f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f

Analysis

max time kernel
202s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 10:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
Size

250KB
MD5

4af604b1ed49f24ada9acdd4250b6b27
SHA1

dec5ffcebce5861e8253c95372d6fec16cd7507d
SHA256

f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f
SHA512

932c9b15bb63f22e0b13247e3827dd47cc0c8070ad6899607eb6053c901dfc4e3f7e486357a2213c7e9c4c42454ce3a6ccffe14fce5741dc9a965ee4b7853ccb
SSDEEP

3072:mg8j0Z4bGJv4EMi9T5/HrCDgdgkaumvtLjw5qMGZVUNKKzVEWNj/:kVKJ1J9NxgAUVUxbN7

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H48YN2ML-M036-S5X3-I157-A4W5H03I7VD6}	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H48YN2ML-M036-S5X3-I157-A4W5H03I7VD6}\StubPath = "C:\\Windows\\system32\\1\\1.exe Restart"	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1396-55-0x0000000010410000-0x0000000010443000-memory.dmp	upx
behavioral1/memory/1396-59-0x0000000000260000-0x000000000026D000-memory.dmp	upx
behavioral1/memory/1396-62-0x0000000000400000-0x0000000000499000-memory.dmp	upx
behavioral1/memory/1396-64-0x0000000000270000-0x000000000027D000-memory.dmp	upx
behavioral1/memory/1396-68-0x0000000010450000-0x000000001045D000-memory.dmp	upx
behavioral1/memory/1396-74-0x0000000010460000-0x000000001046D000-memory.dmp	upx
behavioral1/memory/1396-80-0x0000000010470000-0x000000001047D000-memory.dmp	upx
behavioral1/memory/1396-86-0x0000000010480000-0x000000001048D000-memory.dmp	upx
behavioral1/memory/1396-92-0x0000000010490000-0x000000001049D000-memory.dmp	upx
behavioral1/memory/1396-98-0x00000000104A0000-0x00000000104AD000-memory.dmp	upx
behavioral1/memory/1396-104-0x00000000104B0000-0x00000000104BD000-memory.dmp	upx
behavioral1/memory/1396-110-0x00000000104C0000-0x00000000104CD000-memory.dmp	upx
behavioral1/memory/1396-116-0x00000000104D0000-0x00000000104DD000-memory.dmp	upx
behavioral1/memory/1396-122-0x00000000104E0000-0x00000000104ED000-memory.dmp	upx
behavioral1/memory/1396-128-0x00000000104F0000-0x00000000104FD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\4 = "C:\\Windows\\system32\\1\\1.exe"	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\1\\1.exe"	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\1\1.exe	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
File opened for modification	C:\Windows\SysWOW64\1\1.exe	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
Token: SeDebugPrivilege	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
Token: SeDebugPrivilege	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
Token: SeDebugPrivilege	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28
PID 1396 wrote to memory of 1256	1396	f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe	28

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1124
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1620
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1080
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1032
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:240
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:864
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:840
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:792
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:740
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1980

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe
"C:\Users\Admin\AppData\Local\Temp\f1bcf16b9a0c534404b22f83a49776724688f212e1f643ce90f1aecc33f96c3f.exe"
1⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/260-71-0x0000000010450000-0x000000001045D000-memory.dmp

Filesize
52KB

Download
memory/1396-86-0x0000000010480000-0x000000001048D000-memory.dmp

Filesize
52KB

Download
memory/1396-104-0x00000000104B0000-0x00000000104BD000-memory.dmp

Filesize
52KB

Download
memory/1396-64-0x0000000000270000-0x000000000027D000-memory.dmp

Filesize
52KB

Download
memory/1396-68-0x0000000010450000-0x000000001045D000-memory.dmp

Filesize
52KB

Download
memory/1396-59-0x0000000000260000-0x000000000026D000-memory.dmp

Filesize
52KB

Download
memory/1396-74-0x0000000010460000-0x000000001046D000-memory.dmp

Filesize
52KB

Download
memory/1396-62-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1396-92-0x0000000010490000-0x000000001049D000-memory.dmp

Filesize
52KB

Download
memory/1396-80-0x0000000010470000-0x000000001047D000-memory.dmp

Filesize
52KB

Download
memory/1396-98-0x00000000104A0000-0x00000000104AD000-memory.dmp

Filesize
52KB

Download
memory/1396-55-0x0000000010410000-0x0000000010443000-memory.dmp

Filesize
204KB

Download
memory/1396-110-0x00000000104C0000-0x00000000104CD000-memory.dmp

Filesize
52KB

Download
memory/1396-116-0x00000000104D0000-0x00000000104DD000-memory.dmp

Filesize
52KB

Download
memory/1396-122-0x00000000104E0000-0x00000000104ED000-memory.dmp

Filesize
52KB

Download
memory/1396-128-0x00000000104F0000-0x00000000104FD000-memory.dmp

Filesize
52KB

Download