32c2b7bbc4c7aa1e4c3c4512512bc5e0995c27884f1e484f57a9a9299c8d6dc9

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3c49ba1f06fca8a8b0b43c09f02711d.exe
Size

9KB
MD5

c3c49ba1f06fca8a8b0b43c09f02711d
SHA1

9edc8837f7d70828f39744408f9f3158853b0333
SHA256

32c2b7bbc4c7aa1e4c3c4512512bc5e0995c27884f1e484f57a9a9299c8d6dc9
SHA512

2667ff0c67ae09193cad370aa7134e417b150d9347e9a4895fa1151be00d7518a7cae67d616333fe6716c809bdb43b9a17f3de747be5dd46dabc974ecce9694a
SSDEEP

96:r2Q9dAIgfheyX7NY27MqHn2WfnamnQ4LIB/sWn/KPJAmwhhlkqRnKsmMf9ka:JXAFJdq2/faNns0/KPSr+qknCJ

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	c3c49ba1f06fca8a8b0b43c09f02711d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\this = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c3c49ba1f06fca8a8b0b43c09f02711d.exe"	c3c49ba1f06fca8a8b0b43c09f02711d.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3016	2156	c3c49ba1f06fca8a8b0b43c09f02711d.exe	28
PID 2156 wrote to memory of 3016	2156	c3c49ba1f06fca8a8b0b43c09f02711d.exe	28
PID 2156 wrote to memory of 3016	2156	c3c49ba1f06fca8a8b0b43c09f02711d.exe	28
PID 2156 wrote to memory of 3016	2156	c3c49ba1f06fca8a8b0b43c09f02711d.exe	28

C:\Users\Admin\AppData\Local\Temp\c3c49ba1f06fca8a8b0b43c09f02711d.exe
"C:\Users\Admin\AppData\Local\Temp\c3c49ba1f06fca8a8b0b43c09f02711d.exe"
1⤵
- Adds policy Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2156-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads