1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b

Analysis

max time kernel
104s
max time network
197s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
Size

939KB
MD5

3f87c5fe1471cd8fca27923c3e28fba0
SHA1

a6eb75d64f1cc7fca6c9e541ca815b44796394ea
SHA256

1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b
SHA512

df1e508611a278d05f627a254d5e94a8d43f96934694b934d673a031c2e7f993a3cbc9d0956007d66ec255590b6a012f725fe16840b1faf1184269c832b6fb25
SSDEEP

24576:113aQvCBCUWjbUnvEG7YSvsrdkS1s1msZhxTT40qeKK:H3aQ6MUWscaYSUSS1s1mihxTTvq+

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6YY5FVND-LA48-R77O-H0W4-VT1438Q564C5}	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6YY5FVND-LA48-R77O-H0W4-VT1438Q564C5}\StubPath = "C:\\Windows\\system32\\svchost\\server.exe Restart"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6YY5FVND-LA48-R77O-H0W4-VT1438Q564C5}	iexplore.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/560-72-0x0000000010410000-0x00000000104D4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rg+g4+rg4eg4eg4r4h44he4h+564he4h = "C:\\Windows\\system32\\svchost\\server.exe"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ge54g564g5454h54h5+4ht5r4h54th54h = "C:\\Windows\\system32\\svchost\\server.exe"	iexplore.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost\plugin.dat	iexplore.exe
File created	C:\Windows\SysWOW64\svchost\logs.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\svchost\logs.dat	iexplore.exe
File created	C:\Windows\SysWOW64\svchost\plugin.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\svchost\	iexplore.exe
File created	C:\Windows\SysWOW64\svchost\server.exe	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\svchost\server.exe	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 296 set thread context of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
560	cvtres.exe
560	cvtres.exe
560	cvtres.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
Token: SeDebugPrivilege	560	cvtres.exe
Token: SeDebugPrivilege	560	cvtres.exe
Token: SeDebugPrivilege	560	cvtres.exe
Token: SeDebugPrivilege	560	cvtres.exe
Token: SeDebugPrivilege	1636	iexplore.exe
Token: SeDebugPrivilege	1636	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 296 wrote to memory of 560	296	1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe	28
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29
PID 560 wrote to memory of 1636	560	cvtres.exe	29

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:108
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1092
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:744
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1120
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1040
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:300
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:856
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:832
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:788
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:732
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:656
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:580

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1984

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1932

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe
  "C:\Users\Admin\AppData\Local\Temp\1a4356ba0f341550c45b648ff35c9f9a27dfeb5c8e5afb3713741eee75a17c3b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:1636

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-96-0x00000000104E0000-0x00000000104EA000-memory.dmp

Filesize
40KB

Download
memory/296-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/296-57-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/296-69-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/560-68-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-72-0x0000000010410000-0x00000000104D4000-memory.dmp

Filesize
784KB

Download
memory/560-62-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-61-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-56-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-65-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-67-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-59-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-60-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-70-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-63-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-76-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/560-83-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/560-90-0x00000000104E0000-0x00000000104EA000-memory.dmp

Filesize
40KB

Download
memory/560-55-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-99-0x00000000104F0000-0x00000000104FA000-memory.dmp

Filesize
40KB

Download
memory/560-108-0x0000000010500000-0x000000001050A000-memory.dmp

Filesize
40KB

Download
memory/560-117-0x0000000010510000-0x000000001051A000-memory.dmp

Filesize
40KB

Download
memory/560-126-0x0000000010520000-0x000000001052A000-memory.dmp

Filesize
40KB

Download
memory/560-170-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/560-313-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download