75f5e04177f94802bfe4a16f81adf362a663d0cdb95d331b0075f7510293c877

Analysis

max time kernel
5s
max time network
33s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08a5d43c1159f7dd8d57a82373cb3284.exe
Size

128KB
MD5

08a5d43c1159f7dd8d57a82373cb3284
SHA1

adabe6b276207f4858756eeb50a3de93f9b75453
SHA256

75f5e04177f94802bfe4a16f81adf362a663d0cdb95d331b0075f7510293c877
SHA512

8bb088ba84736edeb6477cf2f5c0fcd286e6a708eaa118c9649d535bf2bad19de83c1366cc85abc725ac2479ab56365b9c56a86e1ed5f464a06d16cc8775ebb0
SSDEEP

1536:VlB+ogA9x1dveIl3MFX95k3XOzXwPdQPEK8+sBva11w42bSNSeJ/LBh2yEi9oL1:VlBn9Ldve4OtwXOzjl+edM4FBh1Eimp

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2216	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2984	lqkvjp.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	cmd.exe
2216	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012223-12.dat	upx
behavioral1/memory/2216-13-0x0000000000130000-0x0000000000151000-memory.dmp	upx
behavioral1/memory/2984-16-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/2984-17-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	lqkvjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\lqkvj	lqkvjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\lqkvj	lqkvjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	lqkvjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	lqkvjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	lqkvjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\lqkvj\\command	lqkvjp.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1712	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2216	2268	08a5d43c1159f7dd8d57a82373cb3284.exe	28
PID 2268 wrote to memory of 2216	2268	08a5d43c1159f7dd8d57a82373cb3284.exe	28
PID 2268 wrote to memory of 2216	2268	08a5d43c1159f7dd8d57a82373cb3284.exe	28
PID 2268 wrote to memory of 2216	2268	08a5d43c1159f7dd8d57a82373cb3284.exe	28
PID 2216 wrote to memory of 2984	2216	cmd.exe	30
PID 2216 wrote to memory of 2984	2216	cmd.exe	30
PID 2216 wrote to memory of 2984	2216	cmd.exe	30
PID 2216 wrote to memory of 2984	2216	cmd.exe	30
PID 2216 wrote to memory of 1712	2216	cmd.exe	31
PID 2216 wrote to memory of 1712	2216	cmd.exe	31
PID 2216 wrote to memory of 1712	2216	cmd.exe	31
PID 2216 wrote to memory of 1712	2216	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\08a5d43c1159f7dd8d57a82373cb3284.exe
"C:\Users\Admin\AppData\Local\Temp\08a5d43c1159f7dd8d57a82373cb3284.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\teouygh.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\lqkvjp.exe
    "C:\Users\Admin\AppData\Local\Temp\lqkvjp.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2984
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lqkvjp.exe

Filesize
77KB

MD5
cd579c7d4895fbc338dda375fc083848

SHA1
27152a83966b1a068c1323547e43599c5e6586fe

SHA256
7202e6521a488413a1e109b193673c787f3ceb5d3cb911e1238fafca02c69c56

SHA512
a6a72530721e833f851634a09df640815157d39bafa604f821b6ebfb1816bddec87be910cb4facd42f40da52bf75f9bc2ccb432ed9178c1c721afdf9be522aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nypflw.bat

Filesize
156B

MD5
413e1bbaccc1d206b4b4df8aa8c086fb

SHA1
ee01cdf779bd8f6133a4a25c70bee429edfdf358

SHA256
99080f7229fdacbb2bd54c0644c277edb61e51baaf91c34d586e5b04765c22c9

SHA512
d4b67a2ff6c37093201d7c19748b3633036abe72a3b1014142f7c3a6cfeb0655b4c819b3f234ca129d7b88a38e5b640791a0fdda4c21e21bfe269b122d52be7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\teouygh.bat

Filesize
124B

MD5
d3c1aa7207456aae2315982056794cd1

SHA1
e426a0d312bfd52aaf01afb18ea3b7f4d01eb9bd

SHA256
bc772afb672797110fcb16ea0da47c712129b47105956fe50dfc13517365d60e

SHA512
026b241119e688144ba795b4fa64cc23d37958d9cac57aeb1d157d905e01a6c4929d1f87d0d3245d12d1820dcb58a36dc640ad159d654c0cdd725d7e55911d64

Download Submit
memory/2216-13-0x0000000000130000-0x0000000000151000-memory.dmp

Filesize
132KB

Download
memory/2984-16-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2984-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download