b5187cd9ef96bf19dac918511ea7f5bc5ba83bbc84693444b9759d74d336799f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 20:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6c540c1ef24bcfbccdac1af1379843f.exe
Size

13KB
MD5

c6c540c1ef24bcfbccdac1af1379843f
SHA1

cd1793285f261a2b77bbfb938075e2e4b65398ce
SHA256

b5187cd9ef96bf19dac918511ea7f5bc5ba83bbc84693444b9759d74d336799f
SHA512

549cac4ba673760def395eae7aefd8f2e425119f4c3e153bdbb5e28c6f6a5a1ca3770094e989d91fa7ccdf0c3845d70f15018aa85135ca5410b54639b06ce569
SSDEEP

192:KlJ9vIEDvRyr7+U9p4EnxLnQ8IQPCEMhaTg/3bxPfspinUoUBVI0le6D8ioZ3X:KlJ9PvQBO8Lc2ClhuM3N3sknUPC0gA8

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1740	wonlinsk.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	c6c540c1ef24bcfbccdac1af1379843f.exe
2312	c6c540c1ef24bcfbccdac1af1379843f.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2312-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2312-4-0x0000000000230000-0x0000000000240000-memory.dmp	upx
behavioral1/files/0x000d0000000122d1-3.dat	upx
behavioral1/memory/1740-12-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2312-13-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wonlins.dll	c6c540c1ef24bcfbccdac1af1379843f.exe
File created	C:\Windows\SysWOW64\wonlinsk.exe	c6c540c1ef24bcfbccdac1af1379843f.exe
File opened for modification	C:\Windows\SysWOW64\wonlinsk.exe	c6c540c1ef24bcfbccdac1af1379843f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1740	2312	c6c540c1ef24bcfbccdac1af1379843f.exe	28
PID 2312 wrote to memory of 1740	2312	c6c540c1ef24bcfbccdac1af1379843f.exe	28
PID 2312 wrote to memory of 1740	2312	c6c540c1ef24bcfbccdac1af1379843f.exe	28
PID 2312 wrote to memory of 1740	2312	c6c540c1ef24bcfbccdac1af1379843f.exe	28
PID 2312 wrote to memory of 2624	2312	c6c540c1ef24bcfbccdac1af1379843f.exe	31
PID 2312 wrote to memory of 2624	2312	c6c540c1ef24bcfbccdac1af1379843f.exe	31
PID 2312 wrote to memory of 2624	2312	c6c540c1ef24bcfbccdac1af1379843f.exe	31
PID 2312 wrote to memory of 2624	2312	c6c540c1ef24bcfbccdac1af1379843f.exe	31

C:\Users\Admin\AppData\Local\Temp\c6c540c1ef24bcfbccdac1af1379843f.exe
"C:\Users\Admin\AppData\Local\Temp\c6c540c1ef24bcfbccdac1af1379843f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\wonlinsk.exe
  C:\Windows\system32\wonlinsk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\c6c540c1ef24bcfbccdac1af1379843f.exe.bat
  2⤵
  - Deletes itself
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c6c540c1ef24bcfbccdac1af1379843f.exe.bat

Filesize
182B

MD5
297c5efb043971c382bc41cd076574a9

SHA1
5abb11c0d0bbc42866ac726c18b7c231ac64456d

SHA256
7bb42ce82dc65dcad1859c7993a3d79d2551ee3c25b124fec920f1be088f0ba4

SHA512
5ef35baef5d6574cb60f3d1fc05db407135f5c0aa247d807495832411722c22e5a9f024965107e4a8bdfbddea76953d22265beeeba766703981d8e70063e9b60

Download Submit
\Windows\SysWOW64\wonlinsk.exe

Filesize
13KB

MD5
c6c540c1ef24bcfbccdac1af1379843f

SHA1
cd1793285f261a2b77bbfb938075e2e4b65398ce

SHA256
b5187cd9ef96bf19dac918511ea7f5bc5ba83bbc84693444b9759d74d336799f

SHA512
549cac4ba673760def395eae7aefd8f2e425119f4c3e153bdbb5e28c6f6a5a1ca3770094e989d91fa7ccdf0c3845d70f15018aa85135ca5410b54639b06ce569

Download Submit
memory/1740-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2312-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2312-4-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2312-10-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2312-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download