f8ef3e3b18e72eebb4b18edbc90f7f5851ab0af044473fa2856fc974f0c33d6c

General

Target

6bb40ed95f770955ea7cf27e4785612e.exe
Size

533KB
MD5

6bb40ed95f770955ea7cf27e4785612e
SHA1

db93260f6bdeb2321fd73019af3d6182c97fd2c5
SHA256

f8ef3e3b18e72eebb4b18edbc90f7f5851ab0af044473fa2856fc974f0c33d6c
SHA512

e97a8aa76ebc4e473323cc8e7413fa8536ea57986f1fd4a45ec39bf3c86a817852fa2d9531c1bb622d0611d26e7afb970da9833220fc12b3170417718a1e12aa
SSDEEP

12288:NJsZ3dUdAz1aVlOsBfDtNK+UmDFZIdP03d0cMvNc:rsH6FvOYtNK+HrId03dEvS

Score

8^/10

dave persistence upx

Malware Config

Signatures

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/1256-61-0x0000000000130000-0x0000000000145000-memory.dmp	dave

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1456-254-0x0000000004000000-0x000000000408E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6bb40ed95f770955ea7cf27e4785612e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\pigalicapi = "C:\\Users\\Admin\\pigalicapi.exe"	6bb40ed95f770955ea7cf27e4785612e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6bb40ed95f770955ea7cf27e4785612e.exe

description pid process target process

PID 1256 set thread context of 1456 1256 6bb40ed95f770955ea7cf27e4785612e.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6bb40ed95f770955ea7cf27e4785612e.exe

pid process

1256 6bb40ed95f770955ea7cf27e4785612e.exe

description	pid	process	target process
PID 1256 set thread context of 1456	1256	6bb40ed95f770955ea7cf27e4785612e.exe	svchost.exe

pid	process
1256	6bb40ed95f770955ea7cf27e4785612e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6bb40ed95f770955ea7cf27e4785612e.exe

description	pid	process	target process
PID 1256 wrote to memory of 1456	1256	6bb40ed95f770955ea7cf27e4785612e.exe	svchost.exe
PID 1256 wrote to memory of 1456	1256	6bb40ed95f770955ea7cf27e4785612e.exe	svchost.exe
PID 1256 wrote to memory of 1456	1256	6bb40ed95f770955ea7cf27e4785612e.exe	svchost.exe
PID 1256 wrote to memory of 1456	1256	6bb40ed95f770955ea7cf27e4785612e.exe	svchost.exe
PID 1256 wrote to memory of 1456	1256	6bb40ed95f770955ea7cf27e4785612e.exe	svchost.exe
PID 1256 wrote to memory of 1456	1256	6bb40ed95f770955ea7cf27e4785612e.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6bb40ed95f770955ea7cf27e4785612e.exe
"C:\Users\Admin\AppData\Local\Temp\6bb40ed95f770955ea7cf27e4785612e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2961826002-3968192592-354541192-1000\c5d8393293ce2ba62f117b2c2d55bc3e_d22ff74c-717c-4b4c-858a-21b1fcc6aad4
Filesize
1KB

MD5
a7a82f9e73fa730a9eb510e4efcc125d

SHA1
f0d994e6df428c4227013d4c9cab16a24f821c2e

SHA256
2d8c86fcd2bff7aa3fa146d7c920edca2ae134bfe240dd310a576c3adc42acf8

SHA512
ac12cd264ffd385c2c23a732d89e52c36d7ffecf451e08009ed0ac7cd489c8c6aa7ad28a72858c22b79a7cfca129de5070c14666fc6d92eace26448e714eef7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2961826002-3968192592-354541192-1000\c5d8393293ce2ba62f117b2c2d55bc3e_d22ff74c-717c-4b4c-858a-21b1fcc6aad4
Filesize
62B

MD5
60806f4f110a6f85831390dafbb98385

SHA1
9e27b0bad5f13310a1db8a0c155b3ad7c6b6e446

SHA256
219d1a0d4109122414a4ef1b17d392652e94e7492b490ec6ff33ef553d125a4d

SHA512
b56bf9de49451eded9debd004a8fd187e6af54a87ef8a1647b6d2f169fc8ef45fd5c6b118f46a4f587bb7f05a170d10cef80211a22d90612a7b6792d7494b6f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2961826002-3968192592-354541192-1000\c5d8393293ce2ba62f117b2c2d55bc3e_d22ff74c-717c-4b4c-858a-21b1fcc6aad4
Filesize
1KB

MD5
2e54cb504d31b3f004c268901bb98f43

SHA1
6fee3d56da5c4e7537bca564f1840cc1b7cb15f0

SHA256
ac9023e2a66218fb85b87e4575ef5550f2d3246de15c5ddd311e6bb33ce68ae4

SHA512
eca16490dff2ad4e2cc3e59d9793596e7508348cd0fe6a13eddaccdec931e6b30798d54878a3c6704125a16f68867bfa4e70bccbb83d2ea54b0d26066473389d

Download Submit
memory/1256-54-0x0000000000150000-0x0000000000168000-memory.dmp

Filesize
96KB

Download
memory/1256-58-0x0000000004000000-0x0000000004016000-memory.dmp

Filesize
88KB

Download
memory/1256-61-0x0000000000130000-0x0000000000145000-memory.dmp

Filesize
84KB

Download
memory/1456-250-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1456-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1456-254-0x0000000004000000-0x000000000408E000-memory.dmp

Filesize
568KB

Download
memory/1456-251-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1456-256-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads