d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

Analysis

max time kernel
142s
max time network
178s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
Size

35KB
MD5

93b4aece31920c0bf354ca949bb6a203
SHA1

2e345c3c19059b71c742def9ec1a11efcf358355
SHA256

d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39
SHA512

c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42
SSDEEP

768:QKaLbwvm1JlIFNAHRTvxcOHijo2U9pDoj0Wt:QKW5HtDc7jo9n20

Score

8^/10

persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\5rvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1tky.exe"	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe

Executes dropped EXE 2 IoCs

pid	Process
1188	1tky.exe
1600	1tky.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1692-57-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x000a000000012303-63.dat	upx
behavioral1/files/0x000a000000012303-64.dat	upx
behavioral1/files/0x000a000000012303-66.dat	upx
behavioral1/memory/1692-73-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x000a000000012303-75.dat	upx
behavioral1/files/0x000a000000012303-82.dat	upx
behavioral1/files/0x000a000000012303-80.dat	upx
behavioral1/memory/1188-90-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1600-89-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1188-88-0x0000000005380000-0x00000000053A2000-memory.dmp	upx
behavioral1/memory/1600-98-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
824	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
1188	1tky.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1516	sc.exe
1452	sc.exe
344	sc.exe
1068	sc.exe
1888	sc.exe
436	sc.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	1tky.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	1tky.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
1188	1tky.exe
1188	1tky.exe
1188	1tky.exe
1600	1tky.exe
1600	1tky.exe
1600	1tky.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1720	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	29
PID 1692 wrote to memory of 1720	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	29
PID 1692 wrote to memory of 1720	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	29
PID 1692 wrote to memory of 1720	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	29
PID 1692 wrote to memory of 1888	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	30
PID 1692 wrote to memory of 1888	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	30
PID 1692 wrote to memory of 1888	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	30
PID 1692 wrote to memory of 1888	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	30
PID 1692 wrote to memory of 620	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	32
PID 1692 wrote to memory of 620	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	32
PID 1692 wrote to memory of 620	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	32
PID 1692 wrote to memory of 620	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	32
PID 1692 wrote to memory of 436	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	34
PID 1692 wrote to memory of 436	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	34
PID 1692 wrote to memory of 436	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	34
PID 1692 wrote to memory of 436	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	34
PID 1692 wrote to memory of 1188	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	37
PID 1692 wrote to memory of 1188	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	37
PID 1692 wrote to memory of 1188	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	37
PID 1692 wrote to memory of 1188	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	37
PID 1692 wrote to memory of 824	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	38
PID 1692 wrote to memory of 824	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	38
PID 1692 wrote to memory of 824	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	38
PID 1692 wrote to memory of 824	1692	d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe	38
PID 620 wrote to memory of 2040	620	net.exe	39
PID 620 wrote to memory of 2040	620	net.exe	39
PID 620 wrote to memory of 2040	620	net.exe	39
PID 620 wrote to memory of 2040	620	net.exe	39
PID 1720 wrote to memory of 1052	1720	net.exe	41
PID 1720 wrote to memory of 1052	1720	net.exe	41
PID 1720 wrote to memory of 1052	1720	net.exe	41
PID 1720 wrote to memory of 1052	1720	net.exe	41
PID 1188 wrote to memory of 456	1188	1tky.exe	42
PID 1188 wrote to memory of 456	1188	1tky.exe	42
PID 1188 wrote to memory of 456	1188	1tky.exe	42
PID 1188 wrote to memory of 456	1188	1tky.exe	42
PID 1188 wrote to memory of 1516	1188	1tky.exe	43
PID 1188 wrote to memory of 1516	1188	1tky.exe	43
PID 1188 wrote to memory of 1516	1188	1tky.exe	43
PID 1188 wrote to memory of 1516	1188	1tky.exe	43
PID 1188 wrote to memory of 1100	1188	1tky.exe	48
PID 1188 wrote to memory of 1100	1188	1tky.exe	48
PID 1188 wrote to memory of 1100	1188	1tky.exe	48
PID 1188 wrote to memory of 1100	1188	1tky.exe	48
PID 1188 wrote to memory of 1452	1188	1tky.exe	47
PID 1188 wrote to memory of 1452	1188	1tky.exe	47
PID 1188 wrote to memory of 1452	1188	1tky.exe	47
PID 1188 wrote to memory of 1452	1188	1tky.exe	47
PID 1188 wrote to memory of 1600	1188	1tky.exe	45
PID 1188 wrote to memory of 1600	1188	1tky.exe	45
PID 1188 wrote to memory of 1600	1188	1tky.exe	45
PID 1188 wrote to memory of 1600	1188	1tky.exe	45
PID 1100 wrote to memory of 672	1100	net.exe	51
PID 1100 wrote to memory of 672	1100	net.exe	51
PID 1100 wrote to memory of 672	1100	net.exe	51
PID 1100 wrote to memory of 672	1100	net.exe	51
PID 456 wrote to memory of 1816	456	net.exe	52
PID 456 wrote to memory of 1816	456	net.exe	52
PID 456 wrote to memory of 1816	456	net.exe	52
PID 456 wrote to memory of 1816	456	net.exe	52
PID 1600 wrote to memory of 892	1600	1tky.exe	53
PID 1600 wrote to memory of 892	1600	1tky.exe	53
PID 1600 wrote to memory of 892	1600	1tky.exe	53
PID 1600 wrote to memory of 892	1600	1tky.exe	53

C:\Users\Admin\AppData\Local\Temp\d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe
"C:\Users\Admin\AppData\Local\Temp\d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:1052
- C:\Windows\SysWOW64\sc.exe
  sc config wscsvc start= DISABLED
  2⤵
  - Launches sc.exe
  PID:1888
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2040
- C:\Windows\SysWOW64\sc.exe
  sc config SharedAccess start= DISABLED
  2⤵
  - Launches sc.exe
  PID:436
- C:\Users\Admin\AppData\Local\Temp\1tky.exe
  C:\Users\Admin\AppData\Local\Temp\1tky.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\1tky.exe
    C:\Users\Admin\AppData\Local\Temp\1tky.exe -dD6C57F95F037875870815A7DA0E4F10202DD72152C0D16827C0C87F19F78E0BCF18CF1E6453880E09BE6920CC8CF061F1F1B0AF899EF2F0A1227295391E77ED8BB38AA1CD8CB8E291B261E9F07FCA6472A00266C89198E7964D5E59247ACA1DA84D0B59584A624BA902F194C05C0D6B215DBF3DB763CC88DB484F8C209896FD8DDC460D5604DF83ADBEEE283AD7EDBA611F0DFCD1816B38F8308DEAB608C4D9797CC3846C698FFD51D45145927853B998EF6963C684B63A4919F54D91654DF3CC4B00A034E076E93B8388E06DB4AB9FC3D8106559FD12EBFE105582334850BE0B30EE218D215B9084DBE6BF974B35C0F11225A42364EA81FB20C26BE02FAF6AFF6160EB56BE89724BB500A3AD99768AD38910136E7C3A63B86BE3C6909A0043D5F051BED7230FBBA256F0768352F628926FDA71EAADA3E1C1E2F5723137EDB6BFDAAD6A37FD31C9FEBFB3E6DEF080FF88AB03A48B878C4F27BB77306283F60D023AB4B036C296DC6AF52CE5DB16474F055A8E5B68AF8CE83DD80CDA0920CB75A614EC80F5230A4585120136F6563D6A8B9591722D99930B3C74EE38BD90646958710DA6F8917
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      4⤵
      PID:892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        5⤵
        
        PID:1768
  - - C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      4⤵
      Launches sc.exe
      PID:344
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:1524
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        5⤵
        
        PID:1372
  - - C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      4⤵
      Launches sc.exe
      PID:1068
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    PID:1452
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ldslfovk.bat
  2⤵
  - Deletes itself
  PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
35KB

MD5
93b4aece31920c0bf354ca949bb6a203

SHA1
2e345c3c19059b71c742def9ec1a11efcf358355

SHA256
d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

SHA512
c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
35KB

MD5
93b4aece31920c0bf354ca949bb6a203

SHA1
2e345c3c19059b71c742def9ec1a11efcf358355

SHA256
d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

SHA512
c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
35KB

MD5
93b4aece31920c0bf354ca949bb6a203

SHA1
2e345c3c19059b71c742def9ec1a11efcf358355

SHA256
d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

SHA512
c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldslfovk.bat

Filesize
254B

MD5
c320c9cbae74d23b1304815826719f11

SHA1
b61739fb4c2144dc7c786aeaf3df4976db2235b4

SHA256
27d1a39937026f1530fd10b9acc5923074c8cb5e5aad21a73a24b2ef0014d24c

SHA512
401efdf9b7359117bafe1a348ff71a6150e4976ce5c2415689acc87043d586fdbfd56738a2367171452e85008925af9f44c41b994275d89771ce58402aac2620

Download Submit
\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
35KB

MD5
93b4aece31920c0bf354ca949bb6a203

SHA1
2e345c3c19059b71c742def9ec1a11efcf358355

SHA256
d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

SHA512
c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42

Download Submit
\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
35KB

MD5
93b4aece31920c0bf354ca949bb6a203

SHA1
2e345c3c19059b71c742def9ec1a11efcf358355

SHA256
d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

SHA512
c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42

Download Submit
\Users\Admin\AppData\Local\Temp\1tky.exe

Filesize
35KB

MD5
93b4aece31920c0bf354ca949bb6a203

SHA1
2e345c3c19059b71c742def9ec1a11efcf358355

SHA256
d73ce65a90463ed42a31c5d721af04c67237296579e38c0f166163654a42ef39

SHA512
c92dcb3c8206ca7dce3405c95b89177be082340480728771fbe8d9e523c49a1b6f1b8cd9932819cef3d7d601f32cd4bb3719bb01611449473a3fa97ac9664d42

Download Submit
memory/1188-88-0x0000000005380000-0x00000000053A2000-memory.dmp

Filesize
136KB

Download
memory/1188-97-0x0000000005380000-0x00000000053A2000-memory.dmp

Filesize
136KB

Download
memory/1188-90-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1600-98-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1600-89-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1692-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1692-58-0x0000000003460000-0x00000000044C2000-memory.dmp

Filesize
16.4MB

Download
memory/1692-73-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1692-56-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads