79ff137be022e7e2034c77fad92844d6c8b1457714271af019c2fab2a0db1df9

Analysis

max time kernel
154s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10eced74b11b17971d55c86b3b0ba45d.exe
Size

28KB
MD5

10eced74b11b17971d55c86b3b0ba45d
SHA1

c38779cdc00f4f76e7ca07372350800a6c4048ea
SHA256

79ff137be022e7e2034c77fad92844d6c8b1457714271af019c2fab2a0db1df9
SHA512

7af450e5dfc97394f0bc19f70ff36e487fc7d01e6f31cb2f6b0eeeb13a28bc86551ca4a0bc54ab00b8afd958ee56d9a47412cdd16c178c19f5bc459863120dc0
SSDEEP

768:4P05XnhsPWQNWk6zLJiJvhdl8OmONDz/+MPALEdLTMlXT9VH+KCPbUVaS:qNrnlALEpTMp+PMaS

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	10eced74b11b17971d55c86b3b0ba45d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\rare = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10eced74b11b17971d55c86b3b0ba45d.exe"	10eced74b11b17971d55c86b3b0ba45d.exe

Executes dropped EXE 1 IoCs

pid	Process
4508	imsmn.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4508-3-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000600000002313c-4.dat	upx
behavioral2/memory/4508-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4508	imsmn.exe
4508	imsmn.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4972	10eced74b11b17971d55c86b3b0ba45d.exe
4508	imsmn.exe
4508	imsmn.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4508	4972	10eced74b11b17971d55c86b3b0ba45d.exe	91
PID 4972 wrote to memory of 4508	4972	10eced74b11b17971d55c86b3b0ba45d.exe	91
PID 4972 wrote to memory of 4508	4972	10eced74b11b17971d55c86b3b0ba45d.exe	91

C:\Users\Admin\AppData\Local\Temp\10eced74b11b17971d55c86b3b0ba45d.exe
"C:\Users\Admin\AppData\Local\Temp\10eced74b11b17971d55c86b3b0ba45d.exe"
1⤵
- Adds policy Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\imsmn.exe
  C:\Users\Admin\AppData\Local\Temp\imsmn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\imsmn.exe

Filesize
7KB

MD5
598b9fcb353df2796c3714062058666d

SHA1
5adaf6213bafdeb327626ef821c3e7595765c267

SHA256
36e043b76b293b5261c0ae6fba1fd6bd8e61e39d8ef11ccff135fe171cb2a348

SHA512
89b83ee72b8c236749a640876c24858be676bc43d1bb4cd1c0a3c9740bebacdd51a0d12d192cc6d42995debafb29d74cc2dcfa41b15cf9aa131806c3d79dd483

Download Submit
memory/4508-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4508-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download