e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe
Size

415KB
MD5

0bb3ffc4d6acd1e4bb2c0699bfe5d6e4
SHA1

613d57217ef99242fd58a53f8a231a1b40e03fcc
SHA256

e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59
SHA512

5dfd6ac9a6140f353dccc062c1fa0ddc7165a024f4b797ce64156da70dbdb3e89a5e143855959e0afd86ed7dc92e318ef172039feb42e563ff88edcc29b5df60
SSDEEP

6144:uHICZ9i1D3MCn/ucvB/HJ5vo9pcfJJicIn0fJYzfannM+MywwfoyO1EETXlCMzZ:uHICZ9iSCnm8B/Hw9pnn0fwSnn1uTXlF

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

msiexec.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\3155268564 = "C:\\PROGRA~3\\msokr.exe"	msiexec.exe

Blocklisted process makes network request 14 IoCs

Processes:

msiexec.exe

flow	pid	process
1	1844	msiexec.exe
2	1844	msiexec.exe
3	1844	msiexec.exe
4	1844	msiexec.exe
5	1844	msiexec.exe
7	1844	msiexec.exe
8	1844	msiexec.exe
9	1844	msiexec.exe
10	1844	msiexec.exe
11	1844	msiexec.exe
12	1844	msiexec.exe
13	1844	msiexec.exe
14	1844	msiexec.exe
15	1844	msiexec.exe

Disables taskbar notifications via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Gl.exean.exe

pid process

1940 Gl.exe
1964 an.exe
Loads dropped DLL 2 IoCs

Processes:

WScript.execmd.exe

pid process

1376 WScript.exe
1032 cmd.exe
Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\PROGRA~3\msokr.exe msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

an.exemsiexec.execmd.exe

pid process

1964 an.exe
1844 msiexec.exe
1844 msiexec.exe
1548 cmd.exe

pid	process
1940	Gl.exe
1964	an.exe

pid	process
1376	WScript.exe
1032	cmd.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\msokr.exe	msiexec.exe

Suspicious behavior: MapViewOfSection 26 IoCs

Processes:

an.exemsiexec.exe

pid	process
1964	an.exe
1964	an.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

an.exemsiexec.execmd.exe

description	pid	process
Token: SeDebugPrivilege	1964	an.exe
Token: SeBackupPrivilege	1964	an.exe
Token: SeRestorePrivilege	1964	an.exe
Token: SeDebugPrivilege	1844	msiexec.exe
Token: SeBackupPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeDebugPrivilege	1548	cmd.exe
Token: SeBackupPrivilege	1548	cmd.exe
Token: SeRestorePrivilege	1548	cmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1372 AcroRd32.exe
1372 AcroRd32.exe
1372 AcroRd32.exe
1372 AcroRd32.exe

pid	process
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe
1372	AcroRd32.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exeWScript.execmd.exeGl.exeWScript.execmd.exean.exe

description	pid	process	target process
PID 1712 wrote to memory of 1640	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 1712 wrote to memory of 1640	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 1712 wrote to memory of 1640	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 1712 wrote to memory of 1640	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 1712 wrote to memory of 1640	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 1712 wrote to memory of 1640	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 1712 wrote to memory of 1640	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	cmd.exe
PID 1712 wrote to memory of 1376	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 1712 wrote to memory of 1376	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 1712 wrote to memory of 1376	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 1712 wrote to memory of 1376	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 1712 wrote to memory of 1376	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 1712 wrote to memory of 1376	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 1712 wrote to memory of 1376	1712	e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe	WScript.exe
PID 1376 wrote to memory of 1940	1376	WScript.exe	Gl.exe
PID 1376 wrote to memory of 1940	1376	WScript.exe	Gl.exe
PID 1376 wrote to memory of 1940	1376	WScript.exe	Gl.exe
PID 1376 wrote to memory of 1940	1376	WScript.exe	Gl.exe
PID 1376 wrote to memory of 1940	1376	WScript.exe	Gl.exe
PID 1376 wrote to memory of 1940	1376	WScript.exe	Gl.exe
PID 1376 wrote to memory of 1940	1376	WScript.exe	Gl.exe
PID 1376 wrote to memory of 1548	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 1548	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 1548	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 1548	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 1548	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 1548	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 1548	1376	WScript.exe	cmd.exe
PID 1548 wrote to memory of 1372	1548	cmd.exe	AcroRd32.exe
PID 1548 wrote to memory of 1372	1548	cmd.exe	AcroRd32.exe
PID 1548 wrote to memory of 1372	1548	cmd.exe	AcroRd32.exe
PID 1548 wrote to memory of 1372	1548	cmd.exe	AcroRd32.exe
PID 1548 wrote to memory of 1372	1548	cmd.exe	AcroRd32.exe
PID 1548 wrote to memory of 1372	1548	cmd.exe	AcroRd32.exe
PID 1548 wrote to memory of 1372	1548	cmd.exe	AcroRd32.exe
PID 1940 wrote to memory of 1532	1940	Gl.exe	WScript.exe
PID 1940 wrote to memory of 1532	1940	Gl.exe	WScript.exe
PID 1940 wrote to memory of 1532	1940	Gl.exe	WScript.exe
PID 1940 wrote to memory of 1532	1940	Gl.exe	WScript.exe
PID 1940 wrote to memory of 1532	1940	Gl.exe	WScript.exe
PID 1940 wrote to memory of 1532	1940	Gl.exe	WScript.exe
PID 1940 wrote to memory of 1532	1940	Gl.exe	WScript.exe
PID 1532 wrote to memory of 1032	1532	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1032	1532	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1032	1532	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1032	1532	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1032	1532	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1032	1532	WScript.exe	cmd.exe
PID 1532 wrote to memory of 1032	1532	WScript.exe	cmd.exe
PID 1032 wrote to memory of 1964	1032	cmd.exe	an.exe
PID 1032 wrote to memory of 1964	1032	cmd.exe	an.exe
PID 1032 wrote to memory of 1964	1032	cmd.exe	an.exe
PID 1032 wrote to memory of 1964	1032	cmd.exe	an.exe
PID 1032 wrote to memory of 1964	1032	cmd.exe	an.exe
PID 1032 wrote to memory of 1964	1032	cmd.exe	an.exe
PID 1032 wrote to memory of 1964	1032	cmd.exe	an.exe
PID 1964 wrote to memory of 1844	1964	an.exe	msiexec.exe
PID 1964 wrote to memory of 1844	1964	an.exe	msiexec.exe
PID 1964 wrote to memory of 1844	1964	an.exe	msiexec.exe
PID 1964 wrote to memory of 1844	1964	an.exe	msiexec.exe
PID 1964 wrote to memory of 1844	1964	an.exe	msiexec.exe
PID 1964 wrote to memory of 1844	1964	an.exe	msiexec.exe
PID 1964 wrote to memory of 1844	1964	an.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe
"C:\Users\Admin\AppData\Local\Temp\e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\WINDOWS\SysWOW64\cmd.exe
  "C:\WINDOWS\system32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\out.gif out.js
  2⤵
  PID:1640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\out.js"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\Gl.exe
    "C:\Users\Admin\AppData\Local\Temp\Gl.exe" -pGlue1 -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\inside.js"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\an.exe -dC:\Users\Admin\AppData\Local\Temp
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Users\Admin\AppData\Local\Temp\an.exe
        
        C:\Users\Admin\AppData\Local\Temp\an.exe -dC:\Users\Admin\AppData\Local\Temp
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\msiexec.exe
        
        C:\Windows\SysWOW64\msiexec.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Adds policy Run key to start application
        Blocklisted process makes network request
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Shipping_Inv.pdf -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping_Inv.pdf"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gl.exe

Filesize
282KB

MD5
45c5a25bb4add91fd4e8bc8a0c003977

SHA1
815d3cad4d6f0d39d17a3075c454c2089185afe9

SHA256
31c8b84f172d9977f6a204af31257f189bae5b9a7f3e425e57c504d410cd385d

SHA512
5e8c6c39a1c708042b647e04f3395e26ef846e377559778e59b64b7319308f5c32c50aca0d7634e57dd8f0cb20883265af30984516b630c757ffe4d5fd0fc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gl.exe

Filesize
282KB

MD5
45c5a25bb4add91fd4e8bc8a0c003977

SHA1
815d3cad4d6f0d39d17a3075c454c2089185afe9

SHA256
31c8b84f172d9977f6a204af31257f189bae5b9a7f3e425e57c504d410cd385d

SHA512
5e8c6c39a1c708042b647e04f3395e26ef846e377559778e59b64b7319308f5c32c50aca0d7634e57dd8f0cb20883265af30984516b630c757ffe4d5fd0fc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gl.png

Filesize
282KB

MD5
2ff306f691a4dd48e0e688e8a3e6e374

SHA1
7ec4b7c22d478c8aa47029eeb9c507a8ba6769cb

SHA256
f9cca52c9d840f3cfc8997e77a42ebc7640ea71f7729fa1782d8596a05ed963b

SHA512
0f7de7c99146ce8bf7165613cae06991153c2453fa775e6802b65f757c0aa1b097749e09e2981739e61749e3e43503a2b99cd810b6ad8e0d4cdd3bfd90a69375

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shipping_Inv.pdf

Filesize
9KB

MD5
998acb522b47bbfe95f9954d17aa9918

SHA1
e351952afc397d6e127784fe692cf4259e1c6189

SHA256
409e472b667ae747942e10d4dc691796c3b2eb00a0e407146e69b2f8205de40c

SHA512
be047cc246765384f0a484759849d75ac32edbfcd6d5f4a7b96e9a63f2afedd5ff5386db038885455f1736c450b57b9c2e9b9242b740c3560677a35432a3f760

Download Submit
C:\Users\Admin\AppData\Local\Temp\an.exe

Filesize
143KB

MD5
b30d8d55201cd988899c29bc01239085

SHA1
413ef22a404e433892bb0448f39e1d3594f3407e

SHA256
8a1279c890cbf622ed6f7fe3f087b4ce77c5acffeb60efaad44c57eba1c61794

SHA512
a7657a1afef81a81b2656f9da9890ed954185b8665d0e15e27f8331734055bcae54ad278254dd954acd1bbb6cc6e88fda86d7520fe3896da0e3a9d11958c4a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\an.exe

Filesize
143KB

MD5
b30d8d55201cd988899c29bc01239085

SHA1
413ef22a404e433892bb0448f39e1d3594f3407e

SHA256
8a1279c890cbf622ed6f7fe3f087b4ce77c5acffeb60efaad44c57eba1c61794

SHA512
a7657a1afef81a81b2656f9da9890ed954185b8665d0e15e27f8331734055bcae54ad278254dd954acd1bbb6cc6e88fda86d7520fe3896da0e3a9d11958c4a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\inside.js

Filesize
100B

MD5
1e7c8e75533812eabc488a16a924bb73

SHA1
3fcdc8292f73bb35610d64223f19208f6570af27

SHA256
6155c98419fa536481857f51a85db74ce04c3375dd0f1fd0d81d5f40d9e29ba7

SHA512
04215f67fe68c4d6beac03ed77eeec2ad7d4bc77be270f8f762c3877fa21b53d5bf46589bacd67cca0f827dda030af38198b98daadc5a85bacfb7e4dba5a2db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\out.gif

Filesize
900B

MD5
1938c5f7d1e343069723ea82e8805dca

SHA1
367834e08fcea13d45856680d461d6ad29ce7152

SHA256
50859a87a252222a4599e0235632e4530ca614aacf33d481e7ad644a1bdf7953

SHA512
f636093ad6810c0a066d0f76218b1aeb2b139379822b5a3e69f54b2d7c7f91ad404e56be34957fd75a4796bfcc39b25aea4a28c0048b11ddea63316b1d9c85fb

Download Submit
\Users\Admin\AppData\Local\Temp\Gl.exe

Filesize
282KB

MD5
45c5a25bb4add91fd4e8bc8a0c003977

SHA1
815d3cad4d6f0d39d17a3075c454c2089185afe9

SHA256
31c8b84f172d9977f6a204af31257f189bae5b9a7f3e425e57c504d410cd385d

SHA512
5e8c6c39a1c708042b647e04f3395e26ef846e377559778e59b64b7319308f5c32c50aca0d7634e57dd8f0cb20883265af30984516b630c757ffe4d5fd0fc058

Download Submit
\Users\Admin\AppData\Local\Temp\an.exe

Filesize
143KB

MD5
b30d8d55201cd988899c29bc01239085

SHA1
413ef22a404e433892bb0448f39e1d3594f3407e

SHA256
8a1279c890cbf622ed6f7fe3f087b4ce77c5acffeb60efaad44c57eba1c61794

SHA512
a7657a1afef81a81b2656f9da9890ed954185b8665d0e15e27f8331734055bcae54ad278254dd954acd1bbb6cc6e88fda86d7520fe3896da0e3a9d11958c4a2a

Download Submit
memory/1032-73-0x0000000000000000-mapping.dmp

Download
memory/1372-68-0x0000000000000000-mapping.dmp

Download
memory/1376-58-0x0000000000000000-mapping.dmp

Download
memory/1532-70-0x0000000000000000-mapping.dmp

Download
memory/1548-88-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1548-65-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000000000000-mapping.dmp

Download
memory/1712-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1844-89-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1844-86-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/1844-87-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1844-83-0x0000000000000000-mapping.dmp

Download
memory/1844-85-0x0000000000240000-0x0000000000254000-memory.dmp

Filesize
80KB

Download
memory/1940-62-0x0000000000000000-mapping.dmp

Download
memory/1964-82-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1964-80-0x0000000000340000-0x000000000039D000-memory.dmp

Filesize
372KB

Download
memory/1964-77-0x0000000000000000-mapping.dmp

Download