f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

03-07-2024 16:11

10-05-2024 16:25

24-08-2023 11:16

05-08-2023 22:52

Analysis

max time kernel
147s
max time network
135s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Size

669KB
MD5

ead18f3a909685922d7213714ea9a183
SHA1

1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512

6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
SSDEEP

6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2700 icacls.exe

pid	process
2700	icacls.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral17/memory/2132-0-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\2a481d76-b1ed-4fe0-a0c7-e9563c45ff59\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	upx
behavioral17/memory/2132-20-0x00000000039F0000-0x0000000003A99000-memory.dmp	upx
behavioral17/memory/1808-41-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral17/memory/2040-42-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2a481d76-b1ed-4fe0-a0c7-e9563c45ff59\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart"	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.2ip.ua
3 api.2ip.ua
4 api.2ip.ua
9 api.2ip.ua
16 api.2ip.ua
18 api.2ip.ua
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
20	api.2ip.ua
3	api.2ip.ua
4	api.2ip.ua
9	api.2ip.ua
16	api.2ip.ua
18	api.2ip.ua

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

pid	process
2132	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1128	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1128	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2a481d76-b1ed-4fe0-a0c7-e9563c45ff59" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:2700

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1808 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2260 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
3a72f2d971680bf89bc91917816ca894

SHA1
eb0d312846bc0cea355ee49f243a4a8f1b1ea5df

SHA256
fc51cc5eece89b0a9dc64912690c618dbfb0c36feaacd808a3458efed606619e

SHA512
fb3397b8482f5b4bffbd01e8cc345424e98668de89b6c454f731d6eb4a5038da6b94885c8ac9af6727b8b943cd07d88f2af55704be89211d271e484b778a087b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
317ad90445fb74d2f37b6320d35a56f0

SHA1
ce931b22178c69013a361f1c7d66345cdeb0968b

SHA256
357394c3aeb7c6ebee06149b7df77c5254da3776787947c411501e3529ad76e8

SHA512
30af4bde71591cd8623072628b9695e0ee5a49eb95bc9861490dbfc3272a18766533da3aa73754c31eae0f5282dbd1d4c438f5f10e8236f15dc1f81a986afd34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
bc6006ed16113ff48dbb151a008b8889

SHA1
3562b376f822b2d0447679cc827d8dbfcfe471f8

SHA256
a288eacee9fab583a48958bda0493de25744ca127b2a29e2ef4050997da89fbc

SHA512
1e945f49d9670296415d7d5a2bb23308f4e459e59542e2632243d225d4687923c3b6b247cb060a95791fdbc5080951055e7b445d0aa7003a0ce88e71aa8a5e6d

Download Submit
C:\Users\Admin\AppData\Local\2a481d76-b1ed-4fe0-a0c7-e9563c45ff59\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Filesize
669KB

MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C2D.tmp
Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE96.tmp
Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
memory/1128-64-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1808-41-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1808-65-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2040-42-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2040-67-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2132-20-0x00000000039F0000-0x0000000003A99000-memory.dmp

Filesize
676KB

Download
memory/2132-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2132-22-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2132-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2132-2-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2132-24-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2132-23-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2260-26-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2260-38-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2260-39-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2260-40-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2260-66-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2260-69-0x0000000002770000-0x0000000002819000-memory.dmp

Filesize
676KB

Download

description	pid	process	target process
PID 2132 wrote to memory of 2700	2132	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 2132 wrote to memory of 2700	2132	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 2132 wrote to memory of 2700	2132	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 2132 wrote to memory of 2700	2132	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 2132 wrote to memory of 2260	2132	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2132 wrote to memory of 2260	2132	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2132 wrote to memory of 2260	2132	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2132 wrote to memory of 2260	2132	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2260 wrote to memory of 1808	2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2260 wrote to memory of 1808	2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2260 wrote to memory of 1808	2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2260 wrote to memory of 1808	2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2260 wrote to memory of 2040	2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2260 wrote to memory of 2040	2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2260 wrote to memory of 2040	2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2260 wrote to memory of 2040	2260	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1808 wrote to memory of 1128	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1808 wrote to memory of 1128	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1808 wrote to memory of 1128	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1808 wrote to memory of 1128	1808	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe