888f6b15d41d90eb5292c1f27a2d0585094f37ede833c22dc7862418aad9d8a6

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 03:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c25dd1c315283e1f0bb8371892fab146.exe
Size

129KB
MD5

c25dd1c315283e1f0bb8371892fab146
SHA1

04960001c36d44190528f14ad4c276c917fc2621
SHA256

888f6b15d41d90eb5292c1f27a2d0585094f37ede833c22dc7862418aad9d8a6
SHA512

98ca020c2426a86d0cfb1cd2db4826198d2958067c786a210dc0495fb482b6dd6ac9b3312c203180394bbfc47b8bf95e04d59ff351da547343c28f56010feed4
SSDEEP

3072:Sh1656y6YRk8THq6kJWdLAnrwNdvyJJxZAlzTvNjfoutJ:n5NJTaPqKDApvNjfoS

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\tbg85rre.sys	c25dd1c315283e1f0bb8371892fab146.exe
File created	C:\Windows\SysWOW64\drivers\oqunpi29.sys	c25dd1c315283e1f0bb8371892fab146.exe
File opened for modification	C:\Windows\SysWOW64\drivers\oqunpi29.sys	c25dd1c315283e1f0bb8371892fab146.exe
File created	C:\Windows\SysWOW64\drivers\tbg85rre.sys	c25dd1c315283e1f0bb8371892fab146.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\tbg85rre\ImagePath = "system32\\drivers\\tbg85rre.sys"	c25dd1c315283e1f0bb8371892fab146.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\oqunpi29\ImagePath = "system32\\drivers\\oqunpi29.sys"	c25dd1c315283e1f0bb8371892fab146.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2876-0-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2876-4-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2876-10-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xz9bgtw2.dll	c25dd1c315283e1f0bb8371892fab146.exe
File opened for modification	C:\Windows\SysWOW64\xz9bgtw2.dll	c25dd1c315283e1f0bb8371892fab146.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

C:\Users\Admin\AppData\Local\Temp\c25dd1c315283e1f0bb8371892fab146.exe
"C:\Users\Admin\AppData\Local\Temp\c25dd1c315283e1f0bb8371892fab146.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Drops file in System32 directory
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2876-4-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2876-10-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads