54f7c10156e84b037139f2de4762673b6fa87597a574a8724cf1cf22b1a5af42

Analysis

max time kernel
137s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 09:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

632e614896158c3011c616bd2f6695e6.exe
Size

414KB
MD5

632e614896158c3011c616bd2f6695e6
SHA1

8c1098a9599ee4102a0ecb00d44b5aad24c03145
SHA256

54f7c10156e84b037139f2de4762673b6fa87597a574a8724cf1cf22b1a5af42
SHA512

64cd6b280ef0c63203f3d78af0bd44f12c77f32acde74c6bf3db6cb07c61b845e56c44cddabb5515a0b5097e86fe29f79c70c94ea3a75ee0ff256e2952434c4f
SSDEEP

6144:u5CFwkzdy8ly0ZYv56234BBWDoP1e6A6CJsaE+N8PVT5BcOsfwm:++wqdyjEYv562IADoP1pJ4YBBWwm

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1520	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2192	iwup.exe

Loads dropped DLL 2 IoCs

pid	Process
3020	632e614896158c3011c616bd2f6695e6.exe
3020	632e614896158c3011c616bd2f6695e6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E705BD28-DA76-AD4E-D262-B4D1F82197CC} = "C:\\Users\\Admin\\AppData\\Roaming\\Ewyxji\\iwup.exe"	iwup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe
2192	iwup.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3020	632e614896158c3011c616bd2f6695e6.exe
2192	iwup.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2192	3020	632e614896158c3011c616bd2f6695e6.exe	16
PID 3020 wrote to memory of 2192	3020	632e614896158c3011c616bd2f6695e6.exe	16
PID 3020 wrote to memory of 2192	3020	632e614896158c3011c616bd2f6695e6.exe	16
PID 3020 wrote to memory of 2192	3020	632e614896158c3011c616bd2f6695e6.exe	16
PID 2192 wrote to memory of 1228	2192	iwup.exe	25
PID 2192 wrote to memory of 1228	2192	iwup.exe	25
PID 2192 wrote to memory of 1228	2192	iwup.exe	25
PID 2192 wrote to memory of 1228	2192	iwup.exe	25
PID 2192 wrote to memory of 1228	2192	iwup.exe	25
PID 2192 wrote to memory of 1320	2192	iwup.exe	24
PID 2192 wrote to memory of 1320	2192	iwup.exe	24
PID 2192 wrote to memory of 1320	2192	iwup.exe	24
PID 2192 wrote to memory of 1320	2192	iwup.exe	24
PID 2192 wrote to memory of 1320	2192	iwup.exe	24
PID 2192 wrote to memory of 1368	2192	iwup.exe	23
PID 2192 wrote to memory of 1368	2192	iwup.exe	23
PID 2192 wrote to memory of 1368	2192	iwup.exe	23
PID 2192 wrote to memory of 1368	2192	iwup.exe	23
PID 2192 wrote to memory of 1368	2192	iwup.exe	23
PID 2192 wrote to memory of 1948	2192	iwup.exe	21
PID 2192 wrote to memory of 1948	2192	iwup.exe	21
PID 2192 wrote to memory of 1948	2192	iwup.exe	21
PID 2192 wrote to memory of 1948	2192	iwup.exe	21
PID 2192 wrote to memory of 1948	2192	iwup.exe	21
PID 2192 wrote to memory of 3020	2192	iwup.exe	17
PID 2192 wrote to memory of 3020	2192	iwup.exe	17
PID 2192 wrote to memory of 3020	2192	iwup.exe	17
PID 2192 wrote to memory of 3020	2192	iwup.exe	17
PID 2192 wrote to memory of 3020	2192	iwup.exe	17
PID 3020 wrote to memory of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14
PID 3020 wrote to memory of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14
PID 3020 wrote to memory of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14
PID 3020 wrote to memory of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14
PID 3020 wrote to memory of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14
PID 3020 wrote to memory of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14
PID 3020 wrote to memory of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14
PID 3020 wrote to memory of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14
PID 3020 wrote to memory of 1520	3020	632e614896158c3011c616bd2f6695e6.exe	14

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1f73d194.bat"
1⤵
- Deletes itself
PID:1520

C:\Users\Admin\AppData\Roaming\Ewyxji\iwup.exe
"C:\Users\Admin\AppData\Roaming\Ewyxji\iwup.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\632e614896158c3011c616bd2f6695e6.exe
"C:\Users\Admin\AppData\Local\Temp\632e614896158c3011c616bd2f6695e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-24-0x0000000001F10000-0x0000000001F5C000-memory.dmp

Filesize
304KB

Download
memory/1228-16-0x0000000001F10000-0x0000000001F5C000-memory.dmp

Filesize
304KB

Download
memory/1228-17-0x0000000001F10000-0x0000000001F5C000-memory.dmp

Filesize
304KB

Download
memory/1228-20-0x0000000001F10000-0x0000000001F5C000-memory.dmp

Filesize
304KB

Download
memory/1228-22-0x0000000001F10000-0x0000000001F5C000-memory.dmp

Filesize
304KB

Download
memory/1320-27-0x0000000001EC0000-0x0000000001F0C000-memory.dmp

Filesize
304KB

Download
memory/1320-28-0x0000000001EC0000-0x0000000001F0C000-memory.dmp

Filesize
304KB

Download
memory/1320-29-0x0000000001EC0000-0x0000000001F0C000-memory.dmp

Filesize
304KB

Download
memory/1320-30-0x0000000001EC0000-0x0000000001F0C000-memory.dmp

Filesize
304KB

Download
memory/1368-35-0x0000000002900000-0x000000000294C000-memory.dmp

Filesize
304KB

Download
memory/1368-32-0x0000000002900000-0x000000000294C000-memory.dmp

Filesize
304KB

Download
memory/1368-33-0x0000000002900000-0x000000000294C000-memory.dmp

Filesize
304KB

Download
memory/1368-34-0x0000000002900000-0x000000000294C000-memory.dmp

Filesize
304KB

Download
memory/1520-165-0x0000000077290000-0x0000000077291000-memory.dmp

Filesize
4KB

Download
memory/1520-163-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1520-227-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/1948-39-0x0000000001BA0000-0x0000000001BEC000-memory.dmp

Filesize
304KB

Download
memory/1948-40-0x0000000001BA0000-0x0000000001BEC000-memory.dmp

Filesize
304KB

Download
memory/1948-37-0x0000000001BA0000-0x0000000001BEC000-memory.dmp

Filesize
304KB

Download
memory/1948-38-0x0000000001BA0000-0x0000000001BEC000-memory.dmp

Filesize
304KB

Download
memory/2192-228-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2192-15-0x00000000004E0000-0x000000000052C000-memory.dmp

Filesize
304KB

Download
memory/2192-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3020-72-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-149-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/3020-49-0x0000000001FA0000-0x0000000001FEC000-memory.dmp

Filesize
304KB

Download
memory/3020-47-0x0000000001FA0000-0x0000000001FEC000-memory.dmp

Filesize
304KB

Download
memory/3020-45-0x0000000001FA0000-0x0000000001FEC000-memory.dmp

Filesize
304KB

Download
memory/3020-43-0x0000000001FA0000-0x0000000001FEC000-memory.dmp

Filesize
304KB

Download
memory/3020-52-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-54-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-56-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-70-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3020-58-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-60-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-51-0x0000000001FA0000-0x0000000001FEC000-memory.dmp

Filesize
304KB

Download
memory/3020-150-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3020-74-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-78-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-79-0x0000000077290000-0x0000000077291000-memory.dmp

Filesize
4KB

Download
memory/3020-139-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-76-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-62-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-64-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-66-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/3020-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3020-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3020-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3020-0-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/3020-68-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download