d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d

Analysis

max time kernel
152s
max time network
84s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 04:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe
Size

162KB
MD5

e239db2e771178fe56df55aa384b98b1
SHA1

58ab7582f9c184bb216ca5c3b9df5c908cdf712a
SHA256

d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d
SHA512

5ceb6bdf57fdc5ac7ba193db0fa17c5cad51cbfe811b03fe5ee6f033a034c58095b4a0f4025a36a5bf8755d9c133666f274af8211a6bf3e0a4b297f7767f86e9
SSDEEP

3072:+bH5phZFTumpRfkmULG5XriNvnFGx9scmY2vFn1/qM04ftfFVE57ne:+bZp1LrIGxriNv/cmdF1+4/V4e

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1112	ubmofan.exe
280	ubmofan.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
576	netsh.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1248-54-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-63-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000014bf0-70.dat	upx
behavioral1/files/0x0008000000014bf0-71.dat	upx
behavioral1/files/0x0008000000014bf0-73.dat	upx
behavioral1/memory/1112-78-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000014bf0-79.dat	upx
behavioral1/memory/1112-89-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0008000000014bf0-88.dat	upx

Deletes itself 1 IoCs

pid	Process
1624	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe
1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	ubmofan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3F62E0A4-2E54-F340-0FC3-46AC98787D92} = "C:\\Users\\Admin\\AppData\\Roaming\\Ifqei\\ubmofan.exe"	ubmofan.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1248 set thread context of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1112 set thread context of 280	1112	ubmofan.exe	32

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe
280	ubmofan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1248 wrote to memory of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1248 wrote to memory of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1248 wrote to memory of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1248 wrote to memory of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1248 wrote to memory of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1248 wrote to memory of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1248 wrote to memory of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1248 wrote to memory of 1736	1248	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	27
PID 1736 wrote to memory of 520	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	28
PID 1736 wrote to memory of 520	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	28
PID 1736 wrote to memory of 520	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	28
PID 1736 wrote to memory of 520	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	28
PID 1736 wrote to memory of 1112	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	30
PID 1736 wrote to memory of 1112	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	30
PID 1736 wrote to memory of 1112	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	30
PID 1736 wrote to memory of 1112	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	30
PID 520 wrote to memory of 576	520	cmd.exe	31
PID 520 wrote to memory of 576	520	cmd.exe	31
PID 520 wrote to memory of 576	520	cmd.exe	31
PID 520 wrote to memory of 576	520	cmd.exe	31
PID 1112 wrote to memory of 280	1112	ubmofan.exe	32
PID 1112 wrote to memory of 280	1112	ubmofan.exe	32
PID 1112 wrote to memory of 280	1112	ubmofan.exe	32
PID 1112 wrote to memory of 280	1112	ubmofan.exe	32
PID 1112 wrote to memory of 280	1112	ubmofan.exe	32
PID 1112 wrote to memory of 280	1112	ubmofan.exe	32
PID 1112 wrote to memory of 280	1112	ubmofan.exe	32
PID 1112 wrote to memory of 280	1112	ubmofan.exe	32
PID 1112 wrote to memory of 280	1112	ubmofan.exe	32
PID 1736 wrote to memory of 1624	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	33
PID 1736 wrote to memory of 1624	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	33
PID 1736 wrote to memory of 1624	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	33
PID 1736 wrote to memory of 1624	1736	d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe	33
PID 280 wrote to memory of 1132	280	ubmofan.exe	17
PID 280 wrote to memory of 1132	280	ubmofan.exe	17
PID 280 wrote to memory of 1132	280	ubmofan.exe	17
PID 280 wrote to memory of 1132	280	ubmofan.exe	17
PID 280 wrote to memory of 1132	280	ubmofan.exe	17
PID 280 wrote to memory of 1192	280	ubmofan.exe	15
PID 280 wrote to memory of 1192	280	ubmofan.exe	15
PID 280 wrote to memory of 1192	280	ubmofan.exe	15
PID 280 wrote to memory of 1192	280	ubmofan.exe	15
PID 280 wrote to memory of 1192	280	ubmofan.exe	15
PID 280 wrote to memory of 1252	280	ubmofan.exe	14
PID 280 wrote to memory of 1252	280	ubmofan.exe	14
PID 280 wrote to memory of 1252	280	ubmofan.exe	14
PID 280 wrote to memory of 1252	280	ubmofan.exe	14
PID 280 wrote to memory of 1252	280	ubmofan.exe	14
PID 280 wrote to memory of 1792	280	ubmofan.exe	35
PID 280 wrote to memory of 1792	280	ubmofan.exe	35
PID 280 wrote to memory of 1792	280	ubmofan.exe	35
PID 280 wrote to memory of 1792	280	ubmofan.exe	35
PID 280 wrote to memory of 1792	280	ubmofan.exe	35
PID 280 wrote to memory of 556	280	ubmofan.exe	36
PID 280 wrote to memory of 556	280	ubmofan.exe	36
PID 280 wrote to memory of 556	280	ubmofan.exe	36
PID 280 wrote to memory of 556	280	ubmofan.exe	36
PID 280 wrote to memory of 556	280	ubmofan.exe	36
PID 280 wrote to memory of 1304	280	ubmofan.exe	37
PID 280 wrote to memory of 1304	280	ubmofan.exe	37
PID 280 wrote to memory of 1304	280	ubmofan.exe	37
PID 280 wrote to memory of 1304	280	ubmofan.exe	37
PID 280 wrote to memory of 1304	280	ubmofan.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe
  "C:\Users\Admin\AppData\Local\Temp\d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1248
- - \??\c:\users\admin\appdata\local\temp\d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe
    "c:\users\admin\appdata\local\temp\d3df08818e95a85946430329a420f1fdeb76fe7d1ce774d283bb0b41dec0330d.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9eae962b.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Ifqei\ubmofan.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:576
  - - C:\Users\Admin\AppData\Roaming\Ifqei\ubmofan.exe
      "C:\Users\Admin\AppData\Roaming\Ifqei\ubmofan.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1112
    - - \??\c:\users\admin\appdata\roaming\ifqei\ubmofan.exe
        
        "c:\users\admin\appdata\roaming\ifqei\ubmofan.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:280
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfa0356de.bat"
      4⤵
      Deletes itself
      PID:1624

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1792

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9eae962b.bat

Filesize
202B

MD5
dbae24e036a2abd23291fa40d4947b54

SHA1
f82c6c2f5639e2885dca7605e3992f5ef0fb6aa7

SHA256
befb56727c03c5894731302b912e845de5d03f240ea31cb759f18771b07fcded

SHA512
641f5b6a291e7fe23d402440157854e2c89e7aeb3026a6fc9e5960a0260225ea9a5ea9716475d161f5511251b723b54c4fbdd922a79094c20cce4f4765dfd31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfa0356de.bat

Filesize
307B

MD5
8a6f1901b1f1c4c94f520b42437671ce

SHA1
4f249ba5ee693a450ecc355e07b792f97067c7ed

SHA256
caaca6cbb8326c4b738b7a8518c006f2201299d2bdea33f9603b322f30019d52

SHA512
a9d664625f6538121da072b7bc8cb717a2855d80f518bdbbfecccc51912a630053acf2e6d25c7c10b9b45c6289fd3458ca3da8ec27a8e149ff5662e9f4db4d0a

Download Submit
C:\Users\Admin\AppData\Roaming\Ifqei\ubmofan.exe

Filesize
162KB

MD5
3606f13eeacf02d26bf750bec0686033

SHA1
b5274260c143585d50cb0468fd5eae5fb2fc4b61

SHA256
12a507abb80e532391b653f51e6eb3336d6e3a153df39202beeb2eedc71dcd7e

SHA512
d49a779cb5b0a6f5829573fff7ce0689470f74a5951379fc48a7bcbc7ab393054cffb04873d83e928b19416d676928618f98e1c0b604099721dadeea10e1ee19

Download Submit
C:\Users\Admin\AppData\Roaming\Ifqei\ubmofan.exe

Filesize
162KB

MD5
3606f13eeacf02d26bf750bec0686033

SHA1
b5274260c143585d50cb0468fd5eae5fb2fc4b61

SHA256
12a507abb80e532391b653f51e6eb3336d6e3a153df39202beeb2eedc71dcd7e

SHA512
d49a779cb5b0a6f5829573fff7ce0689470f74a5951379fc48a7bcbc7ab393054cffb04873d83e928b19416d676928618f98e1c0b604099721dadeea10e1ee19

