a6751cc4653a458f29d1f03730521d85d7664f31b6ec3c5ba1a701bbcf04e261

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PNYUprising_V1.0.0.025.exe
Size

8.0MB
MD5

14c710804e09edc81c6d97518c57158f
SHA1

18e3ffdf6b1b7b81c5d38ad38e3e1fd221c36f9b
SHA256

a6751cc4653a458f29d1f03730521d85d7664f31b6ec3c5ba1a701bbcf04e261
SHA512

1310cea12cf87ba199ee2b4a3216675b3dff714e56843c20e59b64b7c17a11af1fddb6c016a560d7158c5797c3f36d7f2f592a463e76f4d00164b78e36e7c105
SSDEEP

196608:bFOzDWrAvld4ExHtsOf/6h1yztYYjnROz:4zDCa1xHt5/6DeHRI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2532	PNYUprising_V1.0.0.025.tmp

Loads dropped DLL 5 IoCs

pid	Process
2232	PNYUprising_V1.0.0.025.exe
2532	PNYUprising_V1.0.0.025.tmp
2532	PNYUprising_V1.0.0.025.tmp
2532	PNYUprising_V1.0.0.025.tmp
2532	PNYUprising_V1.0.0.025.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PNYUprising\unins000.dat	PNYUprising_V1.0.0.025.tmp
File opened for modification	C:\Program Files (x86)\PNYUprising\PNYUprising.exe	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-1KCTA.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-27NOL.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-QUTMJ.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-EVMNN.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-KINC9.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-R5VK7.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-F9DPV.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-EGR0N.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-R7A41.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-VSURA.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-74Q2G.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-8Q4CU.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-DH17K.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-C62B7.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-TCOMV.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\is-539IC.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-OU7SH.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-KK63P.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\unins000.dat	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-LPANP.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-OKDA2.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-I5SC1.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-Q79PE.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-92GL5.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-56Q72.tmp	PNYUprising_V1.0.0.025.tmp
File opened for modification	C:\Program Files (x86)\PNYUprising\BIOS\nvflash32.exe	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-MIS67.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-TU6EV.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-T4Q55.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-S6SVH.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-2P5UN.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-36QI1.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-EA46V.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-8A7DG.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-NKII3.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-UOVJE.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-AH4ID.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-17C2M.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-JCTSA.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-FO2HE.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-DEQ09.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-HTPEI.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-K03C5.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-R68EJ.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-LE4QP.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-GNISD.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-BE4GA.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-OES85.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-LKG4U.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-MAMB6.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-9C8M7.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-SFCU5.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\is-6T7FG.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-ATROF.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-TMH15.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-CRTJU.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-UI563.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-7DG88.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-A62KV.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\BIOS\is-P6HTQ.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-G64C3.tmp	PNYUprising_V1.0.0.025.tmp
File created	C:\Program Files (x86)\PNYUprising\Resources\is-E2SQ8.tmp	PNYUprising_V1.0.0.025.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\is-FAU9S.tmp	PNYUprising_V1.0.0.025.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2532	PNYUprising_V1.0.0.025.tmp
2532	PNYUprising_V1.0.0.025.tmp
2532	PNYUprising_V1.0.0.025.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2532	PNYUprising_V1.0.0.025.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2532	2232	PNYUprising_V1.0.0.025.exe	28
PID 2232 wrote to memory of 2532	2232	PNYUprising_V1.0.0.025.exe	28
PID 2232 wrote to memory of 2532	2232	PNYUprising_V1.0.0.025.exe	28
PID 2232 wrote to memory of 2532	2232	PNYUprising_V1.0.0.025.exe	28
PID 2232 wrote to memory of 2532	2232	PNYUprising_V1.0.0.025.exe	28
PID 2232 wrote to memory of 2532	2232	PNYUprising_V1.0.0.025.exe	28
PID 2232 wrote to memory of 2532	2232	PNYUprising_V1.0.0.025.exe	28

C:\Users\Admin\AppData\Local\Temp\PNYUprising_V1.0.0.025.exe
"C:\Users\Admin\AppData\Local\Temp\PNYUprising_V1.0.0.025.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\is-NRIAE.tmp\PNYUprising_V1.0.0.025.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NRIAE.tmp\PNYUprising_V1.0.0.025.tmp" /SL5="$4010A,7543343,785408,C:\Users\Admin\AppData\Local\Temp\PNYUprising_V1.0.0.025.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PNYUprising\PNYUprising.exe

Filesize
9.8MB

MD5
1bae2fe574c3dcda1499cc5d87342e39

SHA1
652c280cda85cd39890b04554947f57494f3ae68

SHA256
f6d2da45b2a6f0f76c2b9fa56131bbf1764e8bca8756166764fc3458345e2732

SHA512
e06b744bb1d9b3bb0831562a10d944b4e33eb31c0a3d1fe40531ab96c2219856241ea654d9ced54b69148da8a2354f67e84962f3176771a697b8b06c85b87c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NRIAE.tmp\PNYUprising_V1.0.0.025.tmp

Filesize
960KB

MD5
e12c1692ea0db9e0255075c264e49e39

SHA1
022622329c19911f9ec2e1efd99ab5daaa9b4736

SHA256
8681b321baa181fc6bc9dbdfbf87c39df64c872439ca564dd6d56164ede0f81e

SHA512
4ff039876f129e8a777085d751a12bc75a6ab74839fab711110c3920f8abf1e9d26a1d2257df77a972f958454da4dda8f691c74b2e3da1459bd9a3934e346578

Download Submit
\Program Files (x86)\PNYUprising\PNYUprising.exe

Filesize
6.2MB

MD5
c38567626d9b0d53e516da6d13d39a86

SHA1
74b91492edb5c9881dab0c353151a7c77aa0c489

SHA256
be493083bee3a708d374d061bb5056f6a00615f23a248c12e59938cf3374e154

SHA512
687975d12015423552d6516a245a77dc986d3f3563ee60158bee4926389d216f230b9b475b772171524efd1a141917b13a5211102bfdd6858d331917ab8aa0ca

Download Submit
\Program Files (x86)\PNYUprising\PNYUprising.exe

Filesize
6.5MB

MD5
aa43e1c74f6528e2c20046bea15144c7

SHA1
68d71fd5dcfff4fd92879e9fb406612f416a2f24

SHA256
b07699356f92c18208d7beb0f9d71a1676d18ad86b1aa9b20f4a3dd330111cfa

SHA512
2b0487a9a2618a2cac5082512b8e22782413c6dc40f13bf10b2cbb30fa69edce38d3c4b91abc6e38c19b192db9ca9c4edf56b0120be7b2eab7058c1b3c45a2f8

Download Submit
\Program Files (x86)\PNYUprising\unins000.exe

Filesize
2.9MB

MD5
78e21e6c2e1f93f1871aa1e90457d973

SHA1
3d59773ef8dbf398998997357eab56a756908833

SHA256
b2d3c5fa4e0c409ff30b6c96ad571e505201d6ace1a872990714054b7809257e

SHA512
64073e3a4c6e91f6685d59214880243d59ecb46a7384182f7e57f0ea2a7fb75619da15e8dbff880ce1f12612789ef00cd793886a4a9dc9a6dd2d733a65ac6d4f

Download Submit
\Users\Admin\AppData\Local\Temp\is-3O8RI.tmp\psvince.dll

Filesize
43KB

MD5
c413ee1a8be7906f98d681e831026692

SHA1
dd0d81dfe55461fa542b17636d0ffda9e343eb85

SHA256
7250d7a3e3da906147fa01fe6ac0bac6b1b16e1b27a1d4d8d4eb00422c2d9a4d

SHA512
549462e82a9f926de5d6c42337a43246cbf8fb6c5de5af3f8f3cdbcc155d4a45e8d10ded098778034dbea22059f61e7fe0a88fd86df57dcca687ede160fa7002

Download Submit
\Users\Admin\AppData\Local\Temp\is-NRIAE.tmp\PNYUprising_V1.0.0.025.tmp

Filesize
2.9MB

MD5
0977502d1e1b52149de49ca9fe683626

SHA1
6acd4c71ebde1757f8b82f4e907ae31727f758a2

SHA256
571b7a3b9a4a525378e74a37006bf081d17928549690c34aff9ea655682617b6

SHA512
cada7326d78e691fb8dd53fafd331bac07fe8bb8b79c264e4fe82b5493bbf4c5f19aed54c9b8a8fc5c47cc7c7226021303868c18f462e31f7709025a316b867c

Download Submit
memory/2232-1-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2232-248-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2532-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2532-247-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download