73f6cd833ecea15731452fba88c1ead3d6073b60f97a98f6a9c10d208b9a50af

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

782b1355b6a487ece53107f96a0560d5.exe
Size

12KB
MD5

782b1355b6a487ece53107f96a0560d5
SHA1

595f00e6e2c3ef3f8e4774c1b62505cb85551d36
SHA256

73f6cd833ecea15731452fba88c1ead3d6073b60f97a98f6a9c10d208b9a50af
SHA512

34fc752c382e5cdf43065011f63090adef06cd6a0e41053148865b3162d4fd264f734f5c18ce73f5f06b0020d149832e785fd0d4f6f529933adc04cf0143a97a
SSDEEP

192:GzWzF1QsL5TvBJ4XDfkB44rNqhza1oJHX5IG3pVns+KS1+:jF1QGTvB64rYguJJXs+V+

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	xuntxnk.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	782b1355b6a487ece53107f96a0560d5.exe
3040	782b1355b6a487ece53107f96a0560d5.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3040-1-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0009000000012270-3.dat	upx
behavioral1/memory/3040-4-0x0000000000220000-0x000000000022F000-memory.dmp	upx
behavioral1/memory/3056-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/3040-19-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/3056-21-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xuntxn.dll	782b1355b6a487ece53107f96a0560d5.exe
File created	C:\Windows\SysWOW64\xuntxnk.exe	782b1355b6a487ece53107f96a0560d5.exe
File opened for modification	C:\Windows\SysWOW64\xuntxnk.exe	782b1355b6a487ece53107f96a0560d5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3040	782b1355b6a487ece53107f96a0560d5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3056	3040	782b1355b6a487ece53107f96a0560d5.exe	28
PID 3040 wrote to memory of 3056	3040	782b1355b6a487ece53107f96a0560d5.exe	28
PID 3040 wrote to memory of 3056	3040	782b1355b6a487ece53107f96a0560d5.exe	28
PID 3040 wrote to memory of 3056	3040	782b1355b6a487ece53107f96a0560d5.exe	28
PID 3040 wrote to memory of 2720	3040	782b1355b6a487ece53107f96a0560d5.exe	29
PID 3040 wrote to memory of 2720	3040	782b1355b6a487ece53107f96a0560d5.exe	29
PID 3040 wrote to memory of 2720	3040	782b1355b6a487ece53107f96a0560d5.exe	29
PID 3040 wrote to memory of 2720	3040	782b1355b6a487ece53107f96a0560d5.exe	29

C:\Users\Admin\AppData\Local\Temp\782b1355b6a487ece53107f96a0560d5.exe
"C:\Users\Admin\AppData\Local\Temp\782b1355b6a487ece53107f96a0560d5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\xuntxnk.exe
  C:\Windows\system32\xuntxnk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\782b1355b6a487ece53107f96a0560d5.exe.bat
  2⤵
  - Deletes itself
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\782b1355b6a487ece53107f96a0560d5.exe.bat

Filesize
182B

MD5
bfb45efdcbd1d0addab1a1d4ca524a6e

SHA1
2fe051b694202e953e217dc698a778089eef821b

SHA256
04846382f48b91ef0673e2a9aa82957055a8b22e70ec43fccadcfacc83087565

SHA512
53cb2dc25251188cfb7ce239064a12844b901a88e2f018943004d3147c1c528e1b959ce09597adf8ccd9f380ccbb97e2ab4b861726191b0056628d71807523b8

Download Submit
\Windows\SysWOW64\xuntxnk.exe

Filesize
12KB

MD5
782b1355b6a487ece53107f96a0560d5

SHA1
595f00e6e2c3ef3f8e4774c1b62505cb85551d36

SHA256
73f6cd833ecea15731452fba88c1ead3d6073b60f97a98f6a9c10d208b9a50af

SHA512
34fc752c382e5cdf43065011f63090adef06cd6a0e41053148865b3162d4fd264f734f5c18ce73f5f06b0020d149832e785fd0d4f6f529933adc04cf0143a97a

Download Submit
memory/3040-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3040-4-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/3040-19-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3056-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3056-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download