Download Submit
\??\c:\users\admin\appdata\roaming\ifqei\ubmofan.exe

Filesize
162KB

MD5
3606f13eeacf02d26bf750bec0686033

SHA1
b5274260c143585d50cb0468fd5eae5fb2fc4b61

SHA256
12a507abb80e532391b653f51e6eb3336d6e3a153df39202beeb2eedc71dcd7e

SHA512
d49a779cb5b0a6f5829573fff7ce0689470f74a5951379fc48a7bcbc7ab393054cffb04873d83e928b19416d676928618f98e1c0b604099721dadeea10e1ee19

Download Submit
\Users\Admin\AppData\Roaming\Ifqei\ubmofan.exe

Filesize
162KB

MD5
3606f13eeacf02d26bf750bec0686033

SHA1
b5274260c143585d50cb0468fd5eae5fb2fc4b61

SHA256
12a507abb80e532391b653f51e6eb3336d6e3a153df39202beeb2eedc71dcd7e

SHA512
d49a779cb5b0a6f5829573fff7ce0689470f74a5951379fc48a7bcbc7ab393054cffb04873d83e928b19416d676928618f98e1c0b604099721dadeea10e1ee19

Download Submit
\Users\Admin\AppData\Roaming\Ifqei\ubmofan.exe

Filesize
162KB

MD5
3606f13eeacf02d26bf750bec0686033

SHA1
b5274260c143585d50cb0468fd5eae5fb2fc4b61

SHA256
12a507abb80e532391b653f51e6eb3336d6e3a153df39202beeb2eedc71dcd7e

SHA512
d49a779cb5b0a6f5829573fff7ce0689470f74a5951379fc48a7bcbc7ab393054cffb04873d83e928b19416d676928618f98e1c0b604099721dadeea10e1ee19

Download Submit
memory/280-113-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/556-122-0x0000000000210000-0x0000000000238000-memory.dmp

Filesize
160KB

Download
memory/556-123-0x0000000000210000-0x0000000000238000-memory.dmp

Filesize
160KB

Download
memory/556-125-0x0000000000210000-0x0000000000238000-memory.dmp

Filesize
160KB

Download
memory/556-124-0x0000000000210000-0x0000000000238000-memory.dmp

Filesize
160KB

Download
memory/1112-78-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1112-89-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1132-96-0x0000000001C80000-0x0000000001CA8000-memory.dmp

Filesize
160KB

Download
memory/1132-99-0x0000000001C80000-0x0000000001CA8000-memory.dmp

Filesize
160KB

Download
memory/1132-98-0x0000000001C80000-0x0000000001CA8000-memory.dmp

Filesize
160KB

Download
memory/1132-97-0x0000000001C80000-0x0000000001CA8000-memory.dmp

Filesize
160KB

Download
memory/1192-102-0x0000000001AE0000-0x0000000001B08000-memory.dmp

Filesize
160KB

Download
memory/1192-104-0x0000000001AE0000-0x0000000001B08000-memory.dmp

Filesize
160KB

Download
memory/1192-103-0x0000000001AE0000-0x0000000001B08000-memory.dmp

Filesize
160KB

Download
memory/1192-105-0x0000000001AE0000-0x0000000001B08000-memory.dmp

Filesize
160KB

Download
memory/1248-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-65-0x00000000003A0000-0x00000000003AF000-memory.dmp

Filesize
60KB

Download
memory/1248-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1252-111-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1252-109-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1252-112-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1252-110-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1304-128-0x0000000000120000-0x0000000000148000-memory.dmp

Filesize
160KB

Download
memory/1304-131-0x0000000000120000-0x0000000000148000-memory.dmp

Filesize
160KB

Download
memory/1304-130-0x0000000000120000-0x0000000000148000-memory.dmp

Filesize
160KB

Download
memory/1304-129-0x0000000000120000-0x0000000000148000-memory.dmp

Filesize
160KB

Download
memory/1736-68-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-77-0x0000000000270000-0x000000000027F000-memory.dmp

Filesize
60KB

Download
memory/1736-66-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1736-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-58-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-93-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1792-119-0x0000000003A50000-0x0000000003A78000-memory.dmp

Filesize
160KB

Download
memory/1792-118-0x0000000003A50000-0x0000000003A78000-memory.dmp

Filesize
160KB

Download
memory/1792-117-0x0000000003A50000-0x0000000003A78000-memory.dmp

Filesize
160KB

Download
memory/1792-116-0x0000000003A50000-0x0000000003A78000-memory.dmp

Filesize
160KB

Download