7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
Size

250KB
MD5

084a4c5e6da1f70207f4e20880c44090
SHA1

9d8e3dd44b7cc6ced9fde512eca5b831b2593297
SHA256

7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53
SHA512

0f36f88c114f9c80fc12ccbc3050623ced7a1ea8dc3b43ffc2ecb5eee0aa3854f3a2fb45864f76a2b05a47df72983de4377f282617b20e3fafcd2d0dd2ff97f6
SSDEEP

6144:D2j6KlenuKQlv7oTvLcCYLSMIgPgZHHL8tSp4oFToSoo:x7nuLKTwC+IXZH6Sp4CToSZ

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1444	Process not Found
1300	Process not Found

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1248-54-0x0000000000400000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/1248-56-0x0000000000400000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/1972-58-0x0000000000400000-0x0000000000544000-memory.dmp	upx
behavioral1/memory/1972-73-0x0000000000400000-0x0000000000544000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
956	rundll32.exe
1712	rundll32.exe
1672	rundll32.exe
1116	Process not Found
1012	Process not Found

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
956	rundll32.exe
1672	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
Token: SeDebugPrivilege	956	rundll32.exe
Token: SeDebugPrivilege	1672	rundll32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
956	rundll32.exe
1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
1672	rundll32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1972	1248	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	26
PID 1248 wrote to memory of 1972	1248	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	26
PID 1248 wrote to memory of 1972	1248	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	26
PID 1248 wrote to memory of 1972	1248	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	26
PID 1972 wrote to memory of 956	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	27
PID 1972 wrote to memory of 956	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	27
PID 1972 wrote to memory of 956	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	27
PID 1972 wrote to memory of 956	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	27
PID 1972 wrote to memory of 956	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	27
PID 1972 wrote to memory of 956	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	27
PID 1972 wrote to memory of 956	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	27
PID 1972 wrote to memory of 1712	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	28
PID 1972 wrote to memory of 1712	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	28
PID 1972 wrote to memory of 1712	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	28
PID 1972 wrote to memory of 1712	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	28
PID 1972 wrote to memory of 1712	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	28
PID 1972 wrote to memory of 1712	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	28
PID 1972 wrote to memory of 1712	1972	7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe	28
PID 1712 wrote to memory of 1672	1712	rundll32.exe	29
PID 1712 wrote to memory of 1672	1712	rundll32.exe	29
PID 1712 wrote to memory of 1672	1712	rundll32.exe	29
PID 1712 wrote to memory of 1672	1712	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
"C:\Users\Admin\AppData\Local\Temp\7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe
  C:\Users\Admin\AppData\Local\Temp\7d618a85a65309aba572ef916a14b9a1c7ceb5015620732a002d2cb80fa92f53.exe -R:1
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Users\Admin\AppData\Local\Temp\WNE6A87.tmp" ssl
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:956
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Users\Admin\AppData\Local\Temp\WNE6E9D.tmp" ssl
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\rundll32.exe
      rundll32 "C:\Users\Admin\AppData\Local\Temp\WNE6E9D.tmp" ssl
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WNE6A87.tmp

Filesize
333KB

MD5
a47765a79a1175f6a8dbd0b80a3b15b9

SHA1
aefdf5c7f337148d156e863e3f014336b9c79417

SHA256
3dd3a2aed80a330d915e0d556d62f5e61eae709b42b7a28b1a4359f1cec7e3eb

SHA512
7f0c46eb51d60987dc01fd9ca4ecdbf8d2a553f3340037d918f2f4a023c6e63720faa5e93248e8df6d33f4be9124114e8e51679d03b7df7ea5043b987df4e4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WNE6E9D.tmp

Filesize
367KB

MD5
0361a9f8f237149f3820062bb58f3db2

SHA1
a798ff2ecb1eaa9ba32c0ec239aa93299f4c41b3

SHA256
e755144eff4bedf35628b03b93c19d66d8d9ce87a2dc2f3368eb972a5f16de83

SHA512
3e748e9bf8f0c494c122a665f6ac052912ad68f3cc75dd95d65171eb2b5b4f733eac46798e064f24d51326ff605f470197618f5d3d3f732a52298a0177796566

Download Submit
\Users\Admin\AppData\Local\Temp\WNE6A87.tmp

Filesize
333KB

MD5
a47765a79a1175f6a8dbd0b80a3b15b9

SHA1
aefdf5c7f337148d156e863e3f014336b9c79417

SHA256
3dd3a2aed80a330d915e0d556d62f5e61eae709b42b7a28b1a4359f1cec7e3eb

SHA512
7f0c46eb51d60987dc01fd9ca4ecdbf8d2a553f3340037d918f2f4a023c6e63720faa5e93248e8df6d33f4be9124114e8e51679d03b7df7ea5043b987df4e4bd

