e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf

Analysis

max time kernel
151s
max time network
113s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe
Size

418KB
MD5

315e048922d5b312db0132b150f14125
SHA1

713c197806a129b1aa6c1ea31ab810606d88f212
SHA256

e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf
SHA512

0d8ca45eb98bac07ee97b0173364deaa9ff5d641454b291598eb3e4c1c5006082528b43d2cbead97eebbd319be770a93ec37dff8aaa1b40e83b111aedc5338a9
SSDEEP

12288:BO0WXtiqY690177CL6JMY2/QmFxECb9lw0:BAlY6ONCL0v2/pEy

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1868	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1060-58-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1060-62-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1868-64-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/680-67-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/1868-68-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
680	oNk09200kMjGe09200.exe

Loads dropped DLL 1 IoCs

pid	Process
1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oNk09200kMjGe09200 = "C:\\ProgramData\\oNk09200kMjGe09200\\oNk09200kMjGe09200.exe"	oNk09200kMjGe09200.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	oNk09200kMjGe09200.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe
1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe
1868	oNk09200kMjGe09200.exe
1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe
1868	oNk09200kMjGe09200.exe
1868	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
1868	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
1868	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
1868	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
1868	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
1868	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
1868	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe
Token: SeDebugPrivilege	1868	oNk09200kMjGe09200.exe
Token: SeDebugPrivilege	680	oNk09200kMjGe09200.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
680	oNk09200kMjGe09200.exe
680	oNk09200kMjGe09200.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1868	1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe	27
PID 1060 wrote to memory of 1868	1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe	27
PID 1060 wrote to memory of 1868	1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe	27
PID 1060 wrote to memory of 1868	1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe	27
PID 1060 wrote to memory of 680	1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe	29
PID 1060 wrote to memory of 680	1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe	29
PID 1060 wrote to memory of 680	1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe	29
PID 1060 wrote to memory of 680	1060	e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe	29

C:\Users\Admin\AppData\Local\Temp\e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe
"C:\Users\Admin\AppData\Local\Temp\e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\ProgramData\oNk09200kMjGe09200\oNk09200kMjGe09200.exe
  "C:\ProgramData\oNk09200kMjGe09200\oNk09200kMjGe09200.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\ProgramData\oNk09200kMjGe09200\oNk09200kMjGe09200.exe
  "C:\ProgramData\oNk09200kMjGe09200\oNk09200kMjGe09200.exe" "C:\Users\Admin\AppData\Local\Temp\e6f6b85bce8f054a9e44c5ef1393f98e94dc1289017dbe3a1288239fae1c7daf.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oNk09200kMjGe09200\oNk09200kMjGe09200

Filesize
192B

MD5
2f5868cf2c7f6e5269c2617bc20a6b76

SHA1
97764eb0d549bca4d39932e451fad61d36f40d4b

SHA256
1055d418c68606a04219b011a5aa62310147e5e48adb10aefa2502cd00c2cd98

SHA512
6326370b8c5edba33ebb6b8790fc90257118e442b49a2c2dbf7d2da8de40c3a208c4ca8bb45eaad7a65beefa519f90f46fc3065d7fe7ab21fecc5b58ef20d37d

Download Submit
C:\ProgramData\oNk09200kMjGe09200\oNk09200kMjGe09200.exe

Filesize
418KB

MD5
f5930c0502360e87a2d95d45a7350392

SHA1
5917b5f939fafce5b9284178c2adc282fe1a03b2

SHA256
2471a5230ca7ced58d1b52d3b7aa673b7af9a6665cbed47cac8ab3560e9d1820

SHA512
6ad1e61199d7c33f6a91cf133b6437e61302cd022b8f47211a48585cf9d00a9a72b70574eac51961439b7f979146fa10c9a5c9bb6ea8d75619ab621a49032291

Download Submit
C:\ProgramData\oNk09200kMjGe09200\oNk09200kMjGe09200.exe

Filesize
418KB

MD5
f5930c0502360e87a2d95d45a7350392

SHA1
5917b5f939fafce5b9284178c2adc282fe1a03b2

SHA256
2471a5230ca7ced58d1b52d3b7aa673b7af9a6665cbed47cac8ab3560e9d1820

SHA512
6ad1e61199d7c33f6a91cf133b6437e61302cd022b8f47211a48585cf9d00a9a72b70574eac51961439b7f979146fa10c9a5c9bb6ea8d75619ab621a49032291

Download Submit
C:\ProgramData\oNk09200kMjGe09200\oNk09200kMjGe09200.exe

Filesize
418KB

MD5
f5930c0502360e87a2d95d45a7350392

SHA1
5917b5f939fafce5b9284178c2adc282fe1a03b2

SHA256
2471a5230ca7ced58d1b52d3b7aa673b7af9a6665cbed47cac8ab3560e9d1820

SHA512
6ad1e61199d7c33f6a91cf133b6437e61302cd022b8f47211a48585cf9d00a9a72b70574eac51961439b7f979146fa10c9a5c9bb6ea8d75619ab621a49032291

Download Submit
\ProgramData\oNk09200kMjGe09200\oNk09200kMjGe09200.exe

Filesize
418KB

MD5
f5930c0502360e87a2d95d45a7350392

SHA1
5917b5f939fafce5b9284178c2adc282fe1a03b2

SHA256
2471a5230ca7ced58d1b52d3b7aa673b7af9a6665cbed47cac8ab3560e9d1820

SHA512
6ad1e61199d7c33f6a91cf133b6437e61302cd022b8f47211a48585cf9d00a9a72b70574eac51961439b7f979146fa10c9a5c9bb6ea8d75619ab621a49032291

Download Submit
memory/680-67-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1060-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1060-62-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1060-58-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1868-64-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1868-68-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download