1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe
Size

444KB
MD5

da8a268585901b0de3c7bf326fed1755
SHA1

8b60ca89d8c4b7cacae3ccb40542115883d4dc59
SHA256

1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8
SHA512

2db1f8987c81c70f80c5dcab86f2d4b3dbc5d89fa1c1e14320bb8e07537255d56876944289499c30171e27e1e85c5d4a3b73aebef032ef02fc83e454265e7549
SSDEEP

12288:JHICZ9iSCnm8B/Hw9pVKGCs64DVdZ3+8qFXTjp:JoC7ijwFKlVadZ3+8qNp

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1573549286 = "C:\\PROGRA~3\\mscpnu.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe

Blocklisted process makes network request 11 IoCs

flow	pid	Process
2	1716	msiexec.exe
3	1716	msiexec.exe
4	1716	msiexec.exe
5	1716	msiexec.exe
6	1716	msiexec.exe
7	1716	msiexec.exe
8	1716	msiexec.exe
9	1716	msiexec.exe
10	1716	msiexec.exe
11	1716	msiexec.exe
12	1716	msiexec.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
1700	sf.exe
1932	ab.exe

Loads dropped DLL 2 IoCs

pid	Process
928	cmd.exe
1580	WScript.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\mscpnu.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1932	ab.exe
1716	msiexec.exe
1716	msiexec.exe
1152	cmd.exe

Suspicious behavior: MapViewOfSection 27 IoCs

pid	Process
1932	ab.exe
1932	ab.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe
1716	msiexec.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	ab.exe
Token: SeBackupPrivilege	1932	ab.exe
Token: SeRestorePrivilege	1932	ab.exe
Token: SeDebugPrivilege	1716	msiexec.exe
Token: SeBackupPrivilege	1716	msiexec.exe
Token: SeRestorePrivilege	1716	msiexec.exe
Token: SeDebugPrivilege	1152	cmd.exe
Token: SeBackupPrivilege	1152	cmd.exe
Token: SeRestorePrivilege	1152	cmd.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
696	AcroRd32.exe
696	AcroRd32.exe
696	AcroRd32.exe
696	AcroRd32.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1436	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	28
PID 1956 wrote to memory of 1436	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	28
PID 1956 wrote to memory of 1436	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	28
PID 1956 wrote to memory of 1436	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	28
PID 1956 wrote to memory of 1436	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	28
PID 1956 wrote to memory of 1436	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	28
PID 1956 wrote to memory of 1436	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	28
PID 1956 wrote to memory of 864	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	30
PID 1956 wrote to memory of 864	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	30
PID 1956 wrote to memory of 864	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	30
PID 1956 wrote to memory of 864	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	30
PID 1956 wrote to memory of 864	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	30
PID 1956 wrote to memory of 864	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	30
PID 1956 wrote to memory of 864	1956	1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe	30
PID 864 wrote to memory of 928	864	WScript.exe	31
PID 864 wrote to memory of 928	864	WScript.exe	31
PID 864 wrote to memory of 928	864	WScript.exe	31
PID 864 wrote to memory of 928	864	WScript.exe	31
PID 864 wrote to memory of 928	864	WScript.exe	31
PID 864 wrote to memory of 928	864	WScript.exe	31
PID 864 wrote to memory of 928	864	WScript.exe	31
PID 864 wrote to memory of 1152	864	WScript.exe	33
PID 864 wrote to memory of 1152	864	WScript.exe	33
PID 864 wrote to memory of 1152	864	WScript.exe	33
PID 864 wrote to memory of 1152	864	WScript.exe	33
PID 864 wrote to memory of 1152	864	WScript.exe	33
PID 864 wrote to memory of 1152	864	WScript.exe	33
PID 864 wrote to memory of 1152	864	WScript.exe	33
PID 928 wrote to memory of 1700	928	cmd.exe	35
PID 928 wrote to memory of 1700	928	cmd.exe	35
PID 928 wrote to memory of 1700	928	cmd.exe	35
PID 928 wrote to memory of 1700	928	cmd.exe	35
PID 928 wrote to memory of 1700	928	cmd.exe	35
PID 928 wrote to memory of 1700	928	cmd.exe	35
PID 928 wrote to memory of 1700	928	cmd.exe	35
PID 1152 wrote to memory of 696	1152	cmd.exe	36
PID 1152 wrote to memory of 696	1152	cmd.exe	36
PID 1152 wrote to memory of 696	1152	cmd.exe	36
PID 1152 wrote to memory of 696	1152	cmd.exe	36
PID 1152 wrote to memory of 696	1152	cmd.exe	36
PID 1152 wrote to memory of 696	1152	cmd.exe	36
PID 1152 wrote to memory of 696	1152	cmd.exe	36
PID 1700 wrote to memory of 1580	1700	sf.exe	37
PID 1700 wrote to memory of 1580	1700	sf.exe	37
PID 1700 wrote to memory of 1580	1700	sf.exe	37
PID 1700 wrote to memory of 1580	1700	sf.exe	37
PID 1700 wrote to memory of 1580	1700	sf.exe	37
PID 1700 wrote to memory of 1580	1700	sf.exe	37
PID 1700 wrote to memory of 1580	1700	sf.exe	37
PID 1580 wrote to memory of 1932	1580	WScript.exe	38
PID 1580 wrote to memory of 1932	1580	WScript.exe	38
PID 1580 wrote to memory of 1932	1580	WScript.exe	38
PID 1580 wrote to memory of 1932	1580	WScript.exe	38
PID 1580 wrote to memory of 1932	1580	WScript.exe	38
PID 1580 wrote to memory of 1932	1580	WScript.exe	38
PID 1580 wrote to memory of 1932	1580	WScript.exe	38
PID 1932 wrote to memory of 1716	1932	ab.exe	39
PID 1932 wrote to memory of 1716	1932	ab.exe	39
PID 1932 wrote to memory of 1716	1932	ab.exe	39
PID 1932 wrote to memory of 1716	1932	ab.exe	39
PID 1932 wrote to memory of 1716	1932	ab.exe	39
PID 1932 wrote to memory of 1716	1932	ab.exe	39
PID 1932 wrote to memory of 1716	1932	ab.exe	39

