17cacad7f24da5a7c563c65bf76373fe323d2040578984e6ad90d230004faeee

Analysis

max time kernel
156s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

206aebca5ac47821a32ba20a82ed70ce.exe
Size

816KB
MD5

206aebca5ac47821a32ba20a82ed70ce
SHA1

b2f481dcbc7fcbd4b90be4d70ea324376d6d9ff5
SHA256

17cacad7f24da5a7c563c65bf76373fe323d2040578984e6ad90d230004faeee
SHA512

77064575fa7b497ca33f9fb838ebbf1bfa23ebe613e9708f8e1e7b032be07763bab48eddddf64c4ce3ecedaef320fdeeb192e9003f71d4067678e55f46feb942
SSDEEP

12288:rbpHYUKy5U1bo9t8DMRSW9vbciUiLuAvOxMt11i27Qitjeem:r5sJo6YrFUiyAak11Ltjeem

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2236	svchest000.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral1/memory/2408-1-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral1/files/0x000800000001559d-8.dat	upx
behavioral1/memory/2236-10-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral1/memory/2236-9-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral1/files/0x000800000001559d-7.dat	upx
behavioral1/memory/2236-13-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral1/memory/2408-14-0x0000000000400000-0x0000000000597000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\206aebca5ac47821a32ba20a82ed70ce.exe"	206aebca5ac47821a32ba20a82ed70ce.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2408	206aebca5ac47821a32ba20a82ed70ce.exe
2236	svchest000.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	\??\c:\Windows\BJ.exe	206aebca5ac47821a32ba20a82ed70ce.exe
File opened for modification	\??\c:\Windows\BJ.exe	206aebca5ac47821a32ba20a82ed70ce.exe
File created	\??\c:\Windows\svchest000.exe	206aebca5ac47821a32ba20a82ed70ce.exe
File opened for modification	\??\c:\Windows\svchest000.exe	206aebca5ac47821a32ba20a82ed70ce.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2236	2408	206aebca5ac47821a32ba20a82ed70ce.exe	27
PID 2408 wrote to memory of 2236	2408	206aebca5ac47821a32ba20a82ed70ce.exe	27
PID 2408 wrote to memory of 2236	2408	206aebca5ac47821a32ba20a82ed70ce.exe	27
PID 2408 wrote to memory of 2236	2408	206aebca5ac47821a32ba20a82ed70ce.exe	27

C:\Users\Admin\AppData\Local\Temp\206aebca5ac47821a32ba20a82ed70ce.exe
"C:\Users\Admin\AppData\Local\Temp\206aebca5ac47821a32ba20a82ed70ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2408
- \??\c:\Windows\svchest000.exe
  c:\Windows\svchest000.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchest000.exe

Filesize
339KB

MD5
311530b65fb04dbcd41c20eeed80ecd2

SHA1
d1bd52c693b11639aa0857d78fe4b5edcb9205dd

SHA256
66e9d617ba3e5f34d70e63cbb5decc9f38f9d332980297c22d23b7ec77d29da1

SHA512
7ce61d47b4dc8f16bfde36a32825bcad92aae40bb48ec8ed947c79da40a472ff8a39057d0e9eeed9bae4443790fc3e8647a17f7088c2991e40fb23f2108e2f7c

Download Submit
C:\Windows\svchest000.exe

Filesize
125KB

MD5
8dcfc5814c7b05caa0a391b7bb1ebd16

SHA1
692c63364089daca38a6a89ca6fbd5d40b8dfe74

SHA256
c01f02f1d9db4e298bccdf2c824fd60a1256ec04fb7a6aaba4068c69eb41f1df

SHA512
6b84887e6d6b6f8cc94607b3afd4125fd2c1a1b42360a2312ff24397fb3dc18ef7a26ef8ff238a18f71e60c0a4373d7725f774314b196e3bdc35b49ce32617b0

Download Submit
memory/2236-10-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2236-9-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2236-13-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2408-0-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2408-1-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2408-14-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2408-15-0x00000000026F0000-0x0000000002887000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads