c5ae060ed4b77cc70901f44f187570915ae3ee67a0fc71440ffb43c6114c6980

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a282b5d0d5420f94989a87b21e5b149.exe
Size

448KB
MD5

1a282b5d0d5420f94989a87b21e5b149
SHA1

206df1eeddddbff9bf6a9e678a6122dcc2b59a67
SHA256

c5ae060ed4b77cc70901f44f187570915ae3ee67a0fc71440ffb43c6114c6980
SHA512

c4de17b72a6e2dcc7e47a06b1b70db7915a73d7c86c2aa1dab1f20b60138130dc061d3577eeaf9bbebbf8738ee9a0c265c8ea4ac4be0552cbf0fd2a0f92bba8c
SSDEEP

6144:/gZUzJg5m05lmVcNNij/BVfMe7yz6GVnwmkSY8lgbtjabm4BwY3tuvLmzMEGqFA7:/yUdg5XAjDfD7gwmou6Y9uT4LOEIFU2

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1808	kP01803NlOmI01803.exe

Executes dropped EXE 1 IoCs

pid	Process
1808	kP01803NlOmI01803.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2324-14-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/1808-25-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/1808-33-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kP01803NlOmI01803 = "C:\\ProgramData\\kP01803NlOmI01803\\kP01803NlOmI01803.exe"	kP01803NlOmI01803.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	1a282b5d0d5420f94989a87b21e5b149.exe
2324	1a282b5d0d5420f94989a87b21e5b149.exe
2324	1a282b5d0d5420f94989a87b21e5b149.exe
2324	1a282b5d0d5420f94989a87b21e5b149.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	1a282b5d0d5420f94989a87b21e5b149.exe
Token: SeDebugPrivilege	1808	kP01803NlOmI01803.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	kP01803NlOmI01803.exe
1808	kP01803NlOmI01803.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1808	2324	1a282b5d0d5420f94989a87b21e5b149.exe	91
PID 2324 wrote to memory of 1808	2324	1a282b5d0d5420f94989a87b21e5b149.exe	91
PID 2324 wrote to memory of 1808	2324	1a282b5d0d5420f94989a87b21e5b149.exe	91

C:\Users\Admin\AppData\Local\Temp\1a282b5d0d5420f94989a87b21e5b149.exe
"C:\Users\Admin\AppData\Local\Temp\1a282b5d0d5420f94989a87b21e5b149.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\ProgramData\kP01803NlOmI01803\kP01803NlOmI01803.exe
  "C:\ProgramData\kP01803NlOmI01803\kP01803NlOmI01803.exe" "C:\Users\Admin\AppData\Local\Temp\1a282b5d0d5420f94989a87b21e5b149.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kP01803NlOmI01803\kP01803NlOmI01803

Filesize
192B

MD5
3fccf7d604928788c118bd024ba34ec6

SHA1
606a850994dbcf0ac143f8f466ad620061d28f7c

SHA256
88aaf4d49f40ba9d3d7ecf9df0235357608e53cd53ce036dabf65c5c7348e17c

SHA512
bb55acf6d414504ae3ab7a487117ba040234a07aec4622c6a20ae3d557f9fccc6f82897fbdde7e72f6ef05d373f812598d506df3fc2c55a2736bd9f017fdffda

Download Submit
C:\ProgramData\kP01803NlOmI01803\kP01803NlOmI01803.exe

Filesize
448KB

MD5
9bc26400252031c5991975f8fe80ca9b

SHA1
51eb61fee15d92a6f7e9c4c22d8e28d1db0d68cf

SHA256
4b61b83b601a09815d0449edf6e3058c3fd47ad41b679920436f42f1cd79fb82

SHA512
b3a5cc010892dd37a33a7e1f9324d2f09c3af33801c904a7ed69a39cb6071e87e31d2d065840a509e70f1d84e1f346106b370070fb7200a8ae51e4bdcef58d55

Download Submit
C:\ProgramData\kP01803NlOmI01803\kP01803NlOmI01803.exe

Filesize
194KB

MD5
adb388af45e31d4936a822cefdcbf2f1

SHA1
1f47412b01789f34f6af462064987e292da84d18

SHA256
fd5b47f2d8fc6730fffd52db4e1fc69b16aa22bf210986fd5409563c7fd560b0

SHA512
9950f63e8498db06b1b13e895e395a7a950a2da5b7dd19df934a90a1057d02233c16cdc52bf96c0183216d3a0d127965484f325a28ecc63553fe1656dd7ccee7

Download Submit
memory/1808-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1808-17-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1808-25-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1808-27-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1808-33-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2324-2-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2324-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2324-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download