46d60da38b233cf515c741f14967076191de07fa773b83b95da94dd4822c240c

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

197457e67839237b37ba89c3a60f86be.exe
Size

132KB
MD5

197457e67839237b37ba89c3a60f86be
SHA1

99b9f02fc17f9da72cc6e92050532580d213498c
SHA256

46d60da38b233cf515c741f14967076191de07fa773b83b95da94dd4822c240c
SHA512

9f292c1a5e8e3ec1083a3474d0fd6263a2ffb65d936153acf8afbc3855537a7e08c26dbdce861fdf914839547d587590bc33b4624dc85773ae75a2ef7246cad6
SSDEEP

1536:bHFjwOqUuflO+6peVdM/d2yv6n0APB8qFE0OSqHW2PYoPPrCLaC46lxIDCwMZOD7:ryOqxY+6pejzNB8A4xAo784KmMMDLH

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1820	indiagamcaa.exe
3020	indiagamcaa.exe

Loads dropped DLL 5 IoCs

pid	Process
584	197457e67839237b37ba89c3a60f86be.exe
584	197457e67839237b37ba89c3a60f86be.exe
584	197457e67839237b37ba89c3a60f86be.exe
584	197457e67839237b37ba89c3a60f86be.exe
584	197457e67839237b37ba89c3a60f86be.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/584-197-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/584-194-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3020-435-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/584-465-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3020-468-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\indiagamcaaa = "C:\\Users\\Admin\\AppData\\Roaming\\india gamcaa\\indiagamcaa.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 584	2336	197457e67839237b37ba89c3a60f86be.exe	28
PID 1820 set thread context of 3020	1820	indiagamcaa.exe	33
PID 1820 set thread context of 0	1820	indiagamcaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe
Token: SeDebugPrivilege	3020	indiagamcaa.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2336	197457e67839237b37ba89c3a60f86be.exe
584	197457e67839237b37ba89c3a60f86be.exe
1820	indiagamcaa.exe
3020	indiagamcaa.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 584	2336	197457e67839237b37ba89c3a60f86be.exe	28
PID 2336 wrote to memory of 584	2336	197457e67839237b37ba89c3a60f86be.exe	28
PID 2336 wrote to memory of 584	2336	197457e67839237b37ba89c3a60f86be.exe	28
PID 2336 wrote to memory of 584	2336	197457e67839237b37ba89c3a60f86be.exe	28
PID 2336 wrote to memory of 584	2336	197457e67839237b37ba89c3a60f86be.exe	28
PID 2336 wrote to memory of 584	2336	197457e67839237b37ba89c3a60f86be.exe	28
PID 2336 wrote to memory of 584	2336	197457e67839237b37ba89c3a60f86be.exe	28
PID 2336 wrote to memory of 584	2336	197457e67839237b37ba89c3a60f86be.exe	28
PID 584 wrote to memory of 844	584	197457e67839237b37ba89c3a60f86be.exe	29
PID 584 wrote to memory of 844	584	197457e67839237b37ba89c3a60f86be.exe	29
PID 584 wrote to memory of 844	584	197457e67839237b37ba89c3a60f86be.exe	29
PID 584 wrote to memory of 844	584	197457e67839237b37ba89c3a60f86be.exe	29
PID 844 wrote to memory of 2140	844	cmd.exe	31
PID 844 wrote to memory of 2140	844	cmd.exe	31
PID 844 wrote to memory of 2140	844	cmd.exe	31
PID 844 wrote to memory of 2140	844	cmd.exe	31
PID 584 wrote to memory of 1820	584	197457e67839237b37ba89c3a60f86be.exe	32
PID 584 wrote to memory of 1820	584	197457e67839237b37ba89c3a60f86be.exe	32
PID 584 wrote to memory of 1820	584	197457e67839237b37ba89c3a60f86be.exe	32
PID 584 wrote to memory of 1820	584	197457e67839237b37ba89c3a60f86be.exe	32
PID 1820 wrote to memory of 3020	1820	indiagamcaa.exe	33
PID 1820 wrote to memory of 3020	1820	indiagamcaa.exe	33
PID 1820 wrote to memory of 3020	1820	indiagamcaa.exe	33
PID 1820 wrote to memory of 3020	1820	indiagamcaa.exe	33
PID 1820 wrote to memory of 3020	1820	indiagamcaa.exe	33
PID 1820 wrote to memory of 3020	1820	indiagamcaa.exe	33
PID 1820 wrote to memory of 3020	1820	indiagamcaa.exe	33
PID 1820 wrote to memory of 3020	1820	indiagamcaa.exe	33

C:\Users\Admin\AppData\Local\Temp\197457e67839237b37ba89c3a60f86be.exe
"C:\Users\Admin\AppData\Local\Temp\197457e67839237b37ba89c3a60f86be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\197457e67839237b37ba89c3a60f86be.exe
  "C:\Users\Admin\AppData\Local\Temp\197457e67839237b37ba89c3a60f86be.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\NJHXV.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "indiagamcaaa" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe" /f
      4⤵
      Adds Run key to start application
      PID:2140
- - C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe
    "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe
      "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NJHXV.bat

Filesize
158B

MD5
033ff48e13742ca54269e0846484b830

SHA1
082ce1eed215dda59ea75a8227f8cd0e1b15d36f

SHA256
597efbff7588882d8866604df4e7a4f715418a7d9bae4736029412fda3bfa455

SHA512
8727692731b3788a5f8a5b5d4e79f009a8953d9a236f66e4cdc963c82c9aff3b6e833a491f78f88d55d8bad4d46f5d81e279974600ddbe5ea2c42003f043adda

Download Submit
\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe

Filesize
132KB

MD5
42e5f8d602f0285d514c40d5b6d52117

SHA1
b493076ba775765fa3638a1ccb327ff64711428a

SHA256
53dfb90aed613d90e3e2e858fb02d3cf10c0eb4caf0afd59d589f147dc1f1882

SHA512
d093666c5813e7dd5e15dc86418e9e04ef6b0e07f9feeead1f6b8a26589009330f418e2c56440b1a7a9acf9a4f12105c2d367f047b28d1c504569138980cdab0

Download Submit
memory/584-197-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/584-194-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/584-465-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2336-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2336-8-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2336-10-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2336-20-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2336-64-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/3020-435-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3020-468-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads