d5b074815c82a4c40fc66cb5f39ba8e06c08703f7f19c4259d48d406f3b4a5db

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

641c6fb84810707c46796249f937093e.exe
Size

14KB
MD5

641c6fb84810707c46796249f937093e
SHA1

0fd064136aa1dba8a6035d879b16beedcfb66477
SHA256

d5b074815c82a4c40fc66cb5f39ba8e06c08703f7f19c4259d48d406f3b4a5db
SHA512

b13110d66966e4f55dc8de2b1933ab76a7d142c292eb97c757a5a7424bf3813488f005a36375932476d7dc87f714f2b5bfd349e3fe4d3db914e63091463b5825
SSDEEP

384:s9bC8jZfXqHVR97epUeI4xp9Lw1iPL643mNc:Kb7lfXq1v2TPj98iPL643mN

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2080	kodensk.exe

Loads dropped DLL 2 IoCs

pid	Process
1180	641c6fb84810707c46796249f937093e.exe
1180	641c6fb84810707c46796249f937093e.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1180-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1180-4-0x00000000001C0000-0x00000000001CF000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-3.dat	upx
behavioral1/memory/1180-11-0x00000000001C0000-0x00000000001CF000-memory.dmp	upx
behavioral1/memory/2080-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1180-13-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kodens.dll	641c6fb84810707c46796249f937093e.exe
File created	C:\Windows\SysWOW64\kodensk.exe	641c6fb84810707c46796249f937093e.exe
File opened for modification	C:\Windows\SysWOW64\kodensk.exe	641c6fb84810707c46796249f937093e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2080	1180	641c6fb84810707c46796249f937093e.exe	28
PID 1180 wrote to memory of 2080	1180	641c6fb84810707c46796249f937093e.exe	28
PID 1180 wrote to memory of 2080	1180	641c6fb84810707c46796249f937093e.exe	28
PID 1180 wrote to memory of 2080	1180	641c6fb84810707c46796249f937093e.exe	28
PID 1180 wrote to memory of 2732	1180	641c6fb84810707c46796249f937093e.exe	31
PID 1180 wrote to memory of 2732	1180	641c6fb84810707c46796249f937093e.exe	31
PID 1180 wrote to memory of 2732	1180	641c6fb84810707c46796249f937093e.exe	31
PID 1180 wrote to memory of 2732	1180	641c6fb84810707c46796249f937093e.exe	31

C:\Users\Admin\AppData\Local\Temp\641c6fb84810707c46796249f937093e.exe
"C:\Users\Admin\AppData\Local\Temp\641c6fb84810707c46796249f937093e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\kodensk.exe
  C:\Windows\system32\kodensk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\641c6fb84810707c46796249f937093e.exe.bat
  2⤵
  - Deletes itself
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\641c6fb84810707c46796249f937093e.exe.bat

Filesize
182B

MD5
d06fc6cfacc986d1608833de18773bad

SHA1
0610f9b5d239bfee429fc6def3e3d542ffd963ba

SHA256
4256018d9c473cd9eece4b25619dc185dd40d0cd529a2fa2919cc098e455a5d3

SHA512
3771c577db2b7a88e7f99ab36cddfb6c6429659b9f765ca8d276826c8e0a62f51ad48454662d618844e1d335af8efa25c05e37a9c13ad595cd6de1a97db5f97b

Download Submit
\Windows\SysWOW64\kodensk.exe

Filesize
14KB

MD5
641c6fb84810707c46796249f937093e

SHA1
0fd064136aa1dba8a6035d879b16beedcfb66477

SHA256
d5b074815c82a4c40fc66cb5f39ba8e06c08703f7f19c4259d48d406f3b4a5db

SHA512
b13110d66966e4f55dc8de2b1933ab76a7d142c292eb97c757a5a7424bf3813488f005a36375932476d7dc87f714f2b5bfd349e3fe4d3db914e63091463b5825

Download Submit
memory/1180-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1180-4-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/1180-11-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/1180-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2080-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download