Analysis
- max time kernel: 141s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2023 20:51
Behavioral task: behavioral1
- Sample: 7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda.exe
- Resource: win10v2004-20230220-en
General
- Target: 7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda.exe
- Size: 174KB
- MD5: a098b1f58e37771a7ca6a61462def435
- SHA1: 775791167fd9a0162b9c5feac81205362927e3d7
- SHA256: 7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda
- SHA512: 2fa4568291981d6747e9952d2d9c5752852605c3cedbd94ebd867355aca35dbbf90b129ddc69c2347fef09cce36170d88710ca00a0d5bd89adff8ea776a5c682
- SSDEEP: 3072:CYOoXSH2e5kqL7RJsgQKxF//tUPzsFst3rJ/g/9J5B+oQc5O1/EY7:CYfSr5khgQKD//C4FS3dg/XD+RTxE
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes (description: ioc, process):
    Key created: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops file in Windows directory (1 IoC)
  Processes (description: ioc, process):
    File opened for modification: \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe (explorer.exe)

- Modifies registry class (5 IoCs)
  Processes (description: ioc, process):
    Key created: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings (explorer.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
    Key created: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
    Set value (data): \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
    Set value (data): \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
    2016 7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    2004 explorer.exe

- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege 2016 7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda.exe (2 entries)
    Token: SeShutdownPrivilege 2004 explorer.exe (10 entries)
    Token: 33 1076 AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege 1076 AUDIODG.EXE
    Token: 33 1076 AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege 1076 AUDIODG.EXE
    Token: SeShutdownPrivilege 2004 explorer.exe (2 entries)

- Suspicious use of FindShellTrayWindow (28 IoCs)
  Processes (pid, process):
    2004 explorer.exe (28 entries)

- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes (pid, process):
    2004 explorer.exe (17 entries)

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 2016 wrote to memory of 2044: 2016 7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda.exe -> regsvr32.exe (7 entries)
    PID 2016 wrote to memory of 2004: 2016 7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda.exe -> explorer.exe (4 entries)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda.exe (PID 2016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ce5fd133a02bf6515704a5fe150abd594bf4cc41c270dbab8b73dfd81c35fda.exe"
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\regsvr32.exe (PID 2044)
    Command line: regsvr32 /u /s "C:\Users\Administrator\AppData\Local\YunPan\Bin\x64\YuWangExt.dll"
  - C:\Windows\explorer.exe (PID 2004)
    Command line: "C:\Windows\explorer.exe"
    Signatures:
    - Modifies Installed Components in the registry
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

- C:\Windows\system32\AUDIODG.EXE (PID 1076)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x564
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2004-59-0x0000000003E90000-0x0000000003E91000-memory.dmp (filesize 4KB)
- memory/2004-62-0x0000000003E90000-0x0000000003E91000-memory.dmp (filesize 4KB)
- memory/2004-77-0x0000000002490000-0x00000000024A0000-memory.dmp (filesize 64KB)
- memory/2016-54-0x0000000000310000-0x0000000000378000-memory.dmp (filesize 416KB)
- memory/2016-55-0x0000000000310000-0x0000000000378000-memory.dmp (filesize 416KB)
- memory/2016-56-0x0000000000310000-0x0000000000378000-memory.dmp (filesize 416KB)
- memory/2016-57-0x0000000000310000-0x0000000000378000-memory.dmp (filesize 416KB)
- memory/2016-58-0x00000000001C0000-0x00000000001C1000-memory.dmp (filesize 4KB)