2ee232ef51dce915cc0ac5e3911d990f6a72059dfb8c9fce7ae16625ac848da3

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7375a5fc0b3d9a5dacde7beccecfba6.exe
Size

490KB
MD5

c7375a5fc0b3d9a5dacde7beccecfba6
SHA1

bf7ea12010c9d3a6d8c09cd213810c99da812006
SHA256

2ee232ef51dce915cc0ac5e3911d990f6a72059dfb8c9fce7ae16625ac848da3
SHA512

637da4794a1b0cde9d558e37f1ff9dbdca427cd6f922c147444fa6c3b421a808e36f8a4eb24c7d438835d75e669ba8fed021b4c846f16d43ead7f1d2f0057f0c
SSDEEP

6144:6xGIi+Q5RBvHyBnk3o83xbNlMEnFqbFuk+4xoFltJ:PdmnkRlMkFqpukhav

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	Dpavaa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/860-0-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/memory/860-2-0x0000000000400000-0x000000000047C000-memory.dmp	upx
behavioral1/files/0x0038000000013acb-11.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\18RH6WMFH2 = "C:\\Windows\\Dpavaa.exe"	Dpavaa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	c7375a5fc0b3d9a5dacde7beccecfba6.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	c7375a5fc0b3d9a5dacde7beccecfba6.exe
File created	C:\Windows\Dpavaa.exe	c7375a5fc0b3d9a5dacde7beccecfba6.exe
File opened for modification	C:\Windows\Dpavaa.exe	c7375a5fc0b3d9a5dacde7beccecfba6.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	Dpavaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe
3008	Dpavaa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
860	c7375a5fc0b3d9a5dacde7beccecfba6.exe
3008	Dpavaa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 3008	860	c7375a5fc0b3d9a5dacde7beccecfba6.exe	28
PID 860 wrote to memory of 3008	860	c7375a5fc0b3d9a5dacde7beccecfba6.exe	28
PID 860 wrote to memory of 3008	860	c7375a5fc0b3d9a5dacde7beccecfba6.exe	28
PID 860 wrote to memory of 3008	860	c7375a5fc0b3d9a5dacde7beccecfba6.exe	28

C:\Users\Admin\AppData\Local\Temp\c7375a5fc0b3d9a5dacde7beccecfba6.exe
"C:\Users\Admin\AppData\Local\Temp\c7375a5fc0b3d9a5dacde7beccecfba6.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\Dpavaa.exe
  C:\Windows\Dpavaa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Dpavaa.exe

Filesize
490KB

MD5
c7375a5fc0b3d9a5dacde7beccecfba6

SHA1
bf7ea12010c9d3a6d8c09cd213810c99da812006

SHA256
2ee232ef51dce915cc0ac5e3911d990f6a72059dfb8c9fce7ae16625ac848da3

SHA512
637da4794a1b0cde9d558e37f1ff9dbdca427cd6f922c147444fa6c3b421a808e36f8a4eb24c7d438835d75e669ba8fed021b4c846f16d43ead7f1d2f0057f0c

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
344B

MD5
08f2cbdcb0817c1edaa561ffe68eb244

SHA1
c085cba29de3bb5b493b404bb4c72b14dabeb585

SHA256
272bbeab4a3f7d20ebee6969a3354f253e3fdf49e0bcf4f97f89dfb007343195

SHA512
664feb325b0246159b5d75dcf2a7c9fbcdad64c9ec4c29bdd23b8bb53b0ec1c9cc3face1e9aa0ca7e9427edccf9f594508c2a755b32628ca46d32dac61c5556d

Download Submit
memory/860-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/860-2-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/860-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/860-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/860-12-0x0000000000380000-0x00000000003FC000-memory.dmp

Filesize
496KB

Download
memory/860-47224-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/860-47228-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-15-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3008-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-47226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download