1423053f90855d33858db47f354055b660943104c1c18f848c9b7b415979dc5f

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Size

669KB
MD5

ead18f3a909685922d7213714ea9a183
SHA1

1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512

6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
SSDEEP

6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2800	icacls.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral21/memory/2284-0-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral21/files/0x00060000000193e7-20.dat	upx
behavioral21/memory/2284-21-0x0000000003C20000-0x0000000003CC9000-memory.dmp	upx
behavioral21/memory/2512-26-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral21/memory/1528-47-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral21/memory/2076-45-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ff420df8-c292-439a-b450-f22422380130\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart"	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua
18	api.2ip.ua
20	api.2ip.ua
25	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2284	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1528	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1528	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2024	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2024	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2800	2284	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	28
PID 2284 wrote to memory of 2800	2284	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	28
PID 2284 wrote to memory of 2800	2284	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	28
PID 2284 wrote to memory of 2800	2284	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	28
PID 2284 wrote to memory of 2512	2284	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	29
PID 2284 wrote to memory of 2512	2284	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	29
PID 2284 wrote to memory of 2512	2284	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	29
PID 2284 wrote to memory of 2512	2284	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	29
PID 2512 wrote to memory of 2076	2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	33
PID 2512 wrote to memory of 2076	2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	33
PID 2512 wrote to memory of 2076	2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	33
PID 2512 wrote to memory of 2076	2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	33
PID 2512 wrote to memory of 1528	2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	34
PID 2512 wrote to memory of 1528	2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	34
PID 2512 wrote to memory of 1528	2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	34
PID 2512 wrote to memory of 1528	2512	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	34
PID 2076 wrote to memory of 2024	2076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	35
PID 2076 wrote to memory of 2024	2076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	35
PID 2076 wrote to memory of 2024	2076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	35
PID 2076 wrote to memory of 2024	2076	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	35

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\ff420df8-c292-439a-b450-f22422380130" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
  "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2076 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2512 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
7403e9ec70361f92b4bddc229731b39c

SHA1
a641d270a8c10d47dcbdb4417d16bace36b0d2b5

SHA256
5af1e8f8257fbb420c96c172bda311c14ae7035e040b5cc99c6eea4becba749c

SHA512
db9855b568bc01adca976a0791f656f3f037c48392f302b2ba5730a649cb3b42a6635384f4858de08ef9b8594994c5d0f6f272ecbd621a690bc3897aa02cab52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e3610e2581d7e9108d8bbcbbb03a846

SHA1
7ce79c6ca613a53e66ca653422111910b1c35681

SHA256
4c5c499356586e4909487487a2c53f732dbf6b7e63ce86c7d499f5d2be0c3d55

SHA512
eb481ef37ca4cf088c7c4cd2ed37a7ce8a64cf05ec39d553fbbade5243f744735c73e73c96da718db8d29776f0bb5e6aa9bfce53479394d2cde6ff4dca3bdd9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
f5022a0a48cd9017339ca84e381b8605

SHA1
05adc51674a7eedcc1c6e5b8722bb436b82a94f2

SHA256
7184b0b977a2d7270f8d834b328cfea89e592ad077f63e8240a76bd0d4d963c6

SHA512
b51f9e41db4c9e83eeecddab2248914b165d4ec9bbf8b89aa9186a01aa8075e90cd5414d383cf1f70edac83785e19e92c252f10cbc303aecf164ea5c2b3656c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e0307030d178d5b7d3d386c24342aa4e

SHA1
23910ace8ca8ce9cc4d49cf453725b288cfec5ce

SHA256
a476081cdd88744076bf87f79c0b8def5672af30a66ab32eb49b03bb50279291

SHA512
dccc9d88d276ce963dd038f8ca01b05a9152fef88344796a18a37db9e999c8a51a9fb4658fb21ffa6e1bceb41661d42db37116e2e76bd9b6e4d0d6d7aab512d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab363D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB0F8.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\ff420df8-c292-439a-b450-f22422380130\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Filesize
669KB

MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
memory/1528-47-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1528-83-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2024-80-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2076-45-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2076-81-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2284-25-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2284-23-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2284-2-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2284-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2284-24-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2284-21-0x0000000003C20000-0x0000000003CC9000-memory.dmp

Filesize
676KB

Download
memory/2284-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2512-44-0x0000000002580000-0x0000000002629000-memory.dmp

Filesize
676KB

Download
memory/2512-26-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2512-43-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2512-46-0x0000000002580000-0x0000000002629000-memory.dmp

Filesize
676KB

Download
memory/2512-28-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2512-42-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2512-82-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2512-41-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2512-86-0x0000000002580000-0x0000000002629000-memory.dmp

Filesize
676KB

Download