78a28b25b330513649439305a5d9293cb07fb796ad6521ef31f39a5453a549d8

Resubmissions

07-09-2023 14:45

230907-r45fysaf5s 10

07-09-2023 14:12

230907-rjbyxaad5s 10

Analysis

max time kernel
60s
max time network
66s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-09-2023 14:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
Size

614KB
MD5

c7d23cb33b0db8303d7cc43fb4d7fdcd
SHA1

b456525f89a5fc70d3022fc41dec753a8a84ab16
SHA256

88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb
SHA512

688b6efb0e2af25b6d8695171ce2bf9ccadc147beab555bcf836b38de884e8c854ea4b7cf4e951b1451caefa741c5c6a03cca1e824a1549ef374e8092f7b3da9
SSDEEP

12288:aiXf2YxXtNvqOt093nvo8eb+s5KaadA6r7/Z77u5V4nutiXhb+:xvtxdNvq98+CjadAY7E5VRtkZ+

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\antispy.exe"	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral28/memory/320-0-0x0000000000400000-0x000000000069F000-memory.dmp	upx
behavioral28/memory/320-2-0x0000000000400000-0x000000000069F000-memory.dmp	upx
behavioral28/memory/320-17-0x0000000000400000-0x000000000069F000-memory.dmp	upx
behavioral28/memory/320-18-0x0000000000400000-0x000000000069F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmp	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2640	320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe	30
PID 320 wrote to memory of 2640	320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe	30
PID 320 wrote to memory of 2640	320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe	30
PID 320 wrote to memory of 2640	320	88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe	30

C:\Users\Admin\AppData\Local\Temp\88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe
"C:\Users\Admin\AppData\Local\Temp\88be20529ed15c95b7c9dc1ae66949fb09ebc934188de565a43e6fecf6bf63cb.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\lsdkasj.bat
  2⤵
  PID:2640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lsdkasj.bat

Filesize
143B

MD5
afd85e05c28795f6befa3f6ddb2fb9d7

SHA1
190322438076f7f9f5784eb9224f59b5f3598253

SHA256
40e5aca2b2950ea278f65976df53cd39d3e7f96670f5d08f371c83689edfcb4e

SHA512
d360b3a7f1ae09359720733768cf058aca0bc3ab63578c50378016fb6ef9b14f8ba60a52c9e273d4a5c46904c77f4680edd46af1b841b428eb030209b33677c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsdkasj.bat

Filesize
143B

MD5
afd85e05c28795f6befa3f6ddb2fb9d7

SHA1
190322438076f7f9f5784eb9224f59b5f3598253

SHA256
40e5aca2b2950ea278f65976df53cd39d3e7f96670f5d08f371c83689edfcb4e

SHA512
d360b3a7f1ae09359720733768cf058aca0bc3ab63578c50378016fb6ef9b14f8ba60a52c9e273d4a5c46904c77f4680edd46af1b841b428eb030209b33677c5

Download Submit
memory/320-0-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/320-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/320-2-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/320-4-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/320-17-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/320-18-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/2476-20-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3052-19-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads