c44384464c5823ac5c34b5d5c5465ac24e6f4c8d4e41239910c3e03a2154fbbb

Analysis

max time kernel
154s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 06:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8babb6a95414bdad9af629975bc620bb.exe
Size

10KB
MD5

8babb6a95414bdad9af629975bc620bb
SHA1

326e2bcdc7d7085db90a6534c90dd441c8a9c992
SHA256

c44384464c5823ac5c34b5d5c5465ac24e6f4c8d4e41239910c3e03a2154fbbb
SHA512

4710dcf6eb60d6dac55a69f596a063e89df88dcfa9a96cf514502898d6d85b3fb0d7c6fd4154e676e19287bc3a40d7012d5a86c9261b388ec6fa49ed38873f7e
SSDEEP

192:w5xYI3Z07C9Y4Mgkd92/O7lXsZnH1KYzWTpfuL+Lb4fwGlAdRpXbxXMb+:6xLJ07bHo/GknH1KYaAL+L2lIW+

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
3420	mduaeyk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3036-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000600000002310c-3.dat	upx
behavioral2/memory/3036-8-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3420-10-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mduaey.dll	8babb6a95414bdad9af629975bc620bb.exe
File created	C:\Windows\SysWOW64\mduaeyk.exe	8babb6a95414bdad9af629975bc620bb.exe
File opened for modification	C:\Windows\SysWOW64\mduaeyk.exe	8babb6a95414bdad9af629975bc620bb.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3420	3036	8babb6a95414bdad9af629975bc620bb.exe	84
PID 3036 wrote to memory of 3420	3036	8babb6a95414bdad9af629975bc620bb.exe	84
PID 3036 wrote to memory of 3420	3036	8babb6a95414bdad9af629975bc620bb.exe	84
PID 3036 wrote to memory of 2792	3036	8babb6a95414bdad9af629975bc620bb.exe	85
PID 3036 wrote to memory of 2792	3036	8babb6a95414bdad9af629975bc620bb.exe	85
PID 3036 wrote to memory of 2792	3036	8babb6a95414bdad9af629975bc620bb.exe	85

C:\Users\Admin\AppData\Local\Temp\8babb6a95414bdad9af629975bc620bb.exe
"C:\Users\Admin\AppData\Local\Temp\8babb6a95414bdad9af629975bc620bb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\mduaeyk.exe
  C:\Windows\system32\mduaeyk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8babb6a95414bdad9af629975bc620bb.exe.bat
  2⤵
  PID:2792

Network

DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

114.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

114.110.16.96.in-addr.arpa

IN PTR

Response

114.110.16.96.in-addr.arpa

IN PTR

a96-16-110-114deploystaticakamaitechnologiescom
DNS

178.223.142.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

178.223.142.52.in-addr.arpa

IN PTR

Response
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

18.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.173.189.20.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

114.110.16.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

114.110.16.96.in-addr.arpa
8.8.8.8:53

178.223.142.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

178.223.142.52.in-addr.arpa
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

18.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

18.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8babb6a95414bdad9af629975bc620bb.exe.bat

Filesize
182B

MD5
99ae6980b6fa509ebd3ad3fcf82bb20c

SHA1
9c614d28aa22ec8d2e4c7f687b12dd5540a0857d

SHA256
20d46077628b370284d85bd73db0a9af2e33806dac3a4beaa16ee69bd08f03d9

SHA512
c7d79cf0c761d788ceff37f3e2bbda2cd3f4bf5b023a54d1fb43f0929ff9997d30c92e6dbbfa48b369d145ff9f112c0b1a22b74e761d1912ee167cba6a5d6233

Download Submit
C:\Windows\SysWOW64\mduaeyk.exe

Filesize
10KB

MD5
8babb6a95414bdad9af629975bc620bb

SHA1
326e2bcdc7d7085db90a6534c90dd441c8a9c992

SHA256
c44384464c5823ac5c34b5d5c5465ac24e6f4c8d4e41239910c3e03a2154fbbb

SHA512
4710dcf6eb60d6dac55a69f596a063e89df88dcfa9a96cf514502898d6d85b3fb0d7c6fd4154e676e19287bc3a40d7012d5a86c9261b388ec6fa49ed38873f7e

Download Submit
memory/3036-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3036-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3420-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.