wrote to memory of 2764	2384	system32.exe	68
PID 2384 wrote to memory of 2764	2384	system32.exe	68
PID 2384 wrote to memory of 2764	2384	system32.exe	68
PID 2384 wrote to memory of 2764	2384	system32.exe	68
PID 2384 wrote to memory of 2764	2384	system32.exe	68
PID 2384 wrote to memory of 2764	2384	system32.exe	68
PID 2384 wrote to memory of 2764	2384	system32.exe	68

C:\Users\Admin\AppData\Local\Temp\UNBEARABLE.exe
"C:\Users\Admin\AppData\Local\Temp\UNBEARABLE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\UNBEARABLE.exe
  "{path}"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\windows\system32.exe
    "C:\windows\system32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\windows\system32.exe
      "{path}"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32.exe

Filesize
100KB

MD5
4b24954e80736fb8cd77902e1418bbfb

SHA1
1b2b094ad52962750a640ba327b55821f5f732b2

SHA256
b0a6f40bf11dde139df094dbedf3d6f4fc1c644641dcb23ca9e44ca7c2b8d080

SHA512
e297495906d2c9ed54afbab35baa484a7a3f13f139cf36958290a7d8e1e801247233ec1ac3be177506c3697b384092f2c5badaf5bcc0e3c2347c4b49c38acb88

Download Submit
C:\Windows\system32.exe

Filesize
100KB

MD5
4b24954e80736fb8cd77902e1418bbfb

SHA1
1b2b094ad52962750a640ba327b55821f5f732b2

SHA256
b0a6f40bf11dde139df094dbedf3d6f4fc1c644641dcb23ca9e44ca7c2b8d080

SHA512
e297495906d2c9ed54afbab35baa484a7a3f13f139cf36958290a7d8e1e801247233ec1ac3be177506c3697b384092f2c5badaf5bcc0e3c2347c4b49c38acb88

Download Submit
C:\windows\system32.exe

Filesize
100KB

MD5
4b24954e80736fb8cd77902e1418bbfb

SHA1
1b2b094ad52962750a640ba327b55821f5f732b2

SHA256
b0a6f40bf11dde139df094dbedf3d6f4fc1c644641dcb23ca9e44ca7c2b8d080

SHA512
e297495906d2c9ed54afbab35baa484a7a3f13f139cf36958290a7d8e1e801247233ec1ac3be177506c3697b384092f2c5badaf5bcc0e3c2347c4b49c38acb88

Download Submit
memory/1968-121-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2156-122-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2156-125-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2156-131-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2764-136-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2764-137-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2764-138-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download