c44384464c5823ac5c34b5d5c5465ac24e6f4c8d4e41239910c3e03a2154fbbb

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 06:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8babb6a95414bdad9af629975bc620bb.exe
Size

10KB
MD5

8babb6a95414bdad9af629975bc620bb
SHA1

326e2bcdc7d7085db90a6534c90dd441c8a9c992
SHA256

c44384464c5823ac5c34b5d5c5465ac24e6f4c8d4e41239910c3e03a2154fbbb
SHA512

4710dcf6eb60d6dac55a69f596a063e89df88dcfa9a96cf514502898d6d85b3fb0d7c6fd4154e676e19287bc3a40d7012d5a86c9261b388ec6fa49ed38873f7e
SSDEEP

192:w5xYI3Z07C9Y4Mgkd92/O7lXsZnH1KYzWTpfuL+Lb4fwGlAdRpXbxXMb+:6xLJ07bHo/GknH1KYaAL+L2lIW+

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2800	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	mduaeyk.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	8babb6a95414bdad9af629975bc620bb.exe
2504	8babb6a95414bdad9af629975bc620bb.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2504-4-0x0000000000030000-0x000000000003F000-memory.dmp	upx
behavioral1/files/0x000c0000000122d5-3.dat	upx
behavioral1/memory/2256-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2504-20-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mduaey.dll	8babb6a95414bdad9af629975bc620bb.exe
File created	C:\Windows\SysWOW64\mduaeyk.exe	8babb6a95414bdad9af629975bc620bb.exe
File opened for modification	C:\Windows\SysWOW64\mduaeyk.exe	8babb6a95414bdad9af629975bc620bb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2256	2504	8babb6a95414bdad9af629975bc620bb.exe	28
PID 2504 wrote to memory of 2256	2504	8babb6a95414bdad9af629975bc620bb.exe	28
PID 2504 wrote to memory of 2256	2504	8babb6a95414bdad9af629975bc620bb.exe	28
PID 2504 wrote to memory of 2256	2504	8babb6a95414bdad9af629975bc620bb.exe	28
PID 2504 wrote to memory of 2800	2504	8babb6a95414bdad9af629975bc620bb.exe	29
PID 2504 wrote to memory of 2800	2504	8babb6a95414bdad9af629975bc620bb.exe	29
PID 2504 wrote to memory of 2800	2504	8babb6a95414bdad9af629975bc620bb.exe	29
PID 2504 wrote to memory of 2800	2504	8babb6a95414bdad9af629975bc620bb.exe	29

C:\Users\Admin\AppData\Local\Temp\8babb6a95414bdad9af629975bc620bb.exe
"C:\Users\Admin\AppData\Local\Temp\8babb6a95414bdad9af629975bc620bb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\mduaeyk.exe
  C:\Windows\system32\mduaeyk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\8babb6a95414bdad9af629975bc620bb.exe.bat
  2⤵
  - Deletes itself
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8babb6a95414bdad9af629975bc620bb.exe.bat

Filesize
182B

MD5
99ae6980b6fa509ebd3ad3fcf82bb20c

SHA1
9c614d28aa22ec8d2e4c7f687b12dd5540a0857d

SHA256
20d46077628b370284d85bd73db0a9af2e33806dac3a4beaa16ee69bd08f03d9

SHA512
c7d79cf0c761d788ceff37f3e2bbda2cd3f4bf5b023a54d1fb43f0929ff9997d30c92e6dbbfa48b369d145ff9f112c0b1a22b74e761d1912ee167cba6a5d6233

Download Submit
\Windows\SysWOW64\mduaeyk.exe

Filesize
10KB

MD5
8babb6a95414bdad9af629975bc620bb

SHA1
326e2bcdc7d7085db90a6534c90dd441c8a9c992

SHA256
c44384464c5823ac5c34b5d5c5465ac24e6f4c8d4e41239910c3e03a2154fbbb

SHA512
4710dcf6eb60d6dac55a69f596a063e89df88dcfa9a96cf514502898d6d85b3fb0d7c6fd4154e676e19287bc3a40d7012d5a86c9261b388ec6fa49ed38873f7e

Download Submit
memory/2256-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2504-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2504-4-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2504-11-0x0000000000030000-0x000000000003F000-memory.dmp

Filesize
60KB

Download
memory/2504-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download