863e447de35d57218996cdd32b1a689554ecec35f6bfe0e51b7cd4a54a39539f

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25ae676436992c873161f3b3568d2d35.exe
Size

37KB
MD5

25ae676436992c873161f3b3568d2d35
SHA1

45ef3a35c87a6765c39a6710e10a05f4dfe8b2b6
SHA256

863e447de35d57218996cdd32b1a689554ecec35f6bfe0e51b7cd4a54a39539f
SHA512

839c6eac2ff1fb31c558dfa40b9868675ca8e9e8e383762e0d7950bf4341f3a2bba7e0b2809ef52b8c0c86d25301a161daa6ed3cf8437565295d4953a603c4e7
SSDEEP

768:me7peWyJ0OBwpuuf5h4IiyQa9aRd3QLHrkG0gvxnkOt:rqJUQufPxi+OQbwppOt

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2240	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-1-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2848-9-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\PLUGINS\new123.sys	25ae676436992c873161f3b3568d2d35.exe
File created	C:\Program Files\Internet Explorer\PLUGINS\new123.dll	25ae676436992c873161f3b3568d2d35.exe
File opened for modification	C:\Program Files\Internet Explorer\PLUGINS\new123.dll	25ae676436992c873161f3b3568d2d35.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}	25ae676436992c873161f3b3568d2d35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}\	25ae676436992c873161f3b3568d2d35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}\InProcServer32	25ae676436992c873161f3b3568d2d35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}\InProcServer32\ = "C:\\Program Files\\Internet Explorer\\PLUGINS\\new123.sys"	25ae676436992c873161f3b3568d2d35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}\InProcServer32\ThreadingModel = "Apartment"	25ae676436992c873161f3b3568d2d35.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2240	2848	25ae676436992c873161f3b3568d2d35.exe	29
PID 2848 wrote to memory of 2240	2848	25ae676436992c873161f3b3568d2d35.exe	29
PID 2848 wrote to memory of 2240	2848	25ae676436992c873161f3b3568d2d35.exe	29
PID 2848 wrote to memory of 2240	2848	25ae676436992c873161f3b3568d2d35.exe	29

C:\Users\Admin\AppData\Local\Temp\25ae676436992c873161f3b3568d2d35.exe
"C:\Users\Admin\AppData\Local\Temp\25ae676436992c873161f3b3568d2d35.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\MicroSoft.bat" "
  2⤵
  - Deletes itself
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MicroSoft.bat

Filesize
184B

MD5
5a4d367397c9a88e04638ac3c4172bbf

SHA1
3d67cb3af8056fcf931c7892578ac3f0f0441302

SHA256
fa2b274d27e24921c42f556b2f5c5924f591e81b88a0873bb21e989550a0f06f

SHA512
9656c2da9c03879777bc078cae3dde1e6bf849217472cc104c217b5287416b4f07a3379ab9189f753ff937f19d41782acd498bfa97d9a230ca5a74403fe49522

Download Submit
memory/2848-1-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2848-9-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download