0c2e45b4a3db1db3446ed9d2dc8df68693f2dbf28a63c224f7927251ad7635ae

Analysis

max time kernel
163s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46b24138674479aed8ff5f04988f9dae.exe
Size

27KB
MD5

46b24138674479aed8ff5f04988f9dae
SHA1

21e1bf9085a56cbbad89fe3cdf93acaa242766e8
SHA256

0c2e45b4a3db1db3446ed9d2dc8df68693f2dbf28a63c224f7927251ad7635ae
SHA512

7bc89d1ba87ecd274ef9c4934ecf7c9b4027c387629c268e0c78019508399526d439309a97bc0a69cf610dcb4430e23947c142ecad85f9064bd563fdfd3c6869
SSDEEP

384:sGWcozsPUJqSc4ACc8tN9fgC7YohxtUNNHePnYCLzPbFteZBxoO:Kcotc4ACcqvWNsPnvzPb7uno

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	46b24138674479aed8ff5f04988f9dae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\rare = "C:\\Users\\Admin\\AppData\\Local\\Temp\\46b24138674479aed8ff5f04988f9dae.exe"	46b24138674479aed8ff5f04988f9dae.exe

Executes dropped EXE 1 IoCs

pid	Process
1012	imsmn.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00050000000006e9-2.dat	upx
behavioral2/memory/1012-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1012-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
1012	imsmn.exe
1012	imsmn.exe
4896	46b24138674479aed8ff5f04988f9dae.exe
4896	46b24138674479aed8ff5f04988f9dae.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 1012	4896	46b24138674479aed8ff5f04988f9dae.exe	88
PID 4896 wrote to memory of 1012	4896	46b24138674479aed8ff5f04988f9dae.exe	88
PID 4896 wrote to memory of 1012	4896	46b24138674479aed8ff5f04988f9dae.exe	88

C:\Users\Admin\AppData\Local\Temp\46b24138674479aed8ff5f04988f9dae.exe
"C:\Users\Admin\AppData\Local\Temp\46b24138674479aed8ff5f04988f9dae.exe"
1⤵
- Adds policy Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\imsmn.exe
  C:\Users\Admin\AppData\Local\Temp\imsmn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\imsmn.exe

Filesize
6KB

MD5
f745a8951190966a531e6ff6b50abc1b

SHA1
fb8bc17d4849532a73f063c3121711fc49cd5842

SHA256
e60230b6e17a05f581a68bcddd30c152aabdc93134c999cf4fdd62ff4f85dc19

SHA512
a7134846ffec2da02f99bba933868451da16a5edb09cb2f299a20ac611a5a676a2826046f3f33ad338ca66ddebe8bb3326d31f998b5791411b1e98c3afd133f6

Download Submit
memory/1012-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1012-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download