7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06-08-2023 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u9.exe
Size

4.5MB
MD5

92bd14c4a22b2aed0fe832f2b1174af0
SHA1

f08d2d2e6a6ffc92a7133d0ceaf01963cfaebe86
SHA256

7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a
SHA512

bbc16c3595cf20a6aec3811975d8ae4121220f4549456dca9a4cc03e0d13131139736fa669d0dd941052f0cee25cf7d6d251e5cc61e34a22e712b19751c68b6a
SSDEEP

98304:sJizlahPkloq0/nubwpJPYSeHrNYgLVBwsrX:sJiQIoq+ubwpxANYs0sr

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

spolsvt.exeelf.exe

pid process

2864 spolsvt.exe
1428 elf.exe
Loads dropped DLL 5 IoCs

Processes:

u9.exeelf.exe

pid process

2600 u9.exe
2600 u9.exe
2600 u9.exe
2600 u9.exe
1428 elf.exe

pid	process
2864	spolsvt.exe
1428	elf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

u9.exe

pid	process
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe
2600	u9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

u9.exe

description pid process target process

PID 2600 set thread context of 2864 2600 u9.exe spolsvt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2600 set thread context of 2864	2600	u9.exe	spolsvt.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

u9.exespolsvt.exe

pid	process
2600	u9.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2864	spolsvt.exe
2600	u9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

spolsvt.exe

description pid process

Token: SeDebugPrivilege 2864 spolsvt.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

u9.exe

pid process

2600 u9.exe
2600 u9.exe

description	pid	process
Token: SeDebugPrivilege	2864	spolsvt.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

u9.exe

description	pid	process	target process
PID 2600 wrote to memory of 2864	2600	u9.exe	spolsvt.exe
PID 2600 wrote to memory of 2864	2600	u9.exe	spolsvt.exe
PID 2600 wrote to memory of 2864	2600	u9.exe	spolsvt.exe
PID 2600 wrote to memory of 2864	2600	u9.exe	spolsvt.exe
PID 2600 wrote to memory of 2864	2600	u9.exe	spolsvt.exe
PID 2600 wrote to memory of 2864	2600	u9.exe	spolsvt.exe
PID 2600 wrote to memory of 2864	2600	u9.exe	spolsvt.exe
PID 2600 wrote to memory of 2864	2600	u9.exe	spolsvt.exe
PID 2600 wrote to memory of 2864	2600	u9.exe	spolsvt.exe
PID 2600 wrote to memory of 1428	2600	u9.exe	elf.exe
PID 2600 wrote to memory of 1428	2600	u9.exe	elf.exe
PID 2600 wrote to memory of 1428	2600	u9.exe	elf.exe
PID 2600 wrote to memory of 1428	2600	u9.exe	elf.exe
PID 2600 wrote to memory of 1692	2600	u9.exe	cmd.exe
PID 2600 wrote to memory of 1692	2600	u9.exe	cmd.exe
PID 2600 wrote to memory of 1692	2600	u9.exe	cmd.exe
PID 2600 wrote to memory of 1692	2600	u9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\u9.exe
"C:\Users\Admin\AppData\Local\Temp\u9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Users\Admin\Documents\robot\elf.exe
"C:\Users\Admin\Documents\robot\elf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1428

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del u9.exe
2⤵
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UnRAR.dll

Filesize
278KB

MD5
c5587655293f83c72f0c88c74660dd10

SHA1
675d7cac72e4caebebd7c2a88403d138b69acd89

SHA256
a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe

SHA512
6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

Download Submit
C:\Users\Admin\Documents\robot\LoggerCollector.dll

Filesize
510KB

MD5
47fe0ab041a9c28fe838eb1b11556e33

SHA1
b7128f679230730cf477f3c081235de118c98960

SHA256
29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf

SHA512
7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

Download Submit
C:\Users\Admin\Documents\robot\elf.exe

Filesize
2.2MB

MD5
33922d12e5bb8f40ecddf816124ae93d

SHA1
28244217fa205f12cf40278e97a3a01e6d7366a3

SHA256
255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158

SHA512
1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

Download Submit
C:\Users\Admin\Documents\robot\elf.exe

Filesize
2.2MB

MD5
33922d12e5bb8f40ecddf816124ae93d

SHA1
28244217fa205f12cf40278e97a3a01e6d7366a3

SHA256
255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158

SHA512
1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

Download Submit
C:\Users\Admin\Documents\robot\skin\mainres.xml

Filesize
671B

MD5
47fb824e5df4deb39e5b5342e833d8e4

SHA1
3196520d4dabefd5b4eb6c689210d5ce459476da

SHA256
04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289

SHA512
fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

Download Submit
C:\Users\Admin\Documents\robot\switch.json

Filesize
142B

MD5
362b8707494a5c175ec27ee577aaa133

SHA1
ec913a4fe073a776b33518af87e21669adb8bbe6

SHA256
c8412f15d564f5f6b972f0146db1797119414c7c363b697610ee360a34b4f8bd

SHA512
00c78d4d74c8225bcd214d8b005a4d5abde1b353fc8bf18b520c4fcc9603a8671a5d4fa0e98a1c54dd9c20f247cb3d22eb9b479fed9b84d6c41f7a6e0144bb49

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Admin\AppData\Local\Temp\UnRAR.dll

Filesize
278KB

MD5
c5587655293f83c72f0c88c74660dd10

SHA1
675d7cac72e4caebebd7c2a88403d138b69acd89

SHA256
a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe

SHA512
6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

Download Submit
\Users\Admin\Documents\robot\LoggerCollector.dll

Filesize
510KB

MD5
47fe0ab041a9c28fe838eb1b11556e33

SHA1
b7128f679230730cf477f3c081235de118c98960

SHA256
29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf

SHA512
7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

Download Submit
\Users\Admin\Documents\robot\elf.exe

Filesize
2.2MB

MD5
33922d12e5bb8f40ecddf816124ae93d

SHA1
28244217fa205f12cf40278e97a3a01e6d7366a3

SHA256
255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158

SHA512
1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
memory/2600-886-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-926-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-892-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-894-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-896-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-898-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-900-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-902-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-904-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-906-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-908-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-910-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-912-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-914-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-916-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-918-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-920-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-922-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-924-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-890-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-2601-0x0000000002230000-0x0000000002330000-memory.dmp

Filesize
1024KB

Download
memory/2600-2602-0x0000000002370000-0x00000000024F1000-memory.dmp

Filesize
1.5MB

Download
memory/2600-4390-0x0000000002230000-0x0000000002330000-memory.dmp

Filesize
1024KB

Download
memory/2600-8742-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-8743-0x0000000002740000-0x0000000002841000-memory.dmp

Filesize
1.0MB

Download
memory/2600-888-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-54-0x0000000000400000-0x000000000087A000-memory.dmp

Filesize
4.5MB

Download
memory/2600-884-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-882-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-880-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-878-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-876-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-874-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-872-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-870-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-868-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-866-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-865-0x0000000002620000-0x0000000002731000-memory.dmp

Filesize
1.1MB

Download
memory/2600-55-0x0000000075AD0000-0x0000000075B17000-memory.dmp

Filesize
284KB

Download
memory/2600-8857-0x0000000000400000-0x000000000087A000-memory.dmp

Filesize
4.5MB

Download