3dc207fa955192fe04782e4315634175c599cbd8f2b914b78017d30fba2e3655

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 19:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bca26733c137570a82cbaeb6a2fda4f1.exe
Size

12KB
MD5

bca26733c137570a82cbaeb6a2fda4f1
SHA1

dc4b3958af74c6232a0a2c0b8be94d772da378b3
SHA256

3dc207fa955192fe04782e4315634175c599cbd8f2b914b78017d30fba2e3655
SHA512

bedb3972c112ff4246f472f71df5a0a3eabac84f1e7d4d0ed7e70ab57259a284ba600aeb8af95b7db5cee5b7ebe54c43bc298737d006bcde6d96526042e9ae9d
SSDEEP

192:OLrypimCJQqqPIaxIbGuWT4/mNdZcP2JI0ndmqhhzk7TM1N+ByscxtknRDicJO7e:OisKqXbITG0HcP2xZN1gExxtOdn

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1300	keyiftpk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1916-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x00090000000224f7-4.dat	upx
behavioral2/memory/1916-6-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1300-7-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\keyiftp.dll	bca26733c137570a82cbaeb6a2fda4f1.exe
File created	C:\Windows\SysWOW64\keyiftpk.exe	bca26733c137570a82cbaeb6a2fda4f1.exe
File opened for modification	C:\Windows\SysWOW64\keyiftpk.exe	bca26733c137570a82cbaeb6a2fda4f1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1300	1916	bca26733c137570a82cbaeb6a2fda4f1.exe	88
PID 1916 wrote to memory of 1300	1916	bca26733c137570a82cbaeb6a2fda4f1.exe	88
PID 1916 wrote to memory of 1300	1916	bca26733c137570a82cbaeb6a2fda4f1.exe	88
PID 1916 wrote to memory of 1632	1916	bca26733c137570a82cbaeb6a2fda4f1.exe	100
PID 1916 wrote to memory of 1632	1916	bca26733c137570a82cbaeb6a2fda4f1.exe	100
PID 1916 wrote to memory of 1632	1916	bca26733c137570a82cbaeb6a2fda4f1.exe	100

C:\Users\Admin\AppData\Local\Temp\bca26733c137570a82cbaeb6a2fda4f1.exe
"C:\Users\Admin\AppData\Local\Temp\bca26733c137570a82cbaeb6a2fda4f1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\keyiftpk.exe
  C:\Windows\system32\keyiftpk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bca26733c137570a82cbaeb6a2fda4f1.exe.bat
  2⤵
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bca26733c137570a82cbaeb6a2fda4f1.exe.bat

Filesize
182B

MD5
94f3bdafec8081da5db1322903dfb2e2

SHA1
16127a02bf93460a81bc70e6e807720c34fe88d8

SHA256
eb2e4f22b442c61cfad0cfaede1e5efae85e43855b20b3289eca3de5f682b6db

SHA512
b605850d7ff7c0d29868ec6a48140a51da2809e9bb49c7fcdd131732f5f6974cb479b3d5df08b41e8171c142897825c43cc2090d3e9ad3ad3be8dd4ab80de7d9

Download Submit
C:\Windows\SysWOW64\keyiftpk.exe

Filesize
12KB

MD5
bca26733c137570a82cbaeb6a2fda4f1

SHA1
dc4b3958af74c6232a0a2c0b8be94d772da378b3

SHA256
3dc207fa955192fe04782e4315634175c599cbd8f2b914b78017d30fba2e3655

SHA512
bedb3972c112ff4246f472f71df5a0a3eabac84f1e7d4d0ed7e70ab57259a284ba600aeb8af95b7db5cee5b7ebe54c43bc298737d006bcde6d96526042e9ae9d

Download Submit
memory/1300-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1916-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1916-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download