950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 12:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
Size

443KB
MD5

99aaa620322553c50645b955e3bf576e
SHA1

5bc7ecee3a481667ef4862fe954540e000a938ea
SHA256

950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da
SHA512

7ff13d05f1e80094c6345ed16429740629ed5e1b777242d3207fe22f55136b0869ffcf2a35ba3e1f9836c3d731b5aff730f1249a96f1d65a7fb5288dfb34be1d
SSDEEP

6144:ve9FyLYuCHLxbalHn5WHBdFZdQ8la5rlnOvLkREe4iq8MXHmdmxX0aGVuj:vDLY5H9AEBPZdQCi8kRPceub0uj

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1988	hAoFkGb18700.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1488-55-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x000a0000000122c4-58.dat	upx
behavioral1/files/0x000a0000000122c4-59.dat	upx
behavioral1/files/0x000a0000000122c4-61.dat	upx
behavioral1/memory/1488-63-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1988-65-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x000a0000000122c4-66.dat	upx
behavioral1/memory/1988-67-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hAoFkGb18700 = "C:\\ProgramData\\hAoFkGb18700\\hAoFkGb18700.exe"	hAoFkGb18700.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	hAoFkGb18700.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
1988	hAoFkGb18700.exe
1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
Token: SeDebugPrivilege	1988	hAoFkGb18700.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1988	hAoFkGb18700.exe
1988	hAoFkGb18700.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1988	hAoFkGb18700.exe
1988	hAoFkGb18700.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1988	hAoFkGb18700.exe
1988	hAoFkGb18700.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1988	1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe	26
PID 1488 wrote to memory of 1988	1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe	26
PID 1488 wrote to memory of 1988	1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe	26
PID 1488 wrote to memory of 1988	1488	950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe	26

C:\Users\Admin\AppData\Local\Temp\950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe
"C:\Users\Admin\AppData\Local\Temp\950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\ProgramData\hAoFkGb18700\hAoFkGb18700.exe
  "C:\ProgramData\hAoFkGb18700\hAoFkGb18700.exe" "C:\Users\Admin\AppData\Local\Temp\950145b4c939091039ee8e1ba1eabab05c9b4bedd99b7c9d14a4e09d3e35d6da.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hAoFkGb18700\hAoFkGb18700.exe

Filesize
443KB

MD5
ec63b88f7b50de5dccdc2e661efae45d

SHA1
9a4edb44c35febf5483134b2f217968a3da637d1

SHA256
7f7e425c5256fafde7e4aee00990b46e4c1428d8da88f9af963f92a5c465414e

SHA512
2b0283e99d8a86143909e3e232f075d5041764bc38adbca88391702a8ad1dd8c976e7efd87e1278328184352a078fffba43a108da825538b9c59d8efbec826dc

Download Submit
C:\ProgramData\hAoFkGb18700\hAoFkGb18700.exe

Filesize
443KB

MD5
ec63b88f7b50de5dccdc2e661efae45d

SHA1
9a4edb44c35febf5483134b2f217968a3da637d1

SHA256
7f7e425c5256fafde7e4aee00990b46e4c1428d8da88f9af963f92a5c465414e

SHA512
2b0283e99d8a86143909e3e232f075d5041764bc38adbca88391702a8ad1dd8c976e7efd87e1278328184352a078fffba43a108da825538b9c59d8efbec826dc

Download Submit
\ProgramData\hAoFkGb18700\hAoFkGb18700.exe

Filesize
443KB

MD5
ec63b88f7b50de5dccdc2e661efae45d

SHA1
9a4edb44c35febf5483134b2f217968a3da637d1

SHA256
7f7e425c5256fafde7e4aee00990b46e4c1428d8da88f9af963f92a5c465414e

SHA512
2b0283e99d8a86143909e3e232f075d5041764bc38adbca88391702a8ad1dd8c976e7efd87e1278328184352a078fffba43a108da825538b9c59d8efbec826dc

Download Submit
\ProgramData\hAoFkGb18700\hAoFkGb18700.exe

Filesize
443KB

MD5
ec63b88f7b50de5dccdc2e661efae45d

SHA1
9a4edb44c35febf5483134b2f217968a3da637d1

SHA256
7f7e425c5256fafde7e4aee00990b46e4c1428d8da88f9af963f92a5c465414e

SHA512
2b0283e99d8a86143909e3e232f075d5041764bc38adbca88391702a8ad1dd8c976e7efd87e1278328184352a078fffba43a108da825538b9c59d8efbec826dc

Download Submit
memory/1488-57-0x00000000002D0000-0x000000000031F000-memory.dmp

Filesize
316KB

Download
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-56-0x0000000000230000-0x00000000002CE000-memory.dmp

Filesize
632KB

Download
memory/1488-63-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1488-64-0x0000000001E50000-0x0000000001F0A000-memory.dmp

Filesize
744KB

Download
memory/1488-55-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1988-65-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1988-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download