a212b00fc2ef30cbe2a896d2312739a6757f01730675bfbdf44470736160a024

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e304a34ea425d0e9e247779025675e1.exe
Size

132KB
MD5

4e304a34ea425d0e9e247779025675e1
SHA1

bad2e8e6189fc8363a89ec3a1a1fd1112c1de9a4
SHA256

a212b00fc2ef30cbe2a896d2312739a6757f01730675bfbdf44470736160a024
SHA512

1673f90c9e7f29636cc2f41fd9b2dae1b3ba969a4e9607669eb19c6208f7735e56ae112a2cdfe60252f7b42afdc2d60d184ffa16b2aaa3b026858356b89c2411
SSDEEP

3072:4NlVOkquTD5GtVOlibl6sLVIgSsr8WZTru5PBh1Eimb:4NvtTeKibl6qVZZnu55h1Lmb

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4392	mppzgu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023217-7.dat	upx
behavioral2/memory/4392-9-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4392-10-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\mppzg	mppzgu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	mppzgu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	mppzgu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	mppzgu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\mppzg\\command	mppzgu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	mppzgu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\mppzg	mppzgu.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1436	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 1628	4508	4e304a34ea425d0e9e247779025675e1.exe	87
PID 4508 wrote to memory of 1628	4508	4e304a34ea425d0e9e247779025675e1.exe	87
PID 4508 wrote to memory of 1628	4508	4e304a34ea425d0e9e247779025675e1.exe	87
PID 1628 wrote to memory of 4392	1628	cmd.exe	89
PID 1628 wrote to memory of 4392	1628	cmd.exe	89
PID 1628 wrote to memory of 4392	1628	cmd.exe	89
PID 1628 wrote to memory of 1436	1628	cmd.exe	90
PID 1628 wrote to memory of 1436	1628	cmd.exe	90
PID 1628 wrote to memory of 1436	1628	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\4e304a34ea425d0e9e247779025675e1.exe
"C:\Users\Admin\AppData\Local\Temp\4e304a34ea425d0e9e247779025675e1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\icitnhn.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\mppzgu.exe
    "C:\Users\Admin\AppData\Local\Temp\mppzgu.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4392
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\icitnhn.bat

Filesize
124B

MD5
f1014e70de518a9d516d81b04827195c

SHA1
e850091fc745486ce1e03ee118ccc38b9af853fc

SHA256
24ef17a34fd9978ee949c513ddcc872370774cedbbdcb59697bc781f307edeb1

SHA512
c562807035999d86cc7e5daa6ee85c1fc55a2e51b8c5ba70d1f1f643d1eab7ecd0dd45ae5bd453f78ae9306681ba743a07903cabb6a36ceecc3305c5747e0271

Download Submit
C:\Users\Admin\AppData\Local\Temp\mppzgu.exe

Filesize
82KB

MD5
d9baf78cdb4ef2906434f8010d6247ac

SHA1
16d0e1d1ab3d404b3f01188e194c5ea2833138e0

SHA256
c2f6e0bed2534734220de8d46d2d935779dd5d0cfdaf3964a29dfb89a3de0a10

SHA512
62dbb1fb43ec693ac0b7e4ed816b5b3af0609a3c0ca098870a40523d4294add7cb2a6d365676ac62d447da6027703b2fcc245b6fcd4d44f58ebda5e1e158593c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjcpay.bat

Filesize
156B

MD5
a8522d4950c614d58a25904fbe41efb3

SHA1
8be18d1d120ff72bf437849ae0eb79d93d2cd19c

SHA256
4b67fde49d93b89f09c948b30e6862b571af931a5f551b5852ab62386dcf0eda

SHA512
17b208cc0d3fd5bccca5c56facf49a84a52dc4b4321b365667d0e80e7aea483c312c6a7feb2c71726d1ce8420c8ec157f20c3e4901bea3f665324e1997a43797

Download Submit
memory/4392-9-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4392-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download