7642c3178448d341abfdcf5160d963444cee35703b344d397aaa94a2faa32a0b

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4cfead399dd493bed2fb2840a8f8916.exe
Size

12KB
MD5

c4cfead399dd493bed2fb2840a8f8916
SHA1

870ebc39a27a1b09869d045d06ba414736904933
SHA256

7642c3178448d341abfdcf5160d963444cee35703b344d397aaa94a2faa32a0b
SHA512

b39d059302f7a19c611ceec292a4f525972856521229f35a7f250e1c81df665e32b8c98864dab802b1b45a8801b801cae0046c52ced3c9126d6f07ee1c533ea6
SSDEEP

192:5YvhK3LS6dVAxqQQXGFCxfHpYEzRtcrqTqN2C8/0LDzK+vjJpGWObF3:5YvgvAoXGFAYencQqI7MLD/vjY3

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1884	cmbdafk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3096-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000700000002321e-4.dat	upx
behavioral2/memory/3096-6-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1884-7-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cmbdaf.dll	c4cfead399dd493bed2fb2840a8f8916.exe
File created	C:\Windows\SysWOW64\cmbdafk.exe	c4cfead399dd493bed2fb2840a8f8916.exe
File opened for modification	C:\Windows\SysWOW64\cmbdafk.exe	c4cfead399dd493bed2fb2840a8f8916.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 1884	3096	c4cfead399dd493bed2fb2840a8f8916.exe	87
PID 3096 wrote to memory of 1884	3096	c4cfead399dd493bed2fb2840a8f8916.exe	87
PID 3096 wrote to memory of 1884	3096	c4cfead399dd493bed2fb2840a8f8916.exe	87
PID 3096 wrote to memory of 5116	3096	c4cfead399dd493bed2fb2840a8f8916.exe	101
PID 3096 wrote to memory of 5116	3096	c4cfead399dd493bed2fb2840a8f8916.exe	101
PID 3096 wrote to memory of 5116	3096	c4cfead399dd493bed2fb2840a8f8916.exe	101

C:\Users\Admin\AppData\Local\Temp\c4cfead399dd493bed2fb2840a8f8916.exe
"C:\Users\Admin\AppData\Local\Temp\c4cfead399dd493bed2fb2840a8f8916.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\cmbdafk.exe
  C:\Windows\system32\cmbdafk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\c4cfead399dd493bed2fb2840a8f8916.exe.bat
  2⤵
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c4cfead399dd493bed2fb2840a8f8916.exe.bat

Filesize
182B

MD5
77623f04b04125a0f2a01cb4cbcb08cc

SHA1
9436f034703a7a781c5e25cfa563bc451d88eff4

SHA256
e966bdb5ddaca289bf91a7de01b761e6f5a1e74d29689493de61ea01013c986a

SHA512
e4b604f5bfe88051208dd3214ca70b2ff31fb6f23f6ea6b96ecdb23c175bd8cfaf6d7b7622e80666d99b9ec2594043aae14f80ecda1b92e7b97e9c345be26c0b

Download Submit
C:\Windows\SysWOW64\cmbdafk.exe

Filesize
12KB

MD5
c4cfead399dd493bed2fb2840a8f8916

SHA1
870ebc39a27a1b09869d045d06ba414736904933

SHA256
7642c3178448d341abfdcf5160d963444cee35703b344d397aaa94a2faa32a0b

SHA512
b39d059302f7a19c611ceec292a4f525972856521229f35a7f250e1c81df665e32b8c98864dab802b1b45a8801b801cae0046c52ced3c9126d6f07ee1c533ea6

Download Submit
memory/1884-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3096-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3096-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download