bedac3118d59b43e8479c416de7c5a7792562ec9163ce844930587dbe3b4b4ba

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f774e6463e3130389ba2b69c95e597a.exe
Size

1.0MB
MD5

1f774e6463e3130389ba2b69c95e597a
SHA1

7ed859ef94dfb64bd4605dd72ef7e73cd7f66d35
SHA256

bedac3118d59b43e8479c416de7c5a7792562ec9163ce844930587dbe3b4b4ba
SHA512

3be45c9f8c99aa62d805f66ba1a4c0b757c735308883f8ad57f4fbb3ba565e6656ec60c652032991138d3b2a58d6c7cdcc3d04fe6206fdb03bc929055671480c
SSDEEP

12288:rbpHYUKy5U1bo9t8DMRSW9vbciUiLuAvOxMt11i27QitjF9:r5sJo6YrFUiyAak11LtjF9

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2136	svchest000.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral1/memory/2648-1-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral1/memory/2136-10-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral1/memory/2648-9-0x0000000002810000-0x00000000029A7000-memory.dmp	upx
behavioral1/memory/2136-13-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral1/files/0x000b000000014ab3-8.dat	upx
behavioral1/files/0x000b000000014ab3-7.dat	upx
behavioral1/memory/2648-14-0x0000000000400000-0x0000000000597000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1f774e6463e3130389ba2b69c95e597a.exe"	1f774e6463e3130389ba2b69c95e597a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2648	1f774e6463e3130389ba2b69c95e597a.exe
2136	svchest000.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\BJ.exe	1f774e6463e3130389ba2b69c95e597a.exe
File created	\??\c:\Windows\BJ.exe	1f774e6463e3130389ba2b69c95e597a.exe
File created	\??\c:\Windows\svchest000.exe	1f774e6463e3130389ba2b69c95e597a.exe
File opened for modification	\??\c:\Windows\svchest000.exe	1f774e6463e3130389ba2b69c95e597a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2136	2648	1f774e6463e3130389ba2b69c95e597a.exe	28
PID 2648 wrote to memory of 2136	2648	1f774e6463e3130389ba2b69c95e597a.exe	28
PID 2648 wrote to memory of 2136	2648	1f774e6463e3130389ba2b69c95e597a.exe	28
PID 2648 wrote to memory of 2136	2648	1f774e6463e3130389ba2b69c95e597a.exe	28

C:\Users\Admin\AppData\Local\Temp\1f774e6463e3130389ba2b69c95e597a.exe
"C:\Users\Admin\AppData\Local\Temp\1f774e6463e3130389ba2b69c95e597a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2648
- \??\c:\Windows\svchest000.exe
  c:\Windows\svchest000.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchest000.exe

Filesize
385KB

MD5
3edec39ff5923a519e82bcb3d6bbb477

SHA1
91dd8fa6d527e62b7c1c1d79e67781a51d6146f6

SHA256
e2bcb7cfa6701490866aa6add661692cfffbc69975d506f7079ea0e50f6b1b7d

SHA512
0d8c67ae86322b849b57840d1a84fd0ef53888309e7a8accfb95b2775fbb684b9755f0399648e073f2f9c62fef1bde6b903fdaad958f5936e79d776c2c10d316

Download Submit
C:\Windows\svchest000.exe

Filesize
382KB

MD5
721f7347c2497b358d8a5630b9d4c216

SHA1
575ab6b372aa9eefb9b5180454953886da2f9890

SHA256
747367ff3008756be25833914806a0ecc100bbc15e0a6f0ff806349ec52a2978

SHA512
eed41242be78255245a9ff1ff006a750d045067b0da3af91d6dd681cd6a20104f4e9a287a72572067bd187f570bc890dd25106cca32018967eaeae2c9e20fe5d

Download Submit
memory/2136-10-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2136-13-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2648-0-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2648-1-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2648-9-0x0000000002810000-0x00000000029A7000-memory.dmp

Filesize
1.6MB

Download
memory/2648-14-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2648-15-0x0000000002810000-0x00000000029A7000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads