0865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1

General

Target

7ddd7f9c572b5694c60fbc003614b04e.exe
Size

62KB
MD5

7ddd7f9c572b5694c60fbc003614b04e
SHA1

38eb2f33be1749271665ca0bf89a162154bbe2af
SHA256

0865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1
SHA512

cb12f8a031dbb28d4e1baeb6f9ed8c6b0507ab5b8f2ce4194b7c64f760d338ff37f10c85e1493552e3b000753557c1c9b911056321f8c9a0b3e0f9a37128a11a
SSDEEP

768:EeglKSgf0Kn2hJRDCExKjWHKfIag5Ikoppb4PVzhOnDA3IGlieyDAlG7yWy6yvAT:EegqsDTAj6yrgmy9SDRMGvyCoup

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2660	winkernel32.EXE

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3016-0-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/files/0x002f00000001530e-9.dat	upx
behavioral1/memory/2660-13-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/3016-18-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2660-154-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2660-155-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2660-156-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2660-157-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2660-159-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2660-162-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2660-163-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2660-164-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2660-166-0x0000000000400000-0x0000000000441000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SVCHOST32 = "C:\\Arquivos de programas\\svchost32.EXE"	7ddd7f9c572b5694c60fbc003614b04e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SVCHOST32 = "C:\\Arquivos de programas\\svchost32.EXE"	winkernel32.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\comdlg32.ocx	winkernel32.EXE
File opened for modification	C:\Windows\SysWOW64\comdlg32.ocx	winkernel32.EXE

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\inf\i07.JPG	winkernel32.EXE
File created	C:\Windows\inf\i05.JPG	winkernel32.EXE
File created	C:\Windows\inf\b01.JPG	winkernel32.EXE
File created	C:\Windows\inf\anmanda.inf	winkernel32.EXE
File created	C:\Windows\inf\anenvia.inf	winkernel32.EXE
File created	C:\Windows\inf\i04.JPG	winkernel32.EXE
File created	C:\Windows\inf\b02.JPG	winkernel32.EXE
File opened for modification	C:\Windows\ansmtpbuild.dll	winkernel32.EXE
File opened for modification	C:\Windows\inf\appstart32.inf	7ddd7f9c572b5694c60fbc003614b04e.exe
File created	C:\Windows\inf\azul01.JPG	winkernel32.EXE
File created	C:\Windows\inf\r03.JPG	winkernel32.EXE
File created	C:\Windows\ansmtp.dll	winkernel32.EXE
File created	C:\Windows\ansmtpbuild.dll	winkernel32.EXE
File created	C:\Windows\inf\azul02.JPG	winkernel32.EXE
File created	C:\Windows\inf\i01.JPG	winkernel32.EXE
File created	C:\Windows\inf\i02.JPG	winkernel32.EXE
File opened for modification	C:\Windows\inf\append.inf	7ddd7f9c572b5694c60fbc003614b04e.exe
File created	C:\Windows\inf\r01.JPG	winkernel32.EXE
File created	C:\Windows\inf\i03.JPG	winkernel32.EXE
File created	C:\Windows\inf\i06.JPG	winkernel32.EXE
File created	C:\Windows\inf\comdlg32.inf	winkernel32.EXE
File created	C:\Windows\inf\gereba01.JPG	winkernel32.EXE
File created	C:\Windows\inf\r04.JPG	winkernel32.EXE
File opened for modification	C:\Windows\ansmtp.dll	winkernel32.EXE
File created	C:\Windows\inf\anvaila.inf	winkernel32.EXE
File created	C:\Windows\inf\gereba02.JPG	winkernel32.EXE
File created	C:\Windows\inf\r02.JPG	winkernel32.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2660	winkernel32.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3016	7ddd7f9c572b5694c60fbc003614b04e.exe
2660	winkernel32.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2660	3016	7ddd7f9c572b5694c60fbc003614b04e.exe	28
PID 3016 wrote to memory of 2660	3016	7ddd7f9c572b5694c60fbc003614b04e.exe	28
PID 3016 wrote to memory of 2660	3016	7ddd7f9c572b5694c60fbc003614b04e.exe	28
PID 3016 wrote to memory of 2660	3016	7ddd7f9c572b5694c60fbc003614b04e.exe	28

C:\Users\Admin\AppData\Local\Temp\7ddd7f9c572b5694c60fbc003614b04e.exe
"C:\Users\Admin\AppData\Local\Temp\7ddd7f9c572b5694c60fbc003614b04e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\winkernel32.EXE
  C:\winkernel32.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGM5U0T3\gereba01[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Windows\inf\anvaila.inf

Filesize
94KB

MD5
0d62f4033e60c48877de4e31acbb2439

SHA1
fe7261e7d4f4c7dc7bf3c26bf6b3cb8ea4ed0d06

SHA256
be342be2cae9e26fe06dc42b374fb7b2010007665d48a9c26f4c3fb4061e2941

SHA512
8e88acc74d9176b9e00416d555af3234e79d6d127678a00568fb5951295cb06c166afd82473bc9e4debeabffd9da95fdd1b7fe8fe34e026e3f3b3ff2e8875698

Download Submit
C:\Windows\inf\append.inf

Filesize
28B

MD5
cb7139601551c49db0f23ba7a1cc7ac2

SHA1
4610854239fcb110b344fad2ca678e870052ce7d

SHA256
ad1d8114e04e7522738af1be83daf313ef8cd237d8ccc4d2f6478c8f8795feef

SHA512
95e1f5b8d3d64d86998fb17f6f218268c90e2830bed0e005f0b622af4bf4eac9093dad5b1f627eda58c971cbe02aaa1ea948fdd9a36128526fb5c7f858830ad9

Download Submit
C:\winkernel32.EXE

Filesize
62KB

MD5
7ddd7f9c572b5694c60fbc003614b04e

SHA1
38eb2f33be1749271665ca0bf89a162154bbe2af

SHA256
0865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1

SHA512
cb12f8a031dbb28d4e1baeb6f9ed8c6b0507ab5b8f2ce4194b7c64f760d338ff37f10c85e1493552e3b000753557c1c9b911056321f8c9a0b3e0f9a37128a11a

Download Submit
memory/2660-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2660-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-11-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/3016-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads