Analysis
- max time kernel: 150s
- max time network: 92s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 17:44
Behavioral task: behavioral1
- Sample: 75200e77fbdd79b413d51974e55051f1.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 75200e77fbdd79b413d51974e55051f1.exe
- Resource: win10v2004-20231222-en
General
- Target: 75200e77fbdd79b413d51974e55051f1.exe
- Size: 10KB
- MD5: 75200e77fbdd79b413d51974e55051f1
- SHA1: 7286e784b8e3326a1a632466af3a7155772509c6
- SHA256: 039cf530dca66ff431f96f937d88084af001b44ed504ca0458c699a42d89422b
- SHA512: 04efdf17b8a454d27d6ad3147aacf04e8bc27b1f45bc7c789fb4650a13c2ac29b3cd8faded3122752a6e17106735c542523fbbb4ce902237567cbc1cd64aef42
- SSDEEP: 192:DIysA/4ZJDPuuxDQNQ2spwlqZif/R/J9a+GGzDR3dD+l2+D2Dg+:DIysAwZJWNNvVqZkRjNDDxdD+lBD2s+
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)

- Executes dropped EXE (1 IoC)
  Processes:
    pid  | process
    4856 | mpacklk.exe

- Processes (yara_rule matches):
    resource                                                                     | yara_rule
    behavioral2/memory/4892-0-0x0000000000400000-0x000000000040F000-memory.dmp  | upx
    C:\Windows\SysWOW64\mpacklk.exe                                              | upx
    behavioral2/memory/4892-8-0x0000000000400000-0x000000000040F000-memory.dmp  | upx
    behavioral2/memory/4856-10-0x0000000000400000-0x000000000040F000-memory.dmp | upx

- Drops file in System32 directory (3 IoCs)
  Processes:
    description                  | ioc                              | process
    File created                 | C:\Windows\SysWOW64\mpackl.dll   | 75200e77fbdd79b413d51974e55051f1.exe
    File created                 | C:\Windows\SysWOW64\mpacklk.exe  | 75200e77fbdd79b413d51974e55051f1.exe
    File opened for modification | C:\Windows\SysWOW64\mpacklk.exe  | 75200e77fbdd79b413d51974e55051f1.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  | process
    4892 | 75200e77fbdd79b413d51974e55051f1.exe
    4892 | 75200e77fbdd79b413d51974e55051f1.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process                              | target process
    PID 4892 wrote to memory of 4856 | 4892 | 75200e77fbdd79b413d51974e55051f1.exe | mpacklk.exe
    PID 4892 wrote to memory of 4856 | 4892 | 75200e77fbdd79b413d51974e55051f1.exe | mpacklk.exe
    PID 4892 wrote to memory of 4856 | 4892 | 75200e77fbdd79b413d51974e55051f1.exe | mpacklk.exe
    PID 4892 wrote to memory of 2824 | 4892 | 75200e77fbdd79b413d51974e55051f1.exe | cmd.exe
    PID 4892 wrote to memory of 2824 | 4892 | 75200e77fbdd79b413d51974e55051f1.exe | cmd.exe
    PID 4892 wrote to memory of 2824 | 4892 | 75200e77fbdd79b413d51974e55051f1.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe"
  PID: 4892
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\mpacklk.exe
    command line: C:\Windows\system32\mpacklk.exe ˜‰
    PID: 4856
    - Executes dropped EXE

  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\75200e77fbdd79b413d51974e55051f1.exe.bat
    PID: 2824
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 182B
  MD5: 72553dd9a78803fb32a2bee2af797b0d
  SHA1: 598f05111b464b856e4c5e23a6fdacfe456f8d5e
  SHA256: f687d0fdff9030790db398e737b1b94082c69243d039a19c8b6923a892a1ce38
  SHA512: d8c3173aaa051a7393c2b200487dc46d26009056bffd9b5adc3937ddd834738b1f8e24c8ac88bddd37991b2b973e0f6eac2adf45483f4020f8b102d014cec43b

- Filesize: 10KB
  MD5: 75200e77fbdd79b413d51974e55051f1
  SHA1: 7286e784b8e3326a1a632466af3a7155772509c6
  SHA256: 039cf530dca66ff431f96f937d88084af001b44ed504ca0458c699a42d89422b
  SHA512: 04efdf17b8a454d27d6ad3147aacf04e8bc27b1f45bc7c789fb4650a13c2ac29b3cd8faded3122752a6e17106735c542523fbbb4ce902237567cbc1cd64aef42