3526c74a22a6a7ff285bddc4a055d22e443bd2d9ceb47aa7bc20240256084787

Analysis

max time kernel
1799s
max time network
1560s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe
Size

55KB
MD5

7d4ef2a82587ae1bddeb41529560f6f0
SHA1

9c97a609d0ed9cbc5a3e7c40fb9dce196c63c82a
SHA256

e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3
SHA512

1b333e8704b0afbcd2282ab1d6b9c5bc75e5be0f133a57b01da57bbb1dbfb3429eaa7f6eacdc048646476bf44799add0358c5cc82e2fd60006b4b0682a746491
SSDEEP

1536:NVok6yvYSerI7XB0EiV5vpl1N5lJeltvW:roklxkI7XB0EAf1PeltvW

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2488	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	Skype.exe

Loads dropped DLL 1 IoCs

pid	Process
2204	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral29/memory/2204-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral29/files/0x000b000000015cbd-13.dat	upx
behavioral29/memory/2204-15-0x00000000007F0000-0x0000000000808000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SkypeM = "C:\\Users\\Admin\\AppData\\Local\\Skype\\Skype.exe"	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2488	2204	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe	28
PID 2204 wrote to memory of 2488	2204	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe	28
PID 2204 wrote to memory of 2488	2204	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe	28
PID 2204 wrote to memory of 2488	2204	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe	28
PID 2204 wrote to memory of 2536	2204	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe	30
PID 2204 wrote to memory of 2536	2204	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe	30
PID 2204 wrote to memory of 2536	2204	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe	30
PID 2204 wrote to memory of 2536	2204	e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe	30

C:\Users\Admin\AppData\Local\Temp\e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe
"C:\Users\Admin\AppData\Local\Temp\e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\d.bat" "
  2⤵
  - Deletes itself
  PID:2488
- C:\Users\Admin\AppData\Local\Skype\Skype.exe
  "C:\Users\Admin\AppData\Local\Skype\Skype.exe"
  2⤵
  - Executes dropped EXE
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d.bat

Filesize
195B

MD5
7b32f26c3094012c7f4e5de79024ae6c

SHA1
117efd52b86d80b328763e9ff1c5d5bcacdaafa3

SHA256
6b9f5e1287af4328014ab7c5ba35f1c56dff66065a6f9f5d2a860edd88566e04

SHA512
2de0fb605425c76c5215587ab15bc0c44484815a9d4d85c0fec1756308d7133e15e1a558daef73585e47a656be215d541f0f8917a25a67df9490b14c3272e972

Download Submit
\Users\Admin\AppData\Local\Skype\Skype.exe

Filesize
55KB

MD5
7d4ef2a82587ae1bddeb41529560f6f0

SHA1
9c97a609d0ed9cbc5a3e7c40fb9dce196c63c82a

SHA256
e54de5d857ff16efd72ff0223235826494147444538f725f6977ca892282e7f3

SHA512
1b333e8704b0afbcd2282ab1d6b9c5bc75e5be0f133a57b01da57bbb1dbfb3429eaa7f6eacdc048646476bf44799add0358c5cc82e2fd60006b4b0682a746491

Download Submit
memory/2204-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2204-4-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2204-15-0x00000000007F0000-0x0000000000808000-memory.dmp

Filesize
96KB

Download
memory/2204-18-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2204-24-0x00000000007F0000-0x0000000000808000-memory.dmp

Filesize
96KB

Download
memory/2536-19-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2536-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2536-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2536-25-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads