a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe
Size

259KB
MD5

a8b9fb05ab44dfae70e85051e7990152
SHA1

e09c0b71e518e5be8bb65da21e5da61cc00e5e02
SHA256

a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6
SHA512

66fa16c55bce8b43291580f7bcc7be6eb109ce1d7f60d4f7c61a761abfc85f8c851ab067bf5d83c9739a22139c695e84179c2a02f8b8ef244eaffb0f6f4042d0
SSDEEP

1536:GxtnE6acoso8vzxoSBUES5SwziMYiHzhtAia5QrMsQtCnt8qiJPQsZSTorlN33nI:K/vFYi9yQct1iJPQSrl1LtYFroxTSf7

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 15 IoCs

resource	yara_rule
behavioral1/memory/2304-0-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x000b00000001560a-8.dat	UPX
behavioral1/memory/2304-17-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/2460-18-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/2460-35-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0010000000015c3c-42.dat	UPX
behavioral1/memory/2580-51-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/2344-68-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0007000000015c87-80.dat	UPX
behavioral1/memory/2696-85-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/528-83-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0007000000015cb9-92.dat	UPX
behavioral1/memory/1340-117-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1980-125-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1188-127-0x0000000000400000-0x0000000000442000-memory.dmp	UPX

Executes dropped EXE 8 IoCs

pid	Process
2460	5c251.exe
2580	c948c.exe
2344	68112.exe
528	d8d48.exe
2696	8e989.exe
1340	61x4d.exe
1980	56x1c.exe
1188	56x1c.exe

Loads dropped DLL 16 IoCs

pid	Process
2304	a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe
2304	a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe
2460	5c251.exe
2460	5c251.exe
2580	c948c.exe
2580	c948c.exe
2344	68112.exe
2344	68112.exe
528	d8d48.exe
528	d8d48.exe
2696	8e989.exe
2696	8e989.exe
1340	61x4d.exe
1340	61x4d.exe
1980	56x1c.exe
1980	56x1c.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2304-0-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x000b00000001560a-8.dat	upx
behavioral1/memory/2304-17-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2460-18-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2460-35-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0010000000015c3c-42.dat	upx
behavioral1/memory/2580-51-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2344-68-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0007000000015c87-80.dat	upx
behavioral1/memory/2696-85-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/528-83-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/files/0x0007000000015cb9-92.dat	upx
behavioral1/memory/1340-117-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1980-125-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1188-127-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "61x4d.exe"	61x4d.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\5c251.exe	a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe
File opened for modification	C:\Windows\SysWOW64\5c251.exe	a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe
File created	C:\Windows\SysWOW64\56x1c.exe	61x4d.exe
File created	C:\Windows\SysWOW64\8e989.exe	d8d48.exe
File created	C:\Windows\SysWOW64\61x4d.exe	8e989.exe
File created	C:\Windows\SysWOW64\c948c.exe	5c251.exe
File created	C:\Windows\SysWOW64\d8d48.exe	68112.exe
File opened for modification	C:\Windows\SysWOW64\56x1c.exe	56x1c.exe
File opened for modification	C:\Windows\SysWOW64\8e989.exe	d8d48.exe
File opened for modification	C:\Windows\SysWOW64\61x4d.exe	8e989.exe
File opened for modification	C:\Windows\SysWOW64\	61x4d.exe
File opened for modification	C:\Windows\SysWOW64\56x1c.exe	61x4d.exe
File opened for modification	C:\Windows\SysWOW64\c948c.exe	5c251.exe
File created	C:\Windows\SysWOW64\68112.exe	c948c.exe
File opened for modification	C:\Windows\SysWOW64\68112.exe	c948c.exe
File opened for modification	C:\Windows\SysWOW64\d8d48.exe	68112.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1340	61x4d.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2304	a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe
2460	5c251.exe
2580	c948c.exe
2344	68112.exe
528	d8d48.exe
2696	8e989.exe
1340	61x4d.exe
1980	56x1c.exe
1188	56x1c.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2460	2304	a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe	28
PID 2304 wrote to memory of 2460	2304	a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe	28
PID 2304 wrote to memory of 2460	2304	a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe	28
PID 2304 wrote to memory of 2460	2304	a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe	28
PID 2460 wrote to memory of 2580	2460	5c251.exe	29
PID 2460 wrote to memory of 2580	2460	5c251.exe	29
PID 2460 wrote to memory of 2580	2460	5c251.exe	29
PID 2460 wrote to memory of 2580	2460	5c251.exe	29
PID 2580 wrote to memory of 2344	2580	c948c.exe	30
PID 2580 wrote to memory of 2344	2580	c948c.exe	30
PID 2580 wrote to memory of 2344	2580	c948c.exe	30
PID 2580 wrote to memory of 2344	2580	c948c.exe	30
PID 2344 wrote to memory of 528	2344	68112.exe	31
PID 2344 wrote to memory of 528	2344	68112.exe	31
PID 2344 wrote to memory of 528	2344	68112.exe	31
PID 2344 wrote to memory of 528	2344	68112.exe	31
PID 528 wrote to memory of 2696	528	d8d48.exe	32
PID 528 wrote to memory of 2696	528	d8d48.exe	32
PID 528 wrote to memory of 2696	528	d8d48.exe	32
PID 528 wrote to memory of 2696	528	d8d48.exe	32
PID 2696 wrote to memory of 1340	2696	8e989.exe	33
PID 2696 wrote to memory of 1340	2696	8e989.exe	33
PID 2696 wrote to memory of 1340	2696	8e989.exe	33
PID 2696 wrote to memory of 1340	2696	8e989.exe	33
PID 1340 wrote to memory of 1980	1340	61x4d.exe	34
PID 1340 wrote to memory of 1980	1340	61x4d.exe	34
PID 1340 wrote to memory of 1980	1340	61x4d.exe	34
PID 1340 wrote to memory of 1980	1340	61x4d.exe	34
PID 1980 wrote to memory of 1188	1980	56x1c.exe	35
PID 1980 wrote to memory of 1188	1980	56x1c.exe	35
PID 1980 wrote to memory of 1188	1980	56x1c.exe	35
PID 1980 wrote to memory of 1188	1980	56x1c.exe	35

