520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c

Analysis

max time kernel
135s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/04/2023, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c.exe
Size

2.4MB
MD5

192763968d2cbd12deff65cfa71afb58
SHA1

b3de492772b592fe830dc0ed397f71efd442230f
SHA256

520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c
SHA512

205ef3b29d3e4161220e3e86fc6c90fb8d3799278dd30d16c7f57227aefd63fea156a36de269a2070e196b49abd4f0a6df1105e42b317fb6bfcdf3fa89ae21ba
SSDEEP

49152:EYm0o65RpzVVON+1Q6M/tk37WLxKBlvyGiQSV2RLxFCKYT:/mBM16+1LMlIYKP1itcRdU/T

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\wofadk.sys	WinNTSetup_x64.exe
File opened for modification	C:\Windows\System32\drivers\wofadk.sys	WinNTSetup_x64.exe

Executes dropped EXE 2 IoCs

pid	Process
844	WinNTSetup_x64.exe
1344	Process not Found

Loads dropped DLL 9 IoCs

pid	Process
1704	520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c.exe
1704	520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c.exe
844	WinNTSetup_x64.exe
844	WinNTSetup_x64.exe
844	WinNTSetup_x64.exe
844	WinNTSetup_x64.exe
844	WinNTSetup_x64.exe
844	WinNTSetup_x64.exe
844	WinNTSetup_x64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016cd0-232.dat	upx
behavioral1/files/0x0006000000016cd0-233.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
844	WinNTSetup_x64.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	844	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	844	WinNTSetup_x64.exe
Token: SeRestorePrivilege	844	WinNTSetup_x64.exe
Token: SeSystemEnvironmentPrivilege	844	WinNTSetup_x64.exe
Token: SeBackupPrivilege	844	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	844	WinNTSetup_x64.exe
Token: SeRestorePrivilege	844	WinNTSetup_x64.exe
Token: SeSecurityPrivilege	844	WinNTSetup_x64.exe
Token: SeTakeOwnershipPrivilege	844	WinNTSetup_x64.exe
Token: SeManageVolumePrivilege	844	WinNTSetup_x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
844	WinNTSetup_x64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 844	1704	520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c.exe	27
PID 1704 wrote to memory of 844	1704	520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c.exe	27
PID 1704 wrote to memory of 844	1704	520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c.exe	27
PID 1704 wrote to memory of 844	1704	520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c.exe	27

C:\Users\Admin\AppData\Local\Temp\520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c.exe
"C:\Users\Admin\AppData\Local\Temp\520b19d4c7bad44e586bf55340380feec1d34fd3433484d96eb757682882a85c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe
  C:\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\Imdisk\cpl\amd64\imdisk.cpl

Filesize
113KB

MD5
a19a0f76956805a157281a3998f06a29

SHA1
eb2e8fece8f2ffd2ef605a000fdbfe46bc97067a

SHA256
eb5b467f230bb85a74620a52f139cc35772e89ea9b8ffa2a64e10f878aa7b417

SHA512
5f4a013e28fdb2b67883144772afd717813d96f84d9eb680ad016fd78d0d8cc8061b5dd78d07238fd648c62dd1b09a8a0a752575a826bc1c96cdded84635f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\BootICE\Booticex64.exe

Filesize
489KB

MD5
7ddd108c095016b0e2e8d6b5b04f93b8

SHA1
3764d75c02c8ce8d2c78203aa9eb7f8018a112e1

SHA256
e1cb831ac9213b52066f934ba0fa80ea8a9de48932452d4142fa085a2ba24fc2

SHA512
36c77eaafed04eb3a337a909a90d4c3eb66e1d36531c6248095906332ea6d03dffc9abd7fbcb3c2101065110e4536c0a89b6320dcab386871b3f9d9e34e40bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\offreg.dll

Filesize
117KB

MD5
709fa2fc9dbd03814312f6d28eaf4a37

SHA1
3b85bf42645f5be9d678d0d98a11946a4c7aeb65

SHA256
ec993b3c8d7522793a141c692c63c413d47e77dfc79d95491d913736fe8b1f01

SHA512
25b5f69d926a32de058cfd64dcdfc7579af5908cbbebe80fadd907681a2ca15f863071c5886c8cb5d09e979cce98486e962fc6d81717a49da20cc3eb03e45093

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\wimgapi.dll

Filesize
797KB

MD5
fa5b941be590899a59c59dc883ed050f

SHA1
91a9517d09c298eac0a3e6559be90cd4881fd9ed

SHA256
14e85f541b282c59b796ba01ddcf8304f1c94835d2975b3da69cc450afd9d1e8

SHA512
09df8788213b2e44995538e295e44aedd49d5c238aee62ac0ac1e2fd1d2705af9754ba4dac2f376a0e6581155f6d0c84f0b5f4b58602b0d658a0ee291ba4b5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\wimlib\libwim-15.dll

Filesize
467KB

MD5
2434784fc3a9bb2c2c26d4b7184d6161

SHA1
7b125f36293ebb0635795498b48eca62775eb68a

SHA256
cc5549eade80f29ead05fc6a86cdf78d22d1b7ab7a17f91877244a7329eebd01

SHA512
7eddb5c8c9bb64e2ee0213207fafbdcfa09309780511fb77fdcb7875d6883a9a3a1b3b35276c8e57c866df4e30d29548ad70b52ab5482eb002798d0e27da6633

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
cf3ea6ba021e1a9553972785843e014f

SHA1
8edf6548ac55a2b971d0cd44fb39b3206e3dc2ab

SHA256
a295e218b6b0ea2eafa83a30093115ee0e049adeeda6829e31b4e9f5165af0e9

SHA512
14c0d063ae31de3ca849ff9e1655525af567544ce28ec2750ce1c3025d5fb7e893859a7042e53d9c32c08780bacd28b190fa00333b7f1106e778e7d6cabaf15e

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\imdisk\cpl\amd64\imdisk.cpl

Filesize
113KB

MD5
a19a0f76956805a157281a3998f06a29

SHA1
eb2e8fece8f2ffd2ef605a000fdbfe46bc97067a

SHA256
eb5b467f230bb85a74620a52f139cc35772e89ea9b8ffa2a64e10f878aa7b417

SHA512
5f4a013e28fdb2b67883144772afd717813d96f84d9eb680ad016fd78d0d8cc8061b5dd78d07238fd648c62dd1b09a8a0a752575a826bc1c96cdded84635f9db

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\BootICE\BOOTICEx64.exe

Filesize
489KB

MD5
7ddd108c095016b0e2e8d6b5b04f93b8

SHA1
3764d75c02c8ce8d2c78203aa9eb7f8018a112e1

SHA256
e1cb831ac9213b52066f934ba0fa80ea8a9de48932452d4142fa085a2ba24fc2

SHA512
36c77eaafed04eb3a337a909a90d4c3eb66e1d36531c6248095906332ea6d03dffc9abd7fbcb3c2101065110e4536c0a89b6320dcab386871b3f9d9e34e40bad

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\DISM\wofadk.sys

Filesize
216KB

MD5
fba28d5ac166714737d1d8cdf0aef078

SHA1
eef8d1bca48ecc93a7f165b735f7047ef085e12d

SHA256
54fba1cc80e820b462229fcb987fb8df2321ed85d9450f3f4a81d0982e5d289f

SHA512
50791cf079d9bbc26cd80b1f21fed3e2181ee15241dfcbbd964fca0425e634ae422652b58837352aad61775dc5cec7464ff0d23e0624b6f61fc1bc5cc805fd7e

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\offreg.dll

Filesize
117KB

MD5
709fa2fc9dbd03814312f6d28eaf4a37

SHA1
3b85bf42645f5be9d678d0d98a11946a4c7aeb65

SHA256
ec993b3c8d7522793a141c692c63c413d47e77dfc79d95491d913736fe8b1f01

SHA512
25b5f69d926a32de058cfd64dcdfc7579af5908cbbebe80fadd907681a2ca15f863071c5886c8cb5d09e979cce98486e962fc6d81717a49da20cc3eb03e45093

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\wimgapi.dll

Filesize
797KB

MD5
fa5b941be590899a59c59dc883ed050f

SHA1
91a9517d09c298eac0a3e6559be90cd4881fd9ed

SHA256
14e85f541b282c59b796ba01ddcf8304f1c94835d2975b3da69cc450afd9d1e8

SHA512
09df8788213b2e44995538e295e44aedd49d5c238aee62ac0ac1e2fd1d2705af9754ba4dac2f376a0e6581155f6d0c84f0b5f4b58602b0d658a0ee291ba4b5b1

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\Tools\x64\wimlib\libwim-15.dll

Filesize
467KB

MD5
2434784fc3a9bb2c2c26d4b7184d6161

SHA1
7b125f36293ebb0635795498b48eca62775eb68a

SHA256
cc5549eade80f29ead05fc6a86cdf78d22d1b7ab7a17f91877244a7329eebd01

SHA512
7eddb5c8c9bb64e2ee0213207fafbdcfa09309780511fb77fdcb7875d6883a9a3a1b3b35276c8e57c866df4e30d29548ad70b52ab5482eb002798d0e27da6633

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
cf3ea6ba021e1a9553972785843e014f

SHA1
8edf6548ac55a2b971d0cd44fb39b3206e3dc2ab

SHA256
a295e218b6b0ea2eafa83a30093115ee0e049adeeda6829e31b4e9f5165af0e9

SHA512
14c0d063ae31de3ca849ff9e1655525af567544ce28ec2750ce1c3025d5fb7e893859a7042e53d9c32c08780bacd28b190fa00333b7f1106e778e7d6cabaf15e

Download Submit
\Users\Admin\AppData\Local\Temp\WinNTSetup\WinNTSetup_x64.exe

Filesize
1.1MB

MD5
cf3ea6ba021e1a9553972785843e014f

SHA1
8edf6548ac55a2b971d0cd44fb39b3206e3dc2ab

SHA256
a295e218b6b0ea2eafa83a30093115ee0e049adeeda6829e31b4e9f5165af0e9

SHA512
14c0d063ae31de3ca849ff9e1655525af567544ce28ec2750ce1c3025d5fb7e893859a7042e53d9c32c08780bacd28b190fa00333b7f1106e778e7d6cabaf15e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3739.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/844-235-0x000000013FA00000-0x000000013FB7F000-memory.dmp

Filesize
1.5MB

Download
memory/844-236-0x000000013FA00000-0x000000013FB7F000-memory.dmp

Filesize
1.5MB

Download