5a31ec03f44e86bda2d566e592145ef0007fffa04d921ad8e6e8bbc243e060f9

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17/01/2024, 22:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63c5dd65d496b7d327c59aa739fc7251.exe
Size

14KB
MD5

63c5dd65d496b7d327c59aa739fc7251
SHA1

acd46497235b210515b0ffb3016e527e0ded9c2b
SHA256

5a31ec03f44e86bda2d566e592145ef0007fffa04d921ad8e6e8bbc243e060f9
SHA512

2b718aafe612a9f96ef33b03553fbca75598a1703fe0bd0bacf3a3df00896f611b5366bea98ab52e99630f369e13429be300c124e9b7ae641e07026b4ac98d89
SSDEEP

384:IZE+RQ8rSD/4+7vTz35RQtfJ8Vi+Kl/VCMdP:IOauD/4+7TzpRQtfJxX0

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2028	meyotmek.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	63c5dd65d496b7d327c59aa739fc7251.exe
2236	63c5dd65d496b7d327c59aa739fc7251.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000a0000000144eb-3.dat	upx
behavioral1/memory/2028-11-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2236-19-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\meyotme.dll	63c5dd65d496b7d327c59aa739fc7251.exe
File created	C:\Windows\SysWOW64\meyotmek.exe	63c5dd65d496b7d327c59aa739fc7251.exe
File opened for modification	C:\Windows\SysWOW64\meyotmek.exe	63c5dd65d496b7d327c59aa739fc7251.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2236	63c5dd65d496b7d327c59aa739fc7251.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2028	2236	63c5dd65d496b7d327c59aa739fc7251.exe	28
PID 2236 wrote to memory of 2028	2236	63c5dd65d496b7d327c59aa739fc7251.exe	28
PID 2236 wrote to memory of 2028	2236	63c5dd65d496b7d327c59aa739fc7251.exe	28
PID 2236 wrote to memory of 2028	2236	63c5dd65d496b7d327c59aa739fc7251.exe	28
PID 2236 wrote to memory of 2760	2236	63c5dd65d496b7d327c59aa739fc7251.exe	29
PID 2236 wrote to memory of 2760	2236	63c5dd65d496b7d327c59aa739fc7251.exe	29
PID 2236 wrote to memory of 2760	2236	63c5dd65d496b7d327c59aa739fc7251.exe	29
PID 2236 wrote to memory of 2760	2236	63c5dd65d496b7d327c59aa739fc7251.exe	29

C:\Users\Admin\AppData\Local\Temp\63c5dd65d496b7d327c59aa739fc7251.exe
"C:\Users\Admin\AppData\Local\Temp\63c5dd65d496b7d327c59aa739fc7251.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\meyotmek.exe
  C:\Windows\system32\meyotmek.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\63c5dd65d496b7d327c59aa739fc7251.exe.bat
  2⤵
  - Deletes itself
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63c5dd65d496b7d327c59aa739fc7251.exe.bat

Filesize
182B

MD5
b2af2b3a500042cebb5d115071d83922

SHA1
b7da82fe617da8537e5b4f535a7f179c068265d3

SHA256
c11cfc525a9315104448fd999b5bfb948fb3107fdcec78cfc07c7ac8c1ebe5de

SHA512
0f1fb60fc3515977a5e6d0b1444e7fe2b77145378400d3375ff29f1c7fc1898ca140b1565f8957d229afea067e2c4feb0913dc02efc12dc47544e580d4f83502

Download Submit
\Windows\SysWOW64\meyotmek.exe

Filesize
14KB

MD5
63c5dd65d496b7d327c59aa739fc7251

SHA1
acd46497235b210515b0ffb3016e527e0ded9c2b

SHA256
5a31ec03f44e86bda2d566e592145ef0007fffa04d921ad8e6e8bbc243e060f9

SHA512
2b718aafe612a9f96ef33b03553fbca75598a1703fe0bd0bacf3a3df00896f611b5366bea98ab52e99630f369e13429be300c124e9b7ae641e07026b4ac98d89

Download Submit
memory/2028-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2236-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2236-10-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/2236-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download