C:\Users\Admin\AppData\Local\Temp\a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe
"C:\Users\Admin\AppData\Local\Temp\a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\5c251.exe
  "C:\Windows\system32\5c251.exe" killauto~~a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\c948c.exe
    "C:\Windows\system32\c948c.exe" killauto~~5c251.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\68112.exe
      "C:\Windows\system32\68112.exe" killauto~~c948c.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\SysWOW64\d8d48.exe
        
        "C:\Windows\system32\d8d48.exe" killauto~~68112.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:528
      - C:\Windows\SysWOW64\8e989.exe
        
        "C:\Windows\system32\8e989.exe" killauto~~d8d48.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\61x4d.exe
        
        "C:\Windows\system32\61x4d.exe" killauto~~8e989.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\56x1c.exe
        
        "C:\Windows\system32\56x1c.exe" killauto~~61x4d.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\56x1c.exe
        
        "C:\Windows\system32\56x1c.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\5c251.exe

Filesize
259KB

MD5
a8b9fb05ab44dfae70e85051e7990152

SHA1
e09c0b71e518e5be8bb65da21e5da61cc00e5e02

SHA256
a04143704ef345164939c979a62ff56e4aa973abc5c633a3654ff72960dc28c6

SHA512
66fa16c55bce8b43291580f7bcc7be6eb109ce1d7f60d4f7c61a761abfc85f8c851ab067bf5d83c9739a22139c695e84179c2a02f8b8ef244eaffb0f6f4042d0

Download Submit
C:\Windows\SysWOW64\8e989.exe

Filesize
259KB

MD5
2bc0fbac60af543620b202bd26a4cfb3

SHA1
b5a6a3ab2471565cea60544b35166165db6c35bb

SHA256
6eb1a1844e04a819b398224c533e1955b17a4184937378be6a98c01c8b9c4e87

SHA512
8404f75361f0e412fea3d360e3560bd27edf7cf0ba1e97decf1a5b2876b86f7f4399f0e2d65e24de05623395bbefad7e00c757a9fead5c855749c074203c3030

Download Submit
\Windows\SysWOW64\61x4d.exe

Filesize
259KB

MD5
c1060f3e73669d1ec1c1c1d338020aa3

SHA1
dc55744b6dca7ec6545292798956e113e9a498a9

SHA256
9cf805aa5e8839679709d65dd07f430feeeb72365a9485d32ec8095155d679da

SHA512
5dbaa9e73bd584179e681abcf3ee35b94c57911d6f67788540addeabb8ba2c435754a554c982a23215dac5912c8f33a4b483d042750401821e133e9581ba39c6

Download Submit
\Windows\SysWOW64\68112.exe

Filesize
259KB

MD5
40b415403abc488d6f0de303db398750

SHA1
7ccacb2cf5cb8bc017bcb56b3ca6dbd9aa8a8326

SHA256
225252afb8baf1f1c6c9bb1ba3e2703572ea809550f50e8d74be51c1183ad1f4

SHA512
5118da588dfac0598aacd0b1ed0796447e6b675aade14305ebe878f6e02a319ef3ddd53af9f2f538a637f99f309428090189c9c37ed718c179d4922baf834ca7

Download Submit
memory/528-81-0x0000000003D10000-0x0000000003D52000-memory.dmp

Filesize
264KB

Download
memory/528-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1188-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-117-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-113-0x0000000003BD0000-0x0000000003C12000-memory.dmp

Filesize
264KB

Download
memory/1980-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1980-123-0x0000000003830000-0x0000000003872000-memory.dmp

Filesize
264KB

Download
memory/2304-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-16-0x0000000003A10000-0x0000000003A52000-memory.dmp

Filesize
264KB

Download
memory/2304-13-0x0000000003A10000-0x0000000003A52000-memory.dmp

Filesize
264KB

Download
memory/2344-65-0x0000000003AB0000-0x0000000003AF2000-memory.dmp

Filesize
264KB

Download
memory/2344-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-32-0x0000000003840000-0x0000000003882000-memory.dmp

Filesize
264KB

Download
memory/2460-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-34-0x0000000003840000-0x0000000003882000-memory.dmp

Filesize
264KB

Download
memory/2460-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-48-0x0000000003C50000-0x0000000003C92000-memory.dmp

Filesize
264KB

Download
memory/2580-51-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-94-0x0000000003BE0000-0x0000000003C22000-memory.dmp

Filesize
264KB

Download