92d84a7e7f14008b3dd54b765b5ff42a44047fe0ca014e56ab4febc83269b91b

Analysis

max time kernel
161s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1710fcd61514c30c6cb4c15fed3f184b.exe
Size

13KB
MD5

1710fcd61514c30c6cb4c15fed3f184b
SHA1

9e59d7284c624b371eab4eeadc4c40eb94ae7f31
SHA256

92d84a7e7f14008b3dd54b765b5ff42a44047fe0ca014e56ab4febc83269b91b
SHA512

3d861f79e2e4edc84c080ceaff1d03db91ca2f10398f7b4278871693026c9d5b6054d0d31356b1f749368d20e5dfbfc28902cb529ca11dd9f0cc0d877403176a
SSDEEP

192:kt4mE6v7tOr1rc+V9Qjx1Ks3k6btsAHPbzecuSU/vHaIQXMe3qnQcU:G4hfr5VMKePLHP7lkahXX3qQ

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2232	micsusk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000400000001e7de-4.dat	upx
behavioral2/memory/4820-5-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2232-8-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\micsus.dll	1710fcd61514c30c6cb4c15fed3f184b.exe
File created	C:\Windows\SysWOW64\micsusk.exe	1710fcd61514c30c6cb4c15fed3f184b.exe
File opened for modification	C:\Windows\SysWOW64\micsusk.exe	1710fcd61514c30c6cb4c15fed3f184b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2232	4820	1710fcd61514c30c6cb4c15fed3f184b.exe	91
PID 4820 wrote to memory of 2232	4820	1710fcd61514c30c6cb4c15fed3f184b.exe	91
PID 4820 wrote to memory of 2232	4820	1710fcd61514c30c6cb4c15fed3f184b.exe	91
PID 4820 wrote to memory of 4896	4820	1710fcd61514c30c6cb4c15fed3f184b.exe	96
PID 4820 wrote to memory of 4896	4820	1710fcd61514c30c6cb4c15fed3f184b.exe	96
PID 4820 wrote to memory of 4896	4820	1710fcd61514c30c6cb4c15fed3f184b.exe	96

C:\Users\Admin\AppData\Local\Temp\1710fcd61514c30c6cb4c15fed3f184b.exe
"C:\Users\Admin\AppData\Local\Temp\1710fcd61514c30c6cb4c15fed3f184b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\micsusk.exe
  C:\Windows\system32\micsusk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1710fcd61514c30c6cb4c15fed3f184b.exe.bat
  2⤵
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1710fcd61514c30c6cb4c15fed3f184b.exe.bat

Filesize
182B

MD5
92f6daea47d73cc69e445847f04f383b

SHA1
be8ac31ae99e453607e650c5f45ac5f47c701d7c

SHA256
631d7e9ad526b1797d651bf6b9c02e1e3fd00911825c02810f23846d67211959

SHA512
c0bdc459a6aaff6c520921965ffe3315fb10904e0cb3b6034b75fba7d6ad1df6e3b64f09a954c28648c0afdad0a248e1c4247a2c3b3483e452f18fc5f3bda94b

Download Submit
C:\Windows\SysWOW64\micsusk.exe

Filesize
13KB

MD5
1710fcd61514c30c6cb4c15fed3f184b

SHA1
9e59d7284c624b371eab4eeadc4c40eb94ae7f31

SHA256
92d84a7e7f14008b3dd54b765b5ff42a44047fe0ca014e56ab4febc83269b91b

SHA512
3d861f79e2e4edc84c080ceaff1d03db91ca2f10398f7b4278871693026c9d5b6054d0d31356b1f749368d20e5dfbfc28902cb529ca11dd9f0cc0d877403176a

Download Submit
memory/2232-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4820-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4820-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download