11b522d5be53f0a1016e1882def9131aeae5d8d8ddf803f909acf2360e41170d

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

642914200f5bd137407918d0d31a4fa9.exe
Size

12KB
MD5

642914200f5bd137407918d0d31a4fa9
SHA1

fd58609b54a143c2a1af37d5ca278cd4ef222028
SHA256

11b522d5be53f0a1016e1882def9131aeae5d8d8ddf803f909acf2360e41170d
SHA512

49b218a1fbad31a9cafd0d149d1fec19547568ea75c3715aaee61155cf652b506ecfc99124d584e5bccec5d48dba7aaa1209225065c24d15f4bf2721e1c8ce9d
SSDEEP

192:phK1pyzlQHGl/GV4c9ZI9Zbl6TH1FRpPtRRaP0rqjWGosSbyA6Ybc9cJhmDNQhcK:psqzlXV2hYd65Z8PSqLDR8kcJINQr

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	micsusk.exe

Loads dropped DLL 2 IoCs

pid	Process
1132	642914200f5bd137407918d0d31a4fa9.exe
1132	642914200f5bd137407918d0d31a4fa9.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1132-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0009000000012270-3.dat	upx
behavioral1/memory/1728-10-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1132-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1728-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\micsus.dll	642914200f5bd137407918d0d31a4fa9.exe
File created	C:\Windows\SysWOW64\micsusk.exe	642914200f5bd137407918d0d31a4fa9.exe
File opened for modification	C:\Windows\SysWOW64\micsusk.exe	642914200f5bd137407918d0d31a4fa9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1728	1132	642914200f5bd137407918d0d31a4fa9.exe	28
PID 1132 wrote to memory of 1728	1132	642914200f5bd137407918d0d31a4fa9.exe	28
PID 1132 wrote to memory of 1728	1132	642914200f5bd137407918d0d31a4fa9.exe	28
PID 1132 wrote to memory of 1728	1132	642914200f5bd137407918d0d31a4fa9.exe	28
PID 1132 wrote to memory of 2924	1132	642914200f5bd137407918d0d31a4fa9.exe	29
PID 1132 wrote to memory of 2924	1132	642914200f5bd137407918d0d31a4fa9.exe	29
PID 1132 wrote to memory of 2924	1132	642914200f5bd137407918d0d31a4fa9.exe	29
PID 1132 wrote to memory of 2924	1132	642914200f5bd137407918d0d31a4fa9.exe	29

C:\Users\Admin\AppData\Local\Temp\642914200f5bd137407918d0d31a4fa9.exe
"C:\Users\Admin\AppData\Local\Temp\642914200f5bd137407918d0d31a4fa9.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\micsusk.exe
  C:\Windows\system32\micsusk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\642914200f5bd137407918d0d31a4fa9.exe.bat
  2⤵
  - Deletes itself
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\642914200f5bd137407918d0d31a4fa9.exe.bat

Filesize
182B

MD5
1b092592061f4f7c9a32aa9bb195c453

SHA1
116921ef8ccdbc0792fc9e0e440e5180f0afb8fb

SHA256
83b69a6dc638f15c30f46a33399b118eb3e57d7ffb15c37f224370de4643b4ae

SHA512
39f471a081bb7b811986ef776cb95da28cd3193715904e8cfb07edf96a2cc9076ca2c577a7e7123ee76ac1b911c282a134daea926117c3a99f6b3f6b39f59e27

Download Submit
\Windows\SysWOW64\micsusk.exe

Filesize
12KB

MD5
642914200f5bd137407918d0d31a4fa9

SHA1
fd58609b54a143c2a1af37d5ca278cd4ef222028

SHA256
11b522d5be53f0a1016e1882def9131aeae5d8d8ddf803f909acf2360e41170d

SHA512
49b218a1fbad31a9cafd0d149d1fec19547568ea75c3715aaee61155cf652b506ecfc99124d584e5bccec5d48dba7aaa1209225065c24d15f4bf2721e1c8ce9d

Download Submit
memory/1132-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1132-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1132-15-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/1728-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1728-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download