07c73711038e0d36aac6e557e2009b75511b1958e332d89e29b283347f2373b8

General

Target

101ca0df13e8d04c6ed5151e2dea9d31.exe
Size

274KB
MD5

101ca0df13e8d04c6ed5151e2dea9d31
SHA1

d0f2507c6c9eaa9c9005cdaff2037f7cd66d9fca
SHA256

07c73711038e0d36aac6e557e2009b75511b1958e332d89e29b283347f2373b8
SHA512

60724aa0e019138bf3ae7bb677bb2d4d2ea80c91a491c4c8ce14013d61b7a6c87c5e14e8885f8023057d9bf41e8a3d8810ba1c893d29b72ad3ac59d233a3bef9
SSDEEP

6144:OEoFd1LTc4vEKO7iw3Gw3qkjcXKXYUSxteI:FoF/ZvvbEG5Ht

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
224	Favorite.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4208-0-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/224-6-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/files/0x000700000002322f-5.dat	upx
behavioral2/files/0x000700000002322f-4.dat	upx
behavioral2/memory/4208-8-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/224-9-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/224-11-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/4208-17-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/4208-18-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/224-20-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/224-22-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/224-24-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/224-26-0x0000000000400000-0x00000000004A7000-memory.dmp	upx
behavioral2/memory/224-28-0x0000000000400000-0x00000000004A7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Favorite = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Favorite.exe"	Favorite.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4208	101ca0df13e8d04c6ed5151e2dea9d31.exe
4208	101ca0df13e8d04c6ed5151e2dea9d31.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 224	4208	101ca0df13e8d04c6ed5151e2dea9d31.exe	86
PID 4208 wrote to memory of 224	4208	101ca0df13e8d04c6ed5151e2dea9d31.exe	86
PID 4208 wrote to memory of 224	4208	101ca0df13e8d04c6ed5151e2dea9d31.exe	86
PID 4208 wrote to memory of 1276	4208	101ca0df13e8d04c6ed5151e2dea9d31.exe	96
PID 4208 wrote to memory of 1276	4208	101ca0df13e8d04c6ed5151e2dea9d31.exe	96
PID 4208 wrote to memory of 1276	4208	101ca0df13e8d04c6ed5151e2dea9d31.exe	96

C:\Users\Admin\AppData\Local\Temp\101ca0df13e8d04c6ed5151e2dea9d31.exe
"C:\Users\Admin\AppData\Local\Temp\101ca0df13e8d04c6ed5151e2dea9d31.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\Favorite.exe
  C:\Users\Admin\AppData\Local\Temp\Favorite.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\deleteself.bat
  2⤵
  PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Favorite.exe

Filesize
5KB

MD5
ded7c4e2614bc7ed2ae85e61883ef4c5

SHA1
2f8fb3bc4ef35dc30c05c501c01cef02e46b0216

SHA256
ea1a1c9d5a626b05ca873f868b6fa91caeb12aa4bc04463919489743fdc7460c

SHA512
d2326e6bcca0089a7a0541acbc5c98738a85a6bcdc18a935ec4fab1b18628b27a24deecfb06b15bb1a4d369a4bf817e94d7434d7db043581171201ee9f28336b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Favorite.exe

Filesize
5KB

MD5
83e7b6477022bf80f67aeeb916268e66

SHA1
7051b13a65f6bec0e302f0f69002c8a49d39ef56

SHA256
bcf53066e2b7e841f986425033fd86ecde8fc5831fd212289152af6fe6b24d63

SHA512
8ba84eb80887051526e597380fc4f5a9194646b2e44d795fb99b64de253708e0b1119b606c911bcee47538f72595119ac958cf08cbf67922e32abdc0154dd220

Download Submit
C:\Users\Admin\AppData\Local\Temp\deleteself.bat

Filesize
232B

MD5
d69aa49c19326e99f00e6de0bc218580

SHA1
41c919f3df3212fb58e322c848ce90dbc9027db4

SHA256
5655c7a4469c67b585a88c4f5ea6ac4079e36811fa4444574640595e00b01cc6

SHA512
f8c1729aa1ea239c2462da453638333afe3512c4925c75584f310b9ac97ddb7aa420fd3aaf3f1c89a50191052e8cac3f65996eaf4a936274183bec4c1fed7876

Download Submit
memory/224-11-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/224-22-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/224-7-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/224-28-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/224-9-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/224-26-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/224-24-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/224-6-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/224-20-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4208-18-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4208-17-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4208-1-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4208-0-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4208-8-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads