0b615bc5d4a0128a5cc106a10e867203997c2b6c79eae72db8dc0df8a20abee2

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

517151ca9fdfbb9fd142d796ec747269.exe
Size

14KB
MD5

517151ca9fdfbb9fd142d796ec747269
SHA1

f7161948e279898acbebccd58bc102d9ec683d46
SHA256

0b615bc5d4a0128a5cc106a10e867203997c2b6c79eae72db8dc0df8a20abee2
SHA512

e603751547521545b20c1bdcf74dd2f14e39b1d8dbe9377a09318160dc3d572a0d417b2b401acc533c1283b8b1585c26f4006423119af4b5a07c2e33e2848d84
SSDEEP

384:KrmkgsOfrZipsWArJWtUH5JF+ZcN1nHI:K6vRfUpsWkWtZqd

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
560	woodkenk.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/408-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/408-6-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/560-7-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\woodken.dll	517151ca9fdfbb9fd142d796ec747269.exe
File created	C:\Windows\SysWOW64\woodkenk.exe	517151ca9fdfbb9fd142d796ec747269.exe
File opened for modification	C:\Windows\SysWOW64\woodkenk.exe	517151ca9fdfbb9fd142d796ec747269.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 560	408	517151ca9fdfbb9fd142d796ec747269.exe	37
PID 408 wrote to memory of 560	408	517151ca9fdfbb9fd142d796ec747269.exe	37
PID 408 wrote to memory of 560	408	517151ca9fdfbb9fd142d796ec747269.exe	37
PID 408 wrote to memory of 3656	408	517151ca9fdfbb9fd142d796ec747269.exe	102
PID 408 wrote to memory of 3656	408	517151ca9fdfbb9fd142d796ec747269.exe	102
PID 408 wrote to memory of 3656	408	517151ca9fdfbb9fd142d796ec747269.exe	102

C:\Users\Admin\AppData\Local\Temp\517151ca9fdfbb9fd142d796ec747269.exe
"C:\Users\Admin\AppData\Local\Temp\517151ca9fdfbb9fd142d796ec747269.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\SysWOW64\woodkenk.exe
  C:\Windows\system32\woodkenk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\517151ca9fdfbb9fd142d796ec747269.exe.bat
  2⤵
  PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\517151ca9fdfbb9fd142d796ec747269.exe.bat

Filesize
182B

MD5
d1f8b8fdbaafa15f88ebab44393aecff

SHA1
3273fc89f88acd732ae26725e2f9d644384d6708

SHA256
0389815f04877385bfcbf0346a2f7ee99a16a3c8aa1352d8c188020cd739fbcd

SHA512
ff8f5974de158a6f9b48212ad5ba2d29961f83692aac83363effe5c090946ef9811e3560ead86e571258ba180391e7aa44fca011d18f042a67a961c8d1f0b08e

Download Submit
memory/408-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/408-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/560-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download