580e46c98e735d845f87e74d80e7d8f7e0db6e572aaa11276b2e1cad4c095a94

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10407ecfc3d186af1326c643148c8371.exe
Size

22KB
MD5

10407ecfc3d186af1326c643148c8371
SHA1

47e894dbbae9c39fc1816155422b68b16fc907ee
SHA256

580e46c98e735d845f87e74d80e7d8f7e0db6e572aaa11276b2e1cad4c095a94
SHA512

fceb0637cbaae56e7da1a48d23f7feab33bd12695f8e4fdf25d1c277dd87f353be06e09f702e29787661e7ba66c1bf8bb6eaa9947e27607e90f82e79a7ffb943
SSDEEP

384:UXFqNj8ctFjFrmTekd3FuiFpTaTKEd+JIQdZFaZyLohNXOWZWGEhrg:UVqNj8ctRoeC3FlF6Kw+yUzCyLogRg

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1224	regsvr.exe
1228	regsvr.exe

Loads dropped DLL 4 IoCs

pid	Process
2196	10407ecfc3d186af1326c643148c8371.exe
2196	10407ecfc3d186af1326c643148c8371.exe
1224	regsvr.exe
1224	regsvr.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/files/0x000a0000000155f7-6.dat	upx
behavioral1/memory/2196-7-0x00000000003E0000-0x00000000003F2000-memory.dmp	upx
behavioral1/memory/1224-16-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1228-30-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2196-29-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1224-28-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr.exe	regsvr.exe
File created	C:\Windows\SysWOW64\regsvr.exe	10407ecfc3d186af1326c643148c8371.exe
File opened for modification	C:\Windows\SysWOW64\regsvr.exe	10407ecfc3d186af1326c643148c8371.exe
File opened for modification	C:\Windows\SysWOW64\regsvr.exe	regsvr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2196	10407ecfc3d186af1326c643148c8371.exe
1224	regsvr.exe
1228	regsvr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1224	2196	10407ecfc3d186af1326c643148c8371.exe	28
PID 2196 wrote to memory of 1224	2196	10407ecfc3d186af1326c643148c8371.exe	28
PID 2196 wrote to memory of 1224	2196	10407ecfc3d186af1326c643148c8371.exe	28
PID 2196 wrote to memory of 1224	2196	10407ecfc3d186af1326c643148c8371.exe	28
PID 1224 wrote to memory of 1228	1224	regsvr.exe	29
PID 1224 wrote to memory of 1228	1224	regsvr.exe	29
PID 1224 wrote to memory of 1228	1224	regsvr.exe	29
PID 1224 wrote to memory of 1228	1224	regsvr.exe	29

C:\Users\Admin\AppData\Local\Temp\10407ecfc3d186af1326c643148c8371.exe
"C:\Users\Admin\AppData\Local\Temp\10407ecfc3d186af1326c643148c8371.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\regsvr.exe
  C:\Windows\system32/regsvr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\regsvr.exe
    C:\Windows\system32/regsvr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\bndFile

Filesize
1B

MD5
93b885adfe0da089cdf634904fd59f71

SHA1
5ba93c9db0cff93f52b521d7420e43f6eda2784f

SHA256
6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d

SHA512
b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

Download Submit
\Windows\SysWOW64\regsvr.exe

Filesize
22KB

MD5
10407ecfc3d186af1326c643148c8371

SHA1
47e894dbbae9c39fc1816155422b68b16fc907ee

SHA256
580e46c98e735d845f87e74d80e7d8f7e0db6e572aaa11276b2e1cad4c095a94

SHA512
fceb0637cbaae56e7da1a48d23f7feab33bd12695f8e4fdf25d1c277dd87f353be06e09f702e29787661e7ba66c1bf8bb6eaa9947e27607e90f82e79a7ffb943

Download Submit
memory/1224-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1224-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1224-25-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/1224-24-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/1228-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2196-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2196-7-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2196-29-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2196-14-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download