30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395

Analysis

max time kernel
152s
max time network
169s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 05:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
Size

411KB
MD5

7053d7d2c6eb7a495602d3c0cf6ed09a
SHA1

e3763025cfe785389ff15eb7e0dce5c4f7dde855
SHA256

30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395
SHA512

2dbae3bb9fe13f9f6970cf68b2587fd2d5dff1dc6d5bc375870bfb22ee820b8b0cedb2d55857c612a3678fc3b7b5b34500a48c26ea549a3ff84723ba2fa035c9
SSDEEP

12288:8q4ygd5TAAJJsIlA6j0R/C4WiZ3WLyzQ:8qAd5TAAt9j0tCuiy

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1160	fP18401CeOhN18401.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1852-56-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/1160-62-0x0000000000400000-0x00000000004D8000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fP18401CeOhN18401 = "C:\\ProgramData\\fP18401CeOhN18401\\fP18401CeOhN18401.exe"	fP18401CeOhN18401.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	fP18401CeOhN18401.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
1160	fP18401CeOhN18401.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
Token: SeDebugPrivilege	1160	fP18401CeOhN18401.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1160	fP18401CeOhN18401.exe
1160	fP18401CeOhN18401.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1160	fP18401CeOhN18401.exe
1160	fP18401CeOhN18401.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1160	fP18401CeOhN18401.exe
1160	fP18401CeOhN18401.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1160	1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe	28
PID 1852 wrote to memory of 1160	1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe	28
PID 1852 wrote to memory of 1160	1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe	28
PID 1852 wrote to memory of 1160	1852	30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe	28

C:\Users\Admin\AppData\Local\Temp\30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe
"C:\Users\Admin\AppData\Local\Temp\30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\ProgramData\fP18401CeOhN18401\fP18401CeOhN18401.exe
  "C:\ProgramData\fP18401CeOhN18401\fP18401CeOhN18401.exe" "C:\Users\Admin\AppData\Local\Temp\30a739477f812b707f0a49a71f23564cf0b0dabe7f3c335bb90ac823d2f58395.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fP18401CeOhN18401\fP18401CeOhN18401.exe

Filesize
411KB

MD5
2de3ac6f50f3232c1225aeb37d2b42b1

SHA1
4558116ee1e1be6f5407e2b243e2ba1993dc5dbd

SHA256
19366ef3046608e0e60ed6f6f14cedf232c667bf3867c96a196d4243cbb28fa3

SHA512
fe210b9b7dcdc92429e47116a45ba7bb52c0b1ca6acb9fbaf47f1f35c493d7765666d1d4cc52f8b30bff7dcfd4db6cb5c51c4ab7b8334dd3e5675e1a7fd24687

Download Submit
C:\ProgramData\fP18401CeOhN18401\fP18401CeOhN18401.exe

Filesize
411KB

MD5
2de3ac6f50f3232c1225aeb37d2b42b1

SHA1
4558116ee1e1be6f5407e2b243e2ba1993dc5dbd

SHA256
19366ef3046608e0e60ed6f6f14cedf232c667bf3867c96a196d4243cbb28fa3

SHA512
fe210b9b7dcdc92429e47116a45ba7bb52c0b1ca6acb9fbaf47f1f35c493d7765666d1d4cc52f8b30bff7dcfd4db6cb5c51c4ab7b8334dd3e5675e1a7fd24687

Download Submit
\ProgramData\fP18401CeOhN18401\fP18401CeOhN18401.exe

Filesize
411KB

MD5
2de3ac6f50f3232c1225aeb37d2b42b1

SHA1
4558116ee1e1be6f5407e2b243e2ba1993dc5dbd

SHA256
19366ef3046608e0e60ed6f6f14cedf232c667bf3867c96a196d4243cbb28fa3

SHA512
fe210b9b7dcdc92429e47116a45ba7bb52c0b1ca6acb9fbaf47f1f35c493d7765666d1d4cc52f8b30bff7dcfd4db6cb5c51c4ab7b8334dd3e5675e1a7fd24687

Download Submit
\ProgramData\fP18401CeOhN18401\fP18401CeOhN18401.exe

Filesize
411KB

MD5
2de3ac6f50f3232c1225aeb37d2b42b1

SHA1
4558116ee1e1be6f5407e2b243e2ba1993dc5dbd

SHA256
19366ef3046608e0e60ed6f6f14cedf232c667bf3867c96a196d4243cbb28fa3

SHA512
fe210b9b7dcdc92429e47116a45ba7bb52c0b1ca6acb9fbaf47f1f35c493d7765666d1d4cc52f8b30bff7dcfd4db6cb5c51c4ab7b8334dd3e5675e1a7fd24687

Download Submit
memory/1160-62-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1852-55-0x0000000000670000-0x0000000000673000-memory.dmp

Filesize
12KB

Download
memory/1852-56-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download