05b15c37cf427a6702d96c5ce74e72d3ae08f3b410f9d08405152656e2399e9b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 19:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a06f857dc7cfbeeab085e3a2cd8e5392.exe
Size

19KB
MD5

a06f857dc7cfbeeab085e3a2cd8e5392
SHA1

7c5b3b83ac1a27bad3ea4ffb24327b5e9051ef57
SHA256

05b15c37cf427a6702d96c5ce74e72d3ae08f3b410f9d08405152656e2399e9b
SHA512

dda0352dfff5746e55d2cac2712f41c6c7928ef8dbcf36b232e48c377daf1c896e6746b03b0a3289175f3b192198e42983fd53f883d0237d7e3f60f029aee059
SSDEEP

384:bZit53wqevHHxylp6WrtvmG57B/Sa/O5qmSpsllT:bI3wrxapFpmWB/j8smll

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\some = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a06f857dc7cfbeeab085e3a2cd8e5392.exe"	a06f857dc7cfbeeab085e3a2cd8e5392.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	a06f857dc7cfbeeab085e3a2cd8e5392.exe

Executes dropped EXE 1 IoCs

pid	Process
2632	scm.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1580-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x00070000000231dc-3.dat	upx
behavioral2/memory/2632-5-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1580-6-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2632-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
2632	scm.exe
2632	scm.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe
1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2632	1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe	83
PID 1580 wrote to memory of 2632	1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe	83
PID 1580 wrote to memory of 2632	1580	a06f857dc7cfbeeab085e3a2cd8e5392.exe	83

C:\Users\Admin\AppData\Local\Temp\a06f857dc7cfbeeab085e3a2cd8e5392.exe
"C:\Users\Admin\AppData\Local\Temp\a06f857dc7cfbeeab085e3a2cd8e5392.exe"
1⤵
- Adds policy Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\scm.exe
  C:\Users\Admin\AppData\Local\Temp\scm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scm.exe

Filesize
7KB

MD5
e73d5c1e3bfa5fec0485e7b35b8aa709

SHA1
8c1b51b6cd28a669dcbca2d451a0bf61a2fd6db3

SHA256
663a1a8bd7ab22867f2e139706dc83b58af5fa5ae2eca25a942e0a23d26d84dd

SHA512
417e238f03afb8de590d603fad6cdcf99bcb02447f33c496501d8945f044587261191ea5f1dad392971457c1979f0f27f746b53037a598dfa53320881760e416

Download Submit
memory/1580-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1580-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2632-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2632-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download