19d0f249e30903f9eafbb9de80f9ea52dc0a16f93339c0ee99a397230b2b8189

Analysis

max time kernel
183s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12cecd00181724148ea8fd1dd6c3ef7c.exe
Size

955KB
MD5

12cecd00181724148ea8fd1dd6c3ef7c
SHA1

3d27bdce20ccbd794b57fb17ba5e9efb57dada92
SHA256

19d0f249e30903f9eafbb9de80f9ea52dc0a16f93339c0ee99a397230b2b8189
SHA512

9911a90e892b8181b6eefa4c765a57b76c6574e718f4df375d4e85f929f943ce75cdafa439f143b07e77b263ede7a4b5855e4e5d79b00320e81aa8331d4d01a7
SSDEEP

12288:rbpHYUKy5U1bo9t8DMRSW9vbciUiLuAvOxMt11i27QitjI:r5sJo6YrFUiyAak11LtjI

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3764	svchest425075242507520.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3320-0-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/3320-1-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/files/0x00060000000231fa-9.dat	upx
behavioral2/files/0x00060000000231fa-8.dat	upx
behavioral2/memory/3764-10-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/files/0x00060000000231fa-7.dat	upx
behavioral2/memory/3764-12-0x0000000000400000-0x0000000000597000-memory.dmp	upx
behavioral2/memory/3320-13-0x0000000000400000-0x0000000000597000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\12cecd00181724148ea8fd1dd6c3ef7c.exe"	12cecd00181724148ea8fd1dd6c3ef7c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3320	12cecd00181724148ea8fd1dd6c3ef7c.exe
3764	svchest425075242507520.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	\??\c:\Windows\BJ.exe	12cecd00181724148ea8fd1dd6c3ef7c.exe
File opened for modification	\??\c:\Windows\BJ.exe	12cecd00181724148ea8fd1dd6c3ef7c.exe
File created	\??\c:\Windows\svchest425075242507520.exe	12cecd00181724148ea8fd1dd6c3ef7c.exe
File opened for modification	\??\c:\Windows\svchest425075242507520.exe	12cecd00181724148ea8fd1dd6c3ef7c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 3764	3320	12cecd00181724148ea8fd1dd6c3ef7c.exe	29
PID 3320 wrote to memory of 3764	3320	12cecd00181724148ea8fd1dd6c3ef7c.exe	29
PID 3320 wrote to memory of 3764	3320	12cecd00181724148ea8fd1dd6c3ef7c.exe	29

C:\Users\Admin\AppData\Local\Temp\12cecd00181724148ea8fd1dd6c3ef7c.exe
"C:\Users\Admin\AppData\Local\Temp\12cecd00181724148ea8fd1dd6c3ef7c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3320
- \??\c:\Windows\svchest425075242507520.exe
  c:\Windows\svchest425075242507520.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchest425075242507520.exe

Filesize
106KB

MD5
87fa2f84d2a855bfc739f8c1e9d0a17d

SHA1
71114a654571ef06b2d0e2511f0365f3a2679622

SHA256
48f9d788ed014d4ea48c237cbbff19eaaa2acb7150ec4f8ec869b107f329ecc7

SHA512
9c69e0fcf72facab06e656066b4924b8ddc083db00d2d3bdb4d422e28ac7d7dbd4297c7cb3171b4807274f2f5031de0d6a63bcec68ef03aa90d5bb7df9c17602

Download Submit
C:\Windows\svchest425075242507520.exe

Filesize
125KB

MD5
b5059783c4744ce7df28c59ab2143e9a

SHA1
50d05edf4b35bfe3c219c8cea5071ef447711359

SHA256
da9ab0cacde0dc4547fa6ee6536151393c675c581e31f593461a9acdde69a75d

SHA512
f7d962b58322cbdfd532f25f9e93a69743dbfc03ad2755fe07de829b2e241b58e0545be832acc381a3c2e2ece804e2387f407d81607769d6678b745c39c93363

Download Submit
\??\c:\Windows\svchest425075242507520.exe

Filesize
65KB

MD5
eb0e9dba250d1bcf0b63ff799b8b61bc

SHA1
b3a5a419f53b10d19dc584feac0210c7752e0dea

SHA256
4a9d1a38b15b5077b4edd4202f7d52a82bf7dd0a3eab19863d7a02542e9a74a8

SHA512
b008104811813550f73628d086ef7cc032cd71adbca0e0e2edf6497286a54dffaa3c2c21ef64148eb7b0b580d8192ebebbbe15ce4ee3e792a7521f31ff996f85

Download Submit
memory/3320-0-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/3320-1-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/3320-13-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/3764-10-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/3764-12-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads