699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 12:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe
Size

384KB
MD5

b335745444ebb023c61739baa2f6322b
SHA1

cbdf6d1ac744697474ab369b5f93299ea86fbf63
SHA256

699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb
SHA512

6fef37e53f930a7fab54650283441606e7cae7a6238aec6ae4851590aaa153b8da5c32679d9eb656c437a0ba17504d51b2a4d3b7f32ba67d813f2a80341ba138
SSDEEP

6144:r5z+rkyshR/Nv5kHt9L66abeEqKtvE8yxpMkTHrr30SfHF:r5Ukh1v5kTLNabD7q8yxNTHP30Sfl

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	gL28321NgKjO28321.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4284-135-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/2772-136-0x0000000000400000-0x00000000004EE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gL28321NgKjO28321 = "C:\\ProgramData\\gL28321NgKjO28321\\gL28321NgKjO28321.exe"	gL28321NgKjO28321.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
632	4284	WerFault.exe	80
1812	2772	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe
4284	699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe
4284	699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe
4284	699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe
Token: SeDebugPrivilege	2772	gL28321NgKjO28321.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2772	gL28321NgKjO28321.exe
2772	gL28321NgKjO28321.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2772	4284	699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe	83
PID 4284 wrote to memory of 2772	4284	699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe	83
PID 4284 wrote to memory of 2772	4284	699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe	83

C:\Users\Admin\AppData\Local\Temp\699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe
"C:\Users\Admin\AppData\Local\Temp\699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 668
  2⤵
  - Program crash
  PID:632
- C:\ProgramData\gL28321NgKjO28321\gL28321NgKjO28321.exe
  "C:\ProgramData\gL28321NgKjO28321\gL28321NgKjO28321.exe" "C:\Users\Admin\AppData\Local\Temp\699e1e324c554e1eb28a3075b6a2994baf7cae1f31072f87d458af7f927cdbbb.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 668
    3⤵
    - Program crash
    PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4284 -ip 4284
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2772 -ip 2772
1⤵
PID:3332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gL28321NgKjO28321\gL28321NgKjO28321.exe

Filesize
384KB

MD5
68cf210cde95ec2ea0c22d836a8e602f

SHA1
cc9fab56900cb0d63ac5919ed41353055f06ca84

SHA256
aece8671a5f0c018605c2e0e62346543d7e7876ce0a5630e9f54bcfb25bcaa6c

SHA512
12468ae0a724287f0ab10aee6a90721f18c8657cfcb111a87a7c16ffbfdcbe8b818e423867e78bfa95a3f0c64c8d18e79236d6a0f9580399d6260be7c1b87123

Download Submit
C:\ProgramData\gL28321NgKjO28321\gL28321NgKjO28321.exe

Filesize
384KB

MD5
68cf210cde95ec2ea0c22d836a8e602f

SHA1
cc9fab56900cb0d63ac5919ed41353055f06ca84

SHA256
aece8671a5f0c018605c2e0e62346543d7e7876ce0a5630e9f54bcfb25bcaa6c

SHA512
12468ae0a724287f0ab10aee6a90721f18c8657cfcb111a87a7c16ffbfdcbe8b818e423867e78bfa95a3f0c64c8d18e79236d6a0f9580399d6260be7c1b87123

Download Submit
memory/2772-136-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4284-135-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download