e6fc16832bfea3a36cddafcb29380e31aad6a1e0c867952705b1ea33792312a5

Analysis

max time kernel
151s
max time network
162s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45f5982659f8859a571e5e7428212d71.exe
Size

134KB
MD5

45f5982659f8859a571e5e7428212d71
SHA1

44311718558d59126bf46ff11373fb3b65cfb338
SHA256

e6fc16832bfea3a36cddafcb29380e31aad6a1e0c867952705b1ea33792312a5
SHA512

7b8a8fde89298304b73ebeb37c32d2ab57b5354d781e09e39b855ff9f753b8b3b944ad258af3741b60b77af5d0a09c9df4e355a19659e0d1f017ba0c2f0d1e78
SSDEEP

3072:z6Y86ICOgKZBEt3t04XaWxIBUFCneGFYYBuVTCFDQ:OY86kgKs3t0PWWBCUeukCFE

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	Sxypia.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2092-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x002d000000016c14-7.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\KCSCPW1HKH = "C:\\Windows\\Sxypia.exe"	Sxypia.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Sxypia.exe	45f5982659f8859a571e5e7428212d71.exe
File opened for modification	C:\Windows\Sxypia.exe	45f5982659f8859a571e5e7428212d71.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	45f5982659f8859a571e5e7428212d71.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	45f5982659f8859a571e5e7428212d71.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	Sxypia.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\International	Sxypia.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe
2668	Sxypia.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2668	2092	45f5982659f8859a571e5e7428212d71.exe	28
PID 2092 wrote to memory of 2668	2092	45f5982659f8859a571e5e7428212d71.exe	28
PID 2092 wrote to memory of 2668	2092	45f5982659f8859a571e5e7428212d71.exe	28
PID 2092 wrote to memory of 2668	2092	45f5982659f8859a571e5e7428212d71.exe	28

C:\Users\Admin\AppData\Local\Temp\45f5982659f8859a571e5e7428212d71.exe
"C:\Users\Admin\AppData\Local\Temp\45f5982659f8859a571e5e7428212d71.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\Sxypia.exe
  C:\Windows\Sxypia.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Sxypia.exe

Filesize
67KB

MD5
1ade09aba906ad432174fadc234fd297

SHA1
68f3d643610dcadc25ff8b7a24daffcc5fdf8332

SHA256
3fbec6531cb95d2733a741e4c96c0bb67b89ba04c0803d5398a154417571d302

SHA512
1ebe6b26906a5541103a3409e32276590436fd74b97f26d154193870022627201e67a7cd3ba892c84ed3bb37a51b52bc7c1b2a76fdd74c689447162bd17f4bfd

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
344B

MD5
5cb60d15f569d1a768e7c5e5d64534b5

SHA1
a525c9f9e049cece3757051cdabbb39b7300b57f

SHA256
ae83ad4fe62a84ddf2ad0189aa899156ba6ea1bcf301f7d3f6ff965a17f5002c

SHA512
4bc2880169d52daa2f98dbb11f17abc380a36436018fc1d9cabba690952720680b7d6dfb57752d426fcff1345387489c0278e68c4239fbd7f62001dbfe5cd1f1

Download Submit
memory/2092-41669-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2092-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2092-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2092-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2092-14467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-48311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-34165-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-48312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-48313-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-48314-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-48315-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-48317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-48321-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2668-48322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download