8ae14923da560d96f51d83b829f00fb05d387544db008afc224a57449edfb03d

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 22:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

599faa3835c02686483fa8b03a9df79c.exe
Size

11KB
MD5

599faa3835c02686483fa8b03a9df79c
SHA1

baf36203c7f1c6b9965db83367e3a4744e33557c
SHA256

8ae14923da560d96f51d83b829f00fb05d387544db008afc224a57449edfb03d
SHA512

72f3e35b8bfeb898be5b00af855f294b3b941e11d25eff77462e7374a32b0ccd5a05a4abc85e8cd7a8c1cd76c3fe10e0aac93db6368478fbe74cea0940bcb83e
SSDEEP

192:82OdpCvccuSM3KWjnjnie3HPNFODY3TQQxA1fIpT0MgcAAId28/idgbxUZ0aYD2:82CCkcbM3KWjjx/ODY3T3xRppg5pIsij

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	xsiscok.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	599faa3835c02686483fa8b03a9df79c.exe
2380	599faa3835c02686483fa8b03a9df79c.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000b000000015c3d-3.dat	upx
behavioral1/memory/2380-4-0x00000000001C0000-0x00000000001CF000-memory.dmp	upx
behavioral1/memory/3008-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2380-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xsisco.dll	599faa3835c02686483fa8b03a9df79c.exe
File created	C:\Windows\SysWOW64\xsiscok.exe	599faa3835c02686483fa8b03a9df79c.exe
File opened for modification	C:\Windows\SysWOW64\xsiscok.exe	599faa3835c02686483fa8b03a9df79c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3008	2380	599faa3835c02686483fa8b03a9df79c.exe	28
PID 2380 wrote to memory of 3008	2380	599faa3835c02686483fa8b03a9df79c.exe	28
PID 2380 wrote to memory of 3008	2380	599faa3835c02686483fa8b03a9df79c.exe	28
PID 2380 wrote to memory of 3008	2380	599faa3835c02686483fa8b03a9df79c.exe	28
PID 2380 wrote to memory of 2600	2380	599faa3835c02686483fa8b03a9df79c.exe	29
PID 2380 wrote to memory of 2600	2380	599faa3835c02686483fa8b03a9df79c.exe	29
PID 2380 wrote to memory of 2600	2380	599faa3835c02686483fa8b03a9df79c.exe	29
PID 2380 wrote to memory of 2600	2380	599faa3835c02686483fa8b03a9df79c.exe	29

C:\Users\Admin\AppData\Local\Temp\599faa3835c02686483fa8b03a9df79c.exe
"C:\Users\Admin\AppData\Local\Temp\599faa3835c02686483fa8b03a9df79c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\xsiscok.exe
  C:\Windows\system32\xsiscok.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\599faa3835c02686483fa8b03a9df79c.exe.bat
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\599faa3835c02686483fa8b03a9df79c.exe.bat

Filesize
182B

MD5
6e3a760b2ecc657fd97f6bc478278495

SHA1
c7e0144602a6df85867ee0d0b9b7fbb093d1d3c6

SHA256
6153f5cc4a9a46ae1b1f911dcae98b144ba4cf0b722821384f1e5393b37a8e2c

SHA512
e379ebedd3bd3198911f23af841d50d1373df463e5994a6466d63a16163564316246d53a93782d67f740cffd6b8bb7e5c2690fc61d0aaef7bc87388e4749e811

Download Submit
\Windows\SysWOW64\xsiscok.exe

Filesize
11KB

MD5
599faa3835c02686483fa8b03a9df79c

SHA1
baf36203c7f1c6b9965db83367e3a4744e33557c

SHA256
8ae14923da560d96f51d83b829f00fb05d387544db008afc224a57449edfb03d

SHA512
72f3e35b8bfeb898be5b00af855f294b3b941e11d25eff77462e7374a32b0ccd5a05a4abc85e8cd7a8c1cd76c3fe10e0aac93db6368478fbe74cea0940bcb83e

Download Submit
memory/2380-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2380-4-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/2380-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2380-16-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/3008-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download