Download Submit
\Users\Admin\AppData\Local\Temp\WNE6A87.tmp

Filesize
333KB

MD5
a47765a79a1175f6a8dbd0b80a3b15b9

SHA1
aefdf5c7f337148d156e863e3f014336b9c79417

SHA256
3dd3a2aed80a330d915e0d556d62f5e61eae709b42b7a28b1a4359f1cec7e3eb

SHA512
7f0c46eb51d60987dc01fd9ca4ecdbf8d2a553f3340037d918f2f4a023c6e63720faa5e93248e8df6d33f4be9124114e8e51679d03b7df7ea5043b987df4e4bd

Download Submit
\Users\Admin\AppData\Local\Temp\WNE6E9D.tmp

Filesize
367KB

MD5
0361a9f8f237149f3820062bb58f3db2

SHA1
a798ff2ecb1eaa9ba32c0ec239aa93299f4c41b3

SHA256
e755144eff4bedf35628b03b93c19d66d8d9ce87a2dc2f3368eb972a5f16de83

SHA512
3e748e9bf8f0c494c122a665f6ac052912ad68f3cc75dd95d65171eb2b5b4f733eac46798e064f24d51326ff605f470197618f5d3d3f732a52298a0177796566

Download Submit
\Users\Admin\AppData\Local\Temp\WNE6E9D.tmp

Filesize
367KB

MD5
0361a9f8f237149f3820062bb58f3db2

SHA1
a798ff2ecb1eaa9ba32c0ec239aa93299f4c41b3

SHA256
e755144eff4bedf35628b03b93c19d66d8d9ce87a2dc2f3368eb972a5f16de83

SHA512
3e748e9bf8f0c494c122a665f6ac052912ad68f3cc75dd95d65171eb2b5b4f733eac46798e064f24d51326ff605f470197618f5d3d3f732a52298a0177796566

Download Submit
\Users\Admin\AppData\Local\Temp\WNE6E9D.tmp

Filesize
367KB

MD5
0361a9f8f237149f3820062bb58f3db2

SHA1
a798ff2ecb1eaa9ba32c0ec239aa93299f4c41b3

SHA256
e755144eff4bedf35628b03b93c19d66d8d9ce87a2dc2f3368eb972a5f16de83

SHA512
3e748e9bf8f0c494c122a665f6ac052912ad68f3cc75dd95d65171eb2b5b4f733eac46798e064f24d51326ff605f470197618f5d3d3f732a52298a0177796566

Download Submit
\Users\Admin\AppData\Local\Temp\WNE6E9D.tmp

Filesize
367KB

MD5
0361a9f8f237149f3820062bb58f3db2

SHA1
a798ff2ecb1eaa9ba32c0ec239aa93299f4c41b3

SHA256
e755144eff4bedf35628b03b93c19d66d8d9ce87a2dc2f3368eb972a5f16de83

SHA512
3e748e9bf8f0c494c122a665f6ac052912ad68f3cc75dd95d65171eb2b5b4f733eac46798e064f24d51326ff605f470197618f5d3d3f732a52298a0177796566

Download Submit
\Users\Admin\AppData\Local\Temp\WNE6E9D.tmp

Filesize
367KB

MD5
0361a9f8f237149f3820062bb58f3db2

SHA1
a798ff2ecb1eaa9ba32c0ec239aa93299f4c41b3

SHA256
e755144eff4bedf35628b03b93c19d66d8d9ce87a2dc2f3368eb972a5f16de83

SHA512
3e748e9bf8f0c494c122a665f6ac052912ad68f3cc75dd95d65171eb2b5b4f733eac46798e064f24d51326ff605f470197618f5d3d3f732a52298a0177796566

Download Submit
\Users\Admin\AppData\Local\Temp\WNE6E9D.tmp

Filesize
367KB

MD5
0361a9f8f237149f3820062bb58f3db2

SHA1
a798ff2ecb1eaa9ba32c0ec239aa93299f4c41b3

SHA256
e755144eff4bedf35628b03b93c19d66d8d9ce87a2dc2f3368eb972a5f16de83

SHA512
3e748e9bf8f0c494c122a665f6ac052912ad68f3cc75dd95d65171eb2b5b4f733eac46798e064f24d51326ff605f470197618f5d3d3f732a52298a0177796566

Download Submit
memory/956-61-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-56-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1248-54-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1972-58-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1972-73-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download