0865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1

General

Target

7ddd7f9c572b5694c60fbc003614b04e.exe
Size

62KB
MD5

7ddd7f9c572b5694c60fbc003614b04e
SHA1

38eb2f33be1749271665ca0bf89a162154bbe2af
SHA256

0865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1
SHA512

cb12f8a031dbb28d4e1baeb6f9ed8c6b0507ab5b8f2ce4194b7c64f760d338ff37f10c85e1493552e3b000753557c1c9b911056321f8c9a0b3e0f9a37128a11a
SSDEEP

768:EeglKSgf0Kn2hJRDCExKjWHKfIag5Ikoppb4PVzhOnDA3IGlieyDAlG7yWy6yvAT:EegqsDTAj6yrgmy9SDRMGvyCoup

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4280	winkernel32.EXE

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4364-0-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/files/0x000600000002320b-8.dat	upx
behavioral2/memory/4364-13-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4280-75-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4280-141-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4280-142-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4280-143-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4280-144-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4280-145-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4280-146-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral2/memory/4280-147-0x0000000000400000-0x0000000000441000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST32 = "C:\\Arquivos de programas\\svchost32.EXE"	7ddd7f9c572b5694c60fbc003614b04e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVCHOST32 = "C:\\Arquivos de programas\\svchost32.EXE"	winkernel32.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\comdlg32.ocx	winkernel32.EXE
File opened for modification	C:\Windows\SysWOW64\comdlg32.ocx	winkernel32.EXE

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\inf\comdlg32.inf	winkernel32.EXE
File opened for modification	C:\Windows\inf\append.inf	7ddd7f9c572b5694c60fbc003614b04e.exe
File created	C:\Windows\inf\anvaila.inf	winkernel32.EXE
File created	C:\Windows\inf\gereba01.JPG	winkernel32.EXE
File created	C:\Windows\inf\r01.JPG	winkernel32.EXE
File created	C:\Windows\inf\r02.JPG	winkernel32.EXE
File opened for modification	C:\Windows\ansmtpbuild.dll	winkernel32.EXE
File created	C:\Windows\inf\anenvia.inf	winkernel32.EXE
File created	C:\Windows\inf\r03.JPG	winkernel32.EXE
File created	C:\Windows\inf\i04.JPG	winkernel32.EXE
File created	C:\Windows\inf\b01.JPG	winkernel32.EXE
File created	C:\Windows\inf\i01.JPG	winkernel32.EXE
File opened for modification	C:\Windows\inf\appstart32.inf	7ddd7f9c572b5694c60fbc003614b04e.exe
File created	C:\Windows\inf\azul02.JPG	winkernel32.EXE
File created	C:\Windows\inf\r04.JPG	winkernel32.EXE
File created	C:\Windows\inf\i05.JPG	winkernel32.EXE
File created	C:\Windows\inf\i06.JPG	winkernel32.EXE
File opened for modification	C:\Windows\ansmtp.dll	winkernel32.EXE
File created	C:\Windows\ansmtpbuild.dll	winkernel32.EXE
File created	C:\Windows\inf\anmanda.inf	winkernel32.EXE
File created	C:\Windows\inf\gereba02.JPG	winkernel32.EXE
File created	C:\Windows\inf\azul01.JPG	winkernel32.EXE
File created	C:\Windows\inf\i03.JPG	winkernel32.EXE
File created	C:\Windows\inf\b02.JPG	winkernel32.EXE
File created	C:\Windows\ansmtp.dll	winkernel32.EXE
File created	C:\Windows\inf\i02.JPG	winkernel32.EXE
File created	C:\Windows\inf\i07.JPG	winkernel32.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4280	winkernel32.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4364	7ddd7f9c572b5694c60fbc003614b04e.exe
4280	winkernel32.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4280	4364	7ddd7f9c572b5694c60fbc003614b04e.exe	84
PID 4364 wrote to memory of 4280	4364	7ddd7f9c572b5694c60fbc003614b04e.exe	84
PID 4364 wrote to memory of 4280	4364	7ddd7f9c572b5694c60fbc003614b04e.exe	84

C:\Users\Admin\AppData\Local\Temp\7ddd7f9c572b5694c60fbc003614b04e.exe
"C:\Users\Admin\AppData\Local\Temp\7ddd7f9c572b5694c60fbc003614b04e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364
- C:\winkernel32.EXE
  C:\winkernel32.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\43O0UZKG\gereba01[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Windows\INF\anvaila.inf

Filesize
94KB

MD5
740d65e38a2f2399adf61dd16740424c

SHA1
26a04a0fb338693d433d1ec8c37f7e3d7b46d7a3

SHA256
a53629e3667bab8af5ed743c76653d1495c3ddc1bd2bd5311ac5ab4945ab3c9d

SHA512
c1cd9f29b110af36d3e720134f779798e89d618630b2bab92df834dc8dab91330cebd45d3eec5d453354452d0e7bbe1c91b8a58759cd43d071dc1147ffff85db

Download Submit
C:\Windows\inf\append.inf

Filesize
28B

MD5
7452db5e8f1ec3336bddad6538821e1b

SHA1
f09f835b7a9a2d017860e37649bf4eeba678481c

SHA256
3015ffef210daa73fcc635059b11e6911ff6b32e4ca759d57245d74704d7fb88

SHA512
8e0d80ad239868ca83d4ca515ea4bc05e98853604015e01b673b56b9007d03b245066353ec103d34d1cf4e4fa647d76a0736b303581abddf6eb623682fa37d1d

Download Submit
C:\winkernel32.EXE

Filesize
62KB

MD5
7ddd7f9c572b5694c60fbc003614b04e

SHA1
38eb2f33be1749271665ca0bf89a162154bbe2af

SHA256
0865ae8433a92a15c4f298f4594a11a7472d6e594b4ded24f69c5861d99f6ba1

SHA512
cb12f8a031dbb28d4e1baeb6f9ed8c6b0507ab5b8f2ce4194b7c64f760d338ff37f10c85e1493552e3b000753557c1c9b911056321f8c9a0b3e0f9a37128a11a

Download Submit
memory/4280-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-75-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4364-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4364-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads