0c7ba0ec1fb87d57323ad374f3fdf7ff8628b4965952481e76beef7d4b8d9b4f

Analysis

max time kernel
216s
max time network
39s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cfacc1a5f0b4823da0c8977faa2e9e2.exe
Size

13KB
MD5

0cfacc1a5f0b4823da0c8977faa2e9e2
SHA1

132b60f4c5ae83e7598cb7df94254b72f3c6b001
SHA256

0c7ba0ec1fb87d57323ad374f3fdf7ff8628b4965952481e76beef7d4b8d9b4f
SHA512

e7bb585f078e892b4761772da26d65c17992daf7c178ee1e3bb5cbdad7eee9ce2ceaa3751bc797db60e3c604f4fd020cea1328bb72e236115df6b24abe68bff0
SSDEEP

384:d/Bz3WYceWdiJHsIljdMEuw4Lo8Sb2e59eC/7:dISfxdjuw4LWyS/

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
584	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	woodkenk.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe
2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2664-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x001000000000b1f5-3.dat	upx
behavioral1/memory/2664-4-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/2664-5-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2572-14-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\woodken.dll	0cfacc1a5f0b4823da0c8977faa2e9e2.exe
File created	C:\Windows\SysWOW64\woodkenk.exe	0cfacc1a5f0b4823da0c8977faa2e9e2.exe
File opened for modification	C:\Windows\SysWOW64\woodkenk.exe	0cfacc1a5f0b4823da0c8977faa2e9e2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2572	2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe	28
PID 2664 wrote to memory of 2572	2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe	28
PID 2664 wrote to memory of 2572	2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe	28
PID 2664 wrote to memory of 2572	2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe	28
PID 2664 wrote to memory of 584	2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe	29
PID 2664 wrote to memory of 584	2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe	29
PID 2664 wrote to memory of 584	2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe	29
PID 2664 wrote to memory of 584	2664	0cfacc1a5f0b4823da0c8977faa2e9e2.exe	29

C:\Users\Admin\AppData\Local\Temp\0cfacc1a5f0b4823da0c8977faa2e9e2.exe
"C:\Users\Admin\AppData\Local\Temp\0cfacc1a5f0b4823da0c8977faa2e9e2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\woodkenk.exe
  C:\Windows\system32\woodkenk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\0cfacc1a5f0b4823da0c8977faa2e9e2.exe.bat
  2⤵
  - Deletes itself
  PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0cfacc1a5f0b4823da0c8977faa2e9e2.exe.bat

Filesize
182B

MD5
2f0748fa5b0d7776f625d6178aecb13b

SHA1
26febdc8bec621cbf9fcdede548c0c1b5cafecef

SHA256
b4749a6c185b6e61210a535f246cba45dfe8a60b896f218c42e2d928562137dd

SHA512
8f48b811d5d5edf6101979499e0188397857152a2009ece58e7057c5ccc5ec115c9fe49a97e2766fc1dafcc6de1b29cbbe0fcc4ec3f33588d985a796da37b019

Download Submit
\Windows\SysWOW64\woodkenk.exe

Filesize
13KB

MD5
0cfacc1a5f0b4823da0c8977faa2e9e2

SHA1
132b60f4c5ae83e7598cb7df94254b72f3c6b001

SHA256
0c7ba0ec1fb87d57323ad374f3fdf7ff8628b4965952481e76beef7d4b8d9b4f

SHA512
e7bb585f078e892b4761772da26d65c17992daf7c178ee1e3bb5cbdad7eee9ce2ceaa3751bc797db60e3c604f4fd020cea1328bb72e236115df6b24abe68bff0

Download Submit
memory/2572-14-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2664-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2664-4-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2664-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2664-13-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2664-20-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download