0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/08/2023, 20:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe
Size

1.4MB
MD5

2fe1f18f470e9116e07edf5e21eb52a4
SHA1

6a071b8bec7083c96bcd24245e532668e193e2bb
SHA256

0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0
SHA512

2bd897aee75bf98a05c90ea3fa6a2f6fa567fbc2ee84e20bb8996792a3572a4f8e86937b283f6c88836fee823e9ef517bd878f1558bd1768d37e3fdd3947a35c
SSDEEP

12288:kiFZIQTJnk8FY1s57fhiwXO31o3B/hb4FeFQCVauYBIim1:kYJnPY1Uhiw+3ixOFWQCA+im1

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Windows Service

T1543.003

pid	Process
2928	netsh.exe
2668	netsh.exe
2932	netsh.exe
2412	netsh.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-54-0x0000000000400000-0x000000000074D000-memory.dmp	upx
behavioral1/memory/2068-63-0x0000000000400000-0x000000000074D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe
2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe
2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe
2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe
2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe
2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe
2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1476	2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe	28
PID 2068 wrote to memory of 1476	2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe	28
PID 2068 wrote to memory of 1476	2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe	28
PID 2068 wrote to memory of 1476	2068	0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe	28
PID 1476 wrote to memory of 2840	1476	cmd.exe	30
PID 1476 wrote to memory of 2840	1476	cmd.exe	30
PID 1476 wrote to memory of 2840	1476	cmd.exe	30
PID 1476 wrote to memory of 2840	1476	cmd.exe	30
PID 2840 wrote to memory of 2788	2840	mshta.exe	31
PID 2840 wrote to memory of 2788	2840	mshta.exe	31
PID 2840 wrote to memory of 2788	2840	mshta.exe	31
PID 2840 wrote to memory of 2788	2840	mshta.exe	31
PID 2788 wrote to memory of 2928	2788	cmd.exe	33
PID 2788 wrote to memory of 2928	2788	cmd.exe	33
PID 2788 wrote to memory of 2928	2788	cmd.exe	33
PID 2788 wrote to memory of 2928	2788	cmd.exe	33
PID 2788 wrote to memory of 2668	2788	cmd.exe	34
PID 2788 wrote to memory of 2668	2788	cmd.exe	34
PID 2788 wrote to memory of 2668	2788	cmd.exe	34
PID 2788 wrote to memory of 2668	2788	cmd.exe	34
PID 2788 wrote to memory of 2932	2788	cmd.exe	35
PID 2788 wrote to memory of 2932	2788	cmd.exe	35
PID 2788 wrote to memory of 2932	2788	cmd.exe	35
PID 2788 wrote to memory of 2932	2788	cmd.exe	35
PID 2788 wrote to memory of 2412	2788	cmd.exe	36
PID 2788 wrote to memory of 2412	2788	cmd.exe	36
PID 2788 wrote to memory of 2412	2788	cmd.exe	36
PID 2788 wrote to memory of 2412	2788	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe
"C:\Users\Admin\AppData\Local\Temp\0253ee693f7572ee5e09ab34c97418e39102ff5e18080316e82d5e5c748c5cd0.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\XP\FHQ.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\mshta.exe
    mshta vbscript:createobject("shell.application").shellexecute("""C:\XP\FHQ.bat""","::",,"runas",0)(window.close)
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\XP\FHQ.bat" ::
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state on
        5⤵
        Modifies Windows Firewall
        
        PID:2928
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="XP"
        5⤵
        Modifies Windows Firewall
        
        PID:2668
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="XP" dir=in action=block remoteip=217.160.166.143,185.132.43.160,217.160.94.22
        5⤵
        Modifies Windows Firewall
        
        PID:2932
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="XP" dir=out action=block remoteip=217.160.166.143,185.132.43.160,217.160.94.22
        5⤵
        Modifies Windows Firewall
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\XP\FHQ.bat

Filesize
537B

MD5
8222509062098ffaa30233020f927191

SHA1
3570aa6d03bea417f5aa0d55bc798302eca34618

SHA256
bea70e512d1b4da03490b3bcb4a9e6d9638b7aa672d6199e2a02936fdd6ea9d6

SHA512
2417606cb45fe1f671ad5411464d177ba9977f5cce2128208d23510d75127839cff37d6596b7ac3201e0195dffac5d3c98ba011d0c968749abe5788b70cc309d

Download Submit
C:\XP\FHQ.bat

Filesize
537B

MD5
8222509062098ffaa30233020f927191

SHA1
3570aa6d03bea417f5aa0d55bc798302eca34618

SHA256
bea70e512d1b4da03490b3bcb4a9e6d9638b7aa672d6199e2a02936fdd6ea9d6

SHA512
2417606cb45fe1f671ad5411464d177ba9977f5cce2128208d23510d75127839cff37d6596b7ac3201e0195dffac5d3c98ba011d0c968749abe5788b70cc309d

Download Submit
memory/2068-54-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2068-63-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download