4d299228515385bfcb466fda99819998122fb1c491cf4c50ab41c32989cf33bd

Analysis

max time kernel
169s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25d583fbc78dfa8db63697d534560673.exe
Size

11KB
MD5

25d583fbc78dfa8db63697d534560673
SHA1

31b2f621e43b746d183a07d3548ccc93747659c8
SHA256

4d299228515385bfcb466fda99819998122fb1c491cf4c50ab41c32989cf33bd
SHA512

96c7aafc8ff92f7cbe392cf7cc37ac63e51e0d88d547e0d67c21b07f86d2ca7789a0d1b3e63bedb5d4fee529cbeb8dbf7d53ca7007efb3295f10b20c3997ec8f
SSDEEP

192:KhsbfWNbbjBiZ/GB1BY03dP7npUs6e17A9PxoeTW7aRIgIic1Vy3bu+:Msbfabb1iZeBciWs6e17YPxxTS06iuV0

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1900	axclik.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1324-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0007000000023234-4.dat	upx
behavioral2/memory/1324-8-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1900-10-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\axcli.dll	25d583fbc78dfa8db63697d534560673.exe
File created	C:\Windows\SysWOW64\axclik.exe	25d583fbc78dfa8db63697d534560673.exe
File opened for modification	C:\Windows\SysWOW64\axclik.exe	25d583fbc78dfa8db63697d534560673.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1900	1324	25d583fbc78dfa8db63697d534560673.exe	88
PID 1324 wrote to memory of 1900	1324	25d583fbc78dfa8db63697d534560673.exe	88
PID 1324 wrote to memory of 1900	1324	25d583fbc78dfa8db63697d534560673.exe	88
PID 1324 wrote to memory of 3460	1324	25d583fbc78dfa8db63697d534560673.exe	91
PID 1324 wrote to memory of 3460	1324	25d583fbc78dfa8db63697d534560673.exe	91
PID 1324 wrote to memory of 3460	1324	25d583fbc78dfa8db63697d534560673.exe	91

C:\Users\Admin\AppData\Local\Temp\25d583fbc78dfa8db63697d534560673.exe
"C:\Users\Admin\AppData\Local\Temp\25d583fbc78dfa8db63697d534560673.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\axclik.exe
  C:\Windows\system32\axclik.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\25d583fbc78dfa8db63697d534560673.exe.bat
  2⤵
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25d583fbc78dfa8db63697d534560673.exe.bat

Filesize
182B

MD5
ec30dc5b75a2a3a44ce0a5b2806bea26

SHA1
4e1c9d31620e86cadc8edc7178f48eb9dc616a02

SHA256
a87cf9049939b838c72af39efa88f2684744c8ea08f1da1b24ff7c8310c222dc

SHA512
14350b21d826853d9426c7045f8948a4c78d0d70cd18cea30dcfdeb4c21946cc134acbda875cb4da045955dc3800505d0cc5a37394acb7b2dd60d6b8d35b471d

Download Submit
C:\Windows\SysWOW64\axclik.exe

Filesize
11KB

MD5
25d583fbc78dfa8db63697d534560673

SHA1
31b2f621e43b746d183a07d3548ccc93747659c8

SHA256
4d299228515385bfcb466fda99819998122fb1c491cf4c50ab41c32989cf33bd

SHA512
96c7aafc8ff92f7cbe392cf7cc37ac63e51e0d88d547e0d67c21b07f86d2ca7789a0d1b3e63bedb5d4fee529cbeb8dbf7d53ca7007efb3295f10b20c3997ec8f

Download Submit
memory/1324-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1324-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1900-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download