C:\Users\Admin\AppData\Local\Temp\1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe
"C:\Users\Admin\AppData\Local\Temp\1b44a419ba9e440bc3ccd4c38e03db816cd74f74ef9ef4777ab3acee01e7c9c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\WINDOWS\SysWOW64\cmd.exe
  "C:\WINDOWS\system32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\outside.gif outside.js
  2⤵
  PID:1436
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\outside.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\sf.exe -pGlue -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\sf.exe
      C:\Users\Admin\AppData\Local\Temp\sf.exe -pGlue -dC:\Users\Admin\AppData\Local\Temp
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\inside.js"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\ab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ab.exe" -dC:\Users\Admin\AppData\Local\Temp
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\msiexec.exe
        
        C:\Windows\SysWOW64\msiexec.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Adds policy Run key to start application
        Blocklisted process makes network request
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Shipping_Invoice.pdf -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping_Invoice.pdf"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Shipping_Invoice.pdf

Filesize
9KB

MD5
998acb522b47bbfe95f9954d17aa9918

SHA1
e351952afc397d6e127784fe692cf4259e1c6189

SHA256
409e472b667ae747942e10d4dc691796c3b2eb00a0e407146e69b2f8205de40c

SHA512
be047cc246765384f0a484759849d75ac32edbfcd6d5f4a7b96e9a63f2afedd5ff5386db038885455f1736c450b57b9c2e9b9242b740c3560677a35432a3f760

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab.exe

Filesize
139KB

MD5
d7a7d31b679ef0b85847cc6001cd024f

SHA1
2a648ebc0a3acb54aa2a4a109936c3e84fc6cd39

SHA256
39af3f7f7a5f8cd5671fb83e122236070248361b284defa6476d5751f697ff66

SHA512
12d56566114d299ba3f38eebf0ffca1ce7c6ab5d12352dc23f89ae516194379992f098e7b2a5d53fc0c93fab17b512449894f82678c4391b4285cb1896c59741

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab.exe

Filesize
139KB

MD5
d7a7d31b679ef0b85847cc6001cd024f

SHA1
2a648ebc0a3acb54aa2a4a109936c3e84fc6cd39

SHA256
39af3f7f7a5f8cd5671fb83e122236070248361b284defa6476d5751f697ff66

SHA512
12d56566114d299ba3f38eebf0ffca1ce7c6ab5d12352dc23f89ae516194379992f098e7b2a5d53fc0c93fab17b512449894f82678c4391b4285cb1896c59741

Download Submit
C:\Users\Admin\AppData\Local\Temp\inside.js

Filesize
81B

MD5
60eb46dd81c28a274d8f2aef1bc557fa

SHA1
902d992c6b245a70a84632608122e976d561c09d

SHA256
df58a069bd5d2b98275dd124dc72de12ff5fccfb86eeb698c7a63ae9875da026

SHA512
1ded12c5aca377c289d412c6f8ed6903dbaaf5de3413b94cb8b57eef7913d84a3d115426267fa5e48e5277b902f67840a9362283d1cc6e8cb87648c2a8c20633

