7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 22:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe
Size

627KB
MD5

05843457925fca89dc0e6df6debe24c1
SHA1

f12774cb4a410eef9b6e705013dc8d288c39d754
SHA256

7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a
SHA512

20a3daf9ddfcf1ea1f92ab9b2c007d679d2b37fd5d5e93937d37fd03713b3a99315a750485416efbcae5c4aa2ad38329b55beba391ee0d8f7320028da5669f3f
SSDEEP

12288:ceUskYy8XHMhedEc1x1YREc1xPqnQNHOTP:ceXJZXshiYRE8a0uTP

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\updsp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\updsp.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spcfg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spcfg.exe"	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2624	PING.EXE
2508	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe
Token: SeSystemProfilePrivilege	1640	WMIC.exe
Token: SeSystemtimePrivilege	1640	WMIC.exe
Token: SeProfSingleProcessPrivilege	1640	WMIC.exe
Token: SeIncBasePriorityPrivilege	1640	WMIC.exe
Token: SeCreatePagefilePrivilege	1640	WMIC.exe
Token: SeBackupPrivilege	1640	WMIC.exe
Token: SeRestorePrivilege	1640	WMIC.exe
Token: SeShutdownPrivilege	1640	WMIC.exe
Token: SeDebugPrivilege	1640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1640	WMIC.exe
Token: SeRemoteShutdownPrivilege	1640	WMIC.exe
Token: SeUndockPrivilege	1640	WMIC.exe
Token: SeManageVolumePrivilege	1640	WMIC.exe
Token: 33	1640	WMIC.exe
Token: 34	1640	WMIC.exe
Token: 35	1640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe
Token: SeSystemProfilePrivilege	1640	WMIC.exe
Token: SeSystemtimePrivilege	1640	WMIC.exe
Token: SeProfSingleProcessPrivilege	1640	WMIC.exe
Token: SeIncBasePriorityPrivilege	1640	WMIC.exe
Token: SeCreatePagefilePrivilege	1640	WMIC.exe
Token: SeBackupPrivilege	1640	WMIC.exe
Token: SeRestorePrivilege	1640	WMIC.exe
Token: SeShutdownPrivilege	1640	WMIC.exe
Token: SeDebugPrivilege	1640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1640	WMIC.exe
Token: SeRemoteShutdownPrivilege	1640	WMIC.exe
Token: SeUndockPrivilege	1640	WMIC.exe
Token: SeManageVolumePrivilege	1640	WMIC.exe
Token: 33	1640	WMIC.exe
Token: 34	1640	WMIC.exe
Token: 35	1640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2176	WMIC.exe
Token: SeSecurityPrivilege	2176	WMIC.exe
Token: SeTakeOwnershipPrivilege	2176	WMIC.exe
Token: SeLoadDriverPrivilege	2176	WMIC.exe
Token: SeSystemProfilePrivilege	2176	WMIC.exe
Token: SeSystemtimePrivilege	2176	WMIC.exe
Token: SeProfSingleProcessPrivilege	2176	WMIC.exe
Token: SeIncBasePriorityPrivilege	2176	WMIC.exe
Token: SeCreatePagefilePrivilege	2176	WMIC.exe
Token: SeBackupPrivilege	2176	WMIC.exe
Token: SeRestorePrivilege	2176	WMIC.exe
Token: SeShutdownPrivilege	2176	WMIC.exe
Token: SeDebugPrivilege	2176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2176	WMIC.exe
Token: SeRemoteShutdownPrivilege	2176	WMIC.exe
Token: SeUndockPrivilege	2176	WMIC.exe
Token: SeManageVolumePrivilege	2176	WMIC.exe
Token: 33	2176	WMIC.exe
Token: 34	2176	WMIC.exe
Token: 35	2176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2176	WMIC.exe
Token: SeSecurityPrivilege	2176	WMIC.exe
Token: SeTakeOwnershipPrivilege	2176	WMIC.exe
Token: SeLoadDriverPrivilege	2176	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 3028	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	28
PID 1076 wrote to memory of 3028	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	28
PID 1076 wrote to memory of 3028	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	28
PID 1076 wrote to memory of 3028	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	28
PID 3028 wrote to memory of 1640	3028	cmd.exe	30
PID 3028 wrote to memory of 1640	3028	cmd.exe	30
PID 3028 wrote to memory of 1640	3028	cmd.exe	30
PID 3028 wrote to memory of 1640	3028	cmd.exe	30
PID 3028 wrote to memory of 2452	3028	cmd.exe	31
PID 3028 wrote to memory of 2452	3028	cmd.exe	31
PID 3028 wrote to memory of 2452	3028	cmd.exe	31
PID 3028 wrote to memory of 2452	3028	cmd.exe	31
PID 1076 wrote to memory of 1828	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	33
PID 1076 wrote to memory of 1828	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	33
PID 1076 wrote to memory of 1828	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	33
PID 1076 wrote to memory of 1828	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	33
PID 1828 wrote to memory of 2176	1828	cmd.exe	35
PID 1828 wrote to memory of 2176	1828	cmd.exe	35
PID 1828 wrote to memory of 2176	1828	cmd.exe	35
PID 1828 wrote to memory of 2176	1828	cmd.exe	35
PID 1076 wrote to memory of 2160	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	36
PID 1076 wrote to memory of 2160	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	36
PID 1076 wrote to memory of 2160	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	36
PID 1076 wrote to memory of 2160	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	36
PID 2160 wrote to memory of 2852	2160	cmd.exe	38
PID 2160 wrote to memory of 2852	2160	cmd.exe	38
PID 2160 wrote to memory of 2852	2160	cmd.exe	38
PID 2160 wrote to memory of 2852	2160	cmd.exe	38
PID 1076 wrote to memory of 544	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	39
PID 1076 wrote to memory of 544	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	39
PID 1076 wrote to memory of 544	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	39
PID 1076 wrote to memory of 544	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	39
PID 544 wrote to memory of 2712	544	cmd.exe	41
