a3aa9a8412b7686afa9e93a3c9da8a1ff0d8019e3714e4ff925d329be3f7e889

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c37dd60619cc1c5b4209f2385e47ea40.exe
Size

12KB
MD5

c37dd60619cc1c5b4209f2385e47ea40
SHA1

439d3245001e52be2c6b2bea83f8b0a80d0e009f
SHA256

a3aa9a8412b7686afa9e93a3c9da8a1ff0d8019e3714e4ff925d329be3f7e889
SHA512

614cc55fc625eeb13e1567f98842a22ee46f0fec17c2c8a252012a27402f8556fc764b40c5c050791cd42a2e88b4fc210b1c7252f72752779aeadd50e0067ddb
SSDEEP

192:9d1zm8XjjwKnCQBaDYBjfrXyYKIHz2pSZu9PzjC8YIqjhy4Q36ca:1zm8vwKPIWfrXj5z2YgxCP3DQI

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1964	micsusk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1880-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0008000000023211-4.dat	upx
behavioral2/memory/1880-6-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1964-7-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\micsus.dll	c37dd60619cc1c5b4209f2385e47ea40.exe
File created	C:\Windows\SysWOW64\micsusk.exe	c37dd60619cc1c5b4209f2385e47ea40.exe
File opened for modification	C:\Windows\SysWOW64\micsusk.exe	c37dd60619cc1c5b4209f2385e47ea40.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1964	1880	c37dd60619cc1c5b4209f2385e47ea40.exe	87
PID 1880 wrote to memory of 1964	1880	c37dd60619cc1c5b4209f2385e47ea40.exe	87
PID 1880 wrote to memory of 1964	1880	c37dd60619cc1c5b4209f2385e47ea40.exe	87
PID 1880 wrote to memory of 536	1880	c37dd60619cc1c5b4209f2385e47ea40.exe	99
PID 1880 wrote to memory of 536	1880	c37dd60619cc1c5b4209f2385e47ea40.exe	99
PID 1880 wrote to memory of 536	1880	c37dd60619cc1c5b4209f2385e47ea40.exe	99

C:\Users\Admin\AppData\Local\Temp\c37dd60619cc1c5b4209f2385e47ea40.exe
"C:\Users\Admin\AppData\Local\Temp\c37dd60619cc1c5b4209f2385e47ea40.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\micsusk.exe
  C:\Windows\system32\micsusk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\c37dd60619cc1c5b4209f2385e47ea40.exe.bat
  2⤵
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c37dd60619cc1c5b4209f2385e47ea40.exe.bat

Filesize
182B

MD5
769d09ac3a2fef14c033b1e3674c751c

SHA1
1b2e2f6b953bfe40d0a14a559a1b0ebbbe456dff

SHA256
6845f64c313935eec9b06f7cf274e976095b01f7187f29e57754d21833f989a6

SHA512
49fa3e7e7ee858366cfa48b95eb1122a1b67177d3912f27ed5f6159f4cc5d4fb83764495fa6c459ecb884a29b735a895e5875b56bd49f6193152925d60903391

Download Submit
C:\Windows\SysWOW64\micsusk.exe

Filesize
12KB

MD5
c37dd60619cc1c5b4209f2385e47ea40

SHA1
439d3245001e52be2c6b2bea83f8b0a80d0e009f

SHA256
a3aa9a8412b7686afa9e93a3c9da8a1ff0d8019e3714e4ff925d329be3f7e889

SHA512
614cc55fc625eeb13e1567f98842a22ee46f0fec17c2c8a252012a27402f8556fc764b40c5c050791cd42a2e88b4fc210b1c7252f72752779aeadd50e0067ddb

Download Submit
memory/1880-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1880-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1964-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download