Download Submit
C:\Users\Admin\AppData\Local\Temp\outside.gif

Filesize
972B

MD5
0ee537f176cfd99964a85186db06d302

SHA1
77aa74fb3a14b56fe35964f4042f8d39dccf1684

SHA256
d7714fab24c3c172b2c3e9a0a6fd155deb4911c041528f4c0289b601f06a559f

SHA512
dbd7a68b30202301f6958f0c4927b010148a1877bbc02961dde8a65154ff9bfce421e375e859f6524b4b834af716e02271b221d58f5036f172c3529c5723c38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf.exe

Filesize
277KB

MD5
8716ac6ce445a226080763da7df57f00

SHA1
5e29e26b90b409041770236205f521e8722aa0df

SHA256
12850970a3b394cc59e88e4cb2a5ebf2319d4d5c27312ec7cd9d50188d83cd6c

SHA512
558e13f998da96164fa8fabee5e596dfb89b2492ff64b27d6ea873ff9eb6ac00cd1a33bfee55720351a20d6b26c65613474e2ff1c555faec8bec4447d4c0d354

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf.exe

Filesize
277KB

MD5
8716ac6ce445a226080763da7df57f00

SHA1
5e29e26b90b409041770236205f521e8722aa0df

SHA256
12850970a3b394cc59e88e4cb2a5ebf2319d4d5c27312ec7cd9d50188d83cd6c

SHA512
558e13f998da96164fa8fabee5e596dfb89b2492ff64b27d6ea873ff9eb6ac00cd1a33bfee55720351a20d6b26c65613474e2ff1c555faec8bec4447d4c0d354

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf.png

Filesize
277KB

MD5
c04a4315c0ba40acaee4c345304b9278

SHA1
edbe6baa536fdf0b1946df6d88e4004c8d32eb2b

SHA256
c017fea199a5182078c98d716697a31d90c80f13df8b610ef36fa1feff4051c7

SHA512
23c2b53feeaca042b2f3ac47d9dba820e4c57bad1f4c008087cd5937565a50cabb42ec08414bfb8a31897c4e93f6164dee02840289efbfd2ed4e78bb91b69271

Download Submit
\Users\Admin\AppData\Local\Temp\ab.exe

Filesize
139KB

MD5
d7a7d31b679ef0b85847cc6001cd024f

SHA1
2a648ebc0a3acb54aa2a4a109936c3e84fc6cd39

SHA256
39af3f7f7a5f8cd5671fb83e122236070248361b284defa6476d5751f697ff66

SHA512
12d56566114d299ba3f38eebf0ffca1ce7c6ab5d12352dc23f89ae516194379992f098e7b2a5d53fc0c93fab17b512449894f82678c4391b4285cb1896c59741

Download Submit
\Users\Admin\AppData\Local\Temp\sf.exe

Filesize
277KB

MD5
8716ac6ce445a226080763da7df57f00

SHA1
5e29e26b90b409041770236205f521e8722aa0df

SHA256
12850970a3b394cc59e88e4cb2a5ebf2319d4d5c27312ec7cd9d50188d83cd6c

SHA512
558e13f998da96164fa8fabee5e596dfb89b2492ff64b27d6ea873ff9eb6ac00cd1a33bfee55720351a20d6b26c65613474e2ff1c555faec8bec4447d4c0d354

Download Submit
memory/696-70-0x0000000000000000-mapping.dmp

Download
memory/864-58-0x0000000000000000-mapping.dmp

Download
memory/928-61-0x0000000000000000-mapping.dmp

Download
memory/1152-90-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1152-62-0x0000000000000000-mapping.dmp

Download
memory/1436-55-0x0000000000000000-mapping.dmp

Download
memory/1580-72-0x0000000000000000-mapping.dmp

Download
memory/1700-67-0x0000000000000000-mapping.dmp

Download
memory/1716-83-0x0000000000000000-mapping.dmp

Download
memory/1716-87-0x00000000008D0000-0x00000000008E4000-memory.dmp

Filesize
80KB

Download
memory/1716-88-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/1716-89-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1932-81-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1932-80-0x0000000002030000-0x00000000020C5000-memory.dmp

Filesize
596KB

Download
memory/1932-77-0x0000000000000000-mapping.dmp

Download
memory/1932-85-0x0000000002030000-0x00000000020C5000-memory.dmp

Filesize
596KB

Download
memory/1932-86-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1956-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download