PID 544 wrote to memory of 2712	544	cmd.exe	41
PID 544 wrote to memory of 2712	544	cmd.exe	41
PID 544 wrote to memory of 2712	544	cmd.exe	41
PID 1076 wrote to memory of 2716	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	42
PID 1076 wrote to memory of 2716	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	42
PID 1076 wrote to memory of 2716	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	42
PID 1076 wrote to memory of 2716	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	42
PID 2716 wrote to memory of 2796	2716	cmd.exe	44
PID 2716 wrote to memory of 2796	2716	cmd.exe	44
PID 2716 wrote to memory of 2796	2716	cmd.exe	44
PID 2716 wrote to memory of 2796	2716	cmd.exe	44
PID 1076 wrote to memory of 2728	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	47
PID 1076 wrote to memory of 2728	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	47
PID 1076 wrote to memory of 2728	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	47
PID 1076 wrote to memory of 2728	1076	7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe	47
PID 2728 wrote to memory of 2928	2728	cmd.exe	49
PID 2728 wrote to memory of 2928	2728	cmd.exe	49
PID 2728 wrote to memory of 2928	2728	cmd.exe	49
PID 2728 wrote to memory of 2928	2728	cmd.exe	49
PID 2728 wrote to memory of 2912	2728	cmd.exe	50
PID 2728 wrote to memory of 2912	2728	cmd.exe	50
PID 2728 wrote to memory of 2912	2728	cmd.exe	50
PID 2728 wrote to memory of 2912	2728	cmd.exe	50
PID 2728 wrote to memory of 3064	2728	cmd.exe	51
PID 2728 wrote to memory of 3064	2728	cmd.exe	51
PID 2728 wrote to memory of 3064	2728	cmd.exe	51
PID 2728 wrote to memory of 3064	2728	cmd.exe	51
PID 2728 wrote to memory of 2740	2728	cmd.exe	52
PID 2728 wrote to memory of 2740	2728	cmd.exe	52
PID 2728 wrote to memory of 2740	2728	cmd.exe	52
PID 2728 wrote to memory of 2740	2728	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe
"C:\Users\Admin\AppData\Local\Temp\7dbc864c06e2db719f63243018099c9754f8118ac526be5b347ffaf93c64970a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c wmic diskdrive get MediaType,SerialNumber | find "Fixed"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic diskdrive get MediaType,SerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\SysWOW64\find.exe
    find "Fixed"
    3⤵
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic csproduct get uuid <nul"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic cpu get processorid <nul"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg add "HKLM\SOFTWARE\OnlyLine" /v DeviceGuid /t REG_SZ /d "98ea74d2edebd5749187b368fc781610" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\OnlyLine" /v DeviceGuid /t REG_SZ /d "98ea74d2edebd5749187b368fc781610" /f
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg add "HKLM\SOFTWARE\OnlyLine" /v DeviceKey /t REG_SZ /d "E4E4B8D2-DB43-4685-8089-2A7C11EA610D-20230825224826" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\OnlyLine" /v DeviceKey /t REG_SZ /d "E4E4B8D2-DB43-4685-8089-2A7C11EA610D-20230825224826" /f
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OnlyLine" /v "DisplayName" /t REG_SZ /d "spcfg" /f
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OnlyLine" /v "DisplayVersion" /t REG_SZ /d "1.0.1" /f
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OnlyLine" /v "Publisher" /t REG_SZ /d "OnlyLine" /f
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OnlyLine" /v "DisplayName" /t REG_SZ /d "spcfg" /f
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OnlyLine" /v "DisplayVersion" /t REG_SZ /d "1.0.1" /f
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OnlyLine" /v "Publisher" /t REG_SZ /d "OnlyLine" /f
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -w 1000 -n 2
    3⤵
    - Runs ping.exe
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v updsp
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v updsp
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v updsp /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\updsp.exe" /f
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v updsp /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\updsp.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v spcfg
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v spcfg
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v spcfg /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\spcfg.exe" /f
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v spcfg /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\spcfg.exe" /f
    3⤵
    - Adds Run key to start application
    PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\reg.exe
    reg add "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d 0 /f
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:968
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:1824
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -w 1000 -n 2
    3⤵
    - Runs ping.exe
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo HostName & hostname"
  2⤵
  PID:828
- - C:\Windows\SysWOW64\HOSTNAME.EXE
    hostname
    3⤵
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\log\tracelog.log

Filesize
5KB

MD5
0b9524ecf494f2fb8ede04a51e576484

SHA1
c2c9cc0c499da639bd40df4873c85cfdd155529d

SHA256
81c71b838228c37da8ee6a03e7f6c5664548d21401487140fda2c3b17cce70f3

SHA512
f4152ddab301bfe4a805a0a709cde94dcbf91d47db3adef107dd7f9a929581bbcb748a65a9b11ba5971d799e64d78e8434dac290b1caf2e800483163e196e57e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads