9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3

Analysis

max time kernel
257s
max time network
339s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
Size

372KB
MD5

e7aa39a72a30fa7e050a3b1eda9d0673
SHA1

0b3c8a03c5583f537cf7efa98786eb0abf6a15e4
SHA256

9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3
SHA512

10c1f2478dcd98c55ee1cf0ba833d9b67113c5120b6e8d30da776d804b2d77d79ef632f538f88a3bd90e08ca72e51e979c305b8e21285d7d0823a84793f5c49e
SSDEEP

6144:jvCYy9p/Ra60sL61FXAV6QaysoxnBeuv0NnYTLSsC20ehOghQWDBXmkMbo3t:jvcR6f1NAVPaOvIYHSsRvOO3DskMk3

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
992	nL01605FdFdB01605.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/520-56-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/992-62-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral1/memory/992-63-0x0000000000400000-0x00000000004C3000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nL01605FdFdB01605 = "C:\\ProgramData\\nL01605FdFdB01605\\nL01605FdFdB01605.exe"	nL01605FdFdB01605.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
Token: SeDebugPrivilege	992	nL01605FdFdB01605.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 992	520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe	28
PID 520 wrote to memory of 992	520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe	28
PID 520 wrote to memory of 992	520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe	28
PID 520 wrote to memory of 992	520	9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe	28

C:\Users\Admin\AppData\Local\Temp\9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe
"C:\Users\Admin\AppData\Local\Temp\9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
- C:\ProgramData\nL01605FdFdB01605\nL01605FdFdB01605.exe
  "C:\ProgramData\nL01605FdFdB01605\nL01605FdFdB01605.exe" "C:\Users\Admin\AppData\Local\Temp\9b5a910c4cc78d92249f2e6b5d3b7273013da77a46b8e66d001370e0d6b72ad3.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nL01605FdFdB01605\nL01605FdFdB01605.exe

Filesize
372KB

MD5
06e3a0c65a98731c5e505823dfc80774

SHA1
db0d4c08f7bea6811ba9321e0ac91b14f56f5b79

SHA256
7fab4ec9a84457622fbfa45528d028e9d63008df38bf2543e6527708fa1f6f7c

SHA512
500c308d9b99b3ce2c86c8ca3aeca8d82d14e9069217397e37d201d6256dfce8e8320ed7df33cea96dcf1c3555fef4ed13d83b93cbd3e09267aea2b3f7e22261

Download Submit
C:\ProgramData\nL01605FdFdB01605\nL01605FdFdB01605.exe

Filesize
372KB

MD5
06e3a0c65a98731c5e505823dfc80774

SHA1
db0d4c08f7bea6811ba9321e0ac91b14f56f5b79

SHA256
7fab4ec9a84457622fbfa45528d028e9d63008df38bf2543e6527708fa1f6f7c

SHA512
500c308d9b99b3ce2c86c8ca3aeca8d82d14e9069217397e37d201d6256dfce8e8320ed7df33cea96dcf1c3555fef4ed13d83b93cbd3e09267aea2b3f7e22261

Download Submit
\ProgramData\nL01605FdFdB01605\nL01605FdFdB01605.exe

Filesize
372KB

MD5
06e3a0c65a98731c5e505823dfc80774

SHA1
db0d4c08f7bea6811ba9321e0ac91b14f56f5b79

SHA256
7fab4ec9a84457622fbfa45528d028e9d63008df38bf2543e6527708fa1f6f7c

SHA512
500c308d9b99b3ce2c86c8ca3aeca8d82d14e9069217397e37d201d6256dfce8e8320ed7df33cea96dcf1c3555fef4ed13d83b93cbd3e09267aea2b3f7e22261

Download Submit
\ProgramData\nL01605FdFdB01605\nL01605FdFdB01605.exe

Filesize
372KB

MD5
06e3a0c65a98731c5e505823dfc80774

SHA1
db0d4c08f7bea6811ba9321e0ac91b14f56f5b79

SHA256
7fab4ec9a84457622fbfa45528d028e9d63008df38bf2543e6527708fa1f6f7c

SHA512
500c308d9b99b3ce2c86c8ca3aeca8d82d14e9069217397e37d201d6256dfce8e8320ed7df33cea96dcf1c3555fef4ed13d83b93cbd3e09267aea2b3f7e22261

Download Submit
memory/520-54-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/520-55-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/520-56-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/992-59-0x0000000000000000-mapping.dmp

Download
memory/992-62-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/992-63-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download