a33443c6603faec9d3bd8d8afd97259308fa4cf7c52332746eca9399c1b97194

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20-09-2023 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

隔離區文件/PROUnstl.exe
Size

1.1MB
MD5

a9fef14605fefa4dc6f6d38e1eeb2d35
SHA1

42a6da6d0a38bc440d4f1fe8059eae6961ac188f
SHA256

0c9b801af046fbcce664b9d1c1eaa064e15b93d7cb10e071e5da17cfc3184b93
SHA512

c8f46f021a1a00457915317224085c0828380de4027ea8fc791de66cfabb449172b60df8554c3020fbae9c9a271029f88764237ee6048cbb27d37f01a71afd3f
SSDEEP

24576:VnsJ39LyjbJkQFMhmC+6GD9D6x+LH1QQQQQQQQQAdddddddddF:VnsHyjtk2MYC5GDox+73

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	._cache_PROUnstl.exe

Loads dropped DLL 1 IoCs

pid	Process
1748	PROUnstl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	PROUnstl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2784	1748	PROUnstl.exe	28
PID 1748 wrote to memory of 2784	1748	PROUnstl.exe	28
PID 1748 wrote to memory of 2784	1748	PROUnstl.exe	28
PID 1748 wrote to memory of 2784	1748	PROUnstl.exe	28
PID 1748 wrote to memory of 2784	1748	PROUnstl.exe	28
PID 1748 wrote to memory of 2784	1748	PROUnstl.exe	28
PID 1748 wrote to memory of 2784	1748	PROUnstl.exe	28

C:\Users\Admin\AppData\Local\Temp\隔離區文件\PROUnstl.exe
"C:\Users\Admin\AppData\Local\Temp\隔離區文件\PROUnstl.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\._cache_PROUnstl.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_PROUnstl.exe"
  2⤵
  - Executes dropped EXE
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_PROUnstl.exe

Filesize
348KB

MD5
650e7c97e60d3d1e6fd70a5d70a720bd

SHA1
607d32338f1d0649740a8ba6884357319c2a1e65

SHA256
908c1c677e39be9c3018f529e3d4d1cbda99ca3c786bcdde7e67a56d2f2020a1

SHA512
8bc3d9ad738d898ddef41b48f99c2ea5b3f6c732d97412a811966fdb901163a386a9c2da431adfb18ea86026c35e12e6311fad666ff4cf75ce7d7df78f4ba789

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_PROUnstl.exe

Filesize
348KB

MD5
650e7c97e60d3d1e6fd70a5d70a720bd

SHA1
607d32338f1d0649740a8ba6884357319c2a1e65

SHA256
908c1c677e39be9c3018f529e3d4d1cbda99ca3c786bcdde7e67a56d2f2020a1

SHA512
8bc3d9ad738d898ddef41b48f99c2ea5b3f6c732d97412a811966fdb901163a386a9c2da431adfb18ea86026c35e12e6311fad666ff4cf75ce7d7df78f4ba789

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_PROUnstl.exe

Filesize
348KB

MD5
650e7c97e60d3d1e6fd70a5d70a720bd

SHA1
607d32338f1d0649740a8ba6884357319c2a1e65

SHA256
908c1c677e39be9c3018f529e3d4d1cbda99ca3c786bcdde7e67a56d2f2020a1

SHA512
8bc3d9ad738d898ddef41b48f99c2ea5b3f6c732d97412a811966fdb901163a386a9c2da431adfb18ea86026c35e12e6311fad666ff4cf75ce7d7df78f4ba789

Download Submit
memory/1748-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1748-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1748-9-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads