b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7

Analysis

max time kernel
32s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
Size

299KB
MD5

e6870480bc03956ed54c346de31e5b4d
SHA1

5301558b5647f549c177ad28f4a350335f9253e3
SHA256

b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7
SHA512

25fcd31d003b0a6450b3ba97864d5baa9a0bb737cef0690395871987d2da45a5c1a16b5bf8c3ec448648afa58816d6d2dbccd5c073fc69a86f8ffab4c71710da
SSDEEP

6144:kuayAdOPViZJzC8mLi/g8iF1NDupfB+U3MdLNfNXu2bwzUNH:nAdyiDzgW/i1NDeB+3Ju2bwa

Score

8^/10

persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2124	smss.exe
2672	smss.exe
1276	csrss.exe
1576	csrss.exe

Loads dropped DLL 4 IoCs

pid	Process
1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1436-0-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1436-9-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1436-120-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe"	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smss.exe = "C:\\Program Files\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smss.exe = "C:\\Program Files\\smss.exe"	smss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2124	smss.exe
2672	smss.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\smss.exe	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
File opened for modification	C:\Program Files\smss.exe	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
File created	C:\Program Files\csrss.exe	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
File opened for modification	C:\Program Files\csrss.exe	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe
2124	smss.exe
2672	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	smss.exe
Token: SeDebugPrivilege	2672	smss.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
2124	smss.exe
2124	smss.exe
2672	smss.exe
2672	smss.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 2124	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	29
PID 1436 wrote to memory of 2124	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	29
PID 1436 wrote to memory of 2124	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	29
PID 1436 wrote to memory of 2124	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	29
PID 1436 wrote to memory of 2672	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	30
PID 1436 wrote to memory of 2672	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	30
PID 1436 wrote to memory of 2672	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	30
PID 1436 wrote to memory of 2672	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	30
PID 1436 wrote to memory of 1276	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	31
PID 1436 wrote to memory of 1276	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	31
PID 1436 wrote to memory of 1276	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	31
PID 1436 wrote to memory of 1276	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	31
PID 1436 wrote to memory of 1576	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	32
PID 1436 wrote to memory of 1576	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	32
PID 1436 wrote to memory of 1576	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	32
PID 1436 wrote to memory of 1576	1436	b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe	32

C:\Users\Admin\AppData\Local\Temp\b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe
"C:\Users\Admin\AppData\Local\Temp\b439c5c9bfad3de0d1f542ebb8f7be20bc021596dd137970c494a6ec450024c7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files\smss.exe
  "C:\Program Files\smss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2124
- C:\Program Files\smss.exe
  "C:\Program Files\smss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Program Files\csrss.exe
  "C:\Program Files\csrss.exe"
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Program Files\csrss.exe
  "C:\Program Files\csrss.exe"
  2⤵
  - Executes dropped EXE
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\csrss.exe

Filesize
40KB

MD5
770b3eec57133e1315d33d463ccfad54

SHA1
d749fa822779604a72425b4b1ddc0d0c261e3af0

SHA256
a6f41dd8df3faad311fa87bccfb01d5eb933f74afb8776eaf9a5384d6e147147

SHA512
abb03c8540d602c417ea4f35b6039a289905d964ad689dde42256e835fe46f76a1fabe15085c5bb8b1238323770ed9e422d8d3cf9c5a3894078dc6f3c9a6cbb4

Download Submit
C:\Program Files\csrss.exe

Filesize
40KB

MD5
770b3eec57133e1315d33d463ccfad54

SHA1
d749fa822779604a72425b4b1ddc0d0c261e3af0

SHA256
a6f41dd8df3faad311fa87bccfb01d5eb933f74afb8776eaf9a5384d6e147147

SHA512
abb03c8540d602c417ea4f35b6039a289905d964ad689dde42256e835fe46f76a1fabe15085c5bb8b1238323770ed9e422d8d3cf9c5a3894078dc6f3c9a6cbb4

Download Submit
C:\Program Files\csrss.exe

Filesize
40KB

MD5
770b3eec57133e1315d33d463ccfad54

SHA1
d749fa822779604a72425b4b1ddc0d0c261e3af0

SHA256
a6f41dd8df3faad311fa87bccfb01d5eb933f74afb8776eaf9a5384d6e147147

SHA512
abb03c8540d602c417ea4f35b6039a289905d964ad689dde42256e835fe46f76a1fabe15085c5bb8b1238323770ed9e422d8d3cf9c5a3894078dc6f3c9a6cbb4

Download Submit
C:\Program Files\smss.exe

Filesize
2.8MB

MD5
aa4a1a7ad19849c5dee65ef1e4fc9a86

SHA1
b38bfd0421e50a1ca462b5629ea92389d4884975

SHA256
b3c8c35994341ed5cdd633144d79fa7db17fe3bbe5ec6bc43f31e9d8d8ee40e5

SHA512
95c39afff84a454465b8911d2797deea4afb087b1d5bdbad7e0ba84f837a6a5cbdf3b4e87d05a532f82ad8fb8fc633f154b932a756a78c2967a21458e15463dc

Download Submit
C:\Program Files\smss.exe

Filesize
2.8MB

MD5
aa4a1a7ad19849c5dee65ef1e4fc9a86

SHA1
b38bfd0421e50a1ca462b5629ea92389d4884975

SHA256
b3c8c35994341ed5cdd633144d79fa7db17fe3bbe5ec6bc43f31e9d8d8ee40e5

SHA512
95c39afff84a454465b8911d2797deea4afb087b1d5bdbad7e0ba84f837a6a5cbdf3b4e87d05a532f82ad8fb8fc633f154b932a756a78c2967a21458e15463dc

Download Submit
C:\Program Files\smss.exe

Filesize
2.8MB

MD5
aa4a1a7ad19849c5dee65ef1e4fc9a86

SHA1
b38bfd0421e50a1ca462b5629ea92389d4884975

SHA256
b3c8c35994341ed5cdd633144d79fa7db17fe3bbe5ec6bc43f31e9d8d8ee40e5

SHA512
95c39afff84a454465b8911d2797deea4afb087b1d5bdbad7e0ba84f837a6a5cbdf3b4e87d05a532f82ad8fb8fc633f154b932a756a78c2967a21458e15463dc

Download Submit
\Program Files\csrss.exe

Filesize
40KB

MD5
770b3eec57133e1315d33d463ccfad54

SHA1
d749fa822779604a72425b4b1ddc0d0c261e3af0

SHA256
a6f41dd8df3faad311fa87bccfb01d5eb933f74afb8776eaf9a5384d6e147147

SHA512
abb03c8540d602c417ea4f35b6039a289905d964ad689dde42256e835fe46f76a1fabe15085c5bb8b1238323770ed9e422d8d3cf9c5a3894078dc6f3c9a6cbb4

Download Submit
\Program Files\csrss.exe

Filesize
40KB

MD5
770b3eec57133e1315d33d463ccfad54

SHA1
d749fa822779604a72425b4b1ddc0d0c261e3af0

SHA256
a6f41dd8df3faad311fa87bccfb01d5eb933f74afb8776eaf9a5384d6e147147

SHA512
abb03c8540d602c417ea4f35b6039a289905d964ad689dde42256e835fe46f76a1fabe15085c5bb8b1238323770ed9e422d8d3cf9c5a3894078dc6f3c9a6cbb4

Download Submit
\Program Files\csrss.exe

Filesize
40KB

MD5
770b3eec57133e1315d33d463ccfad54

SHA1
d749fa822779604a72425b4b1ddc0d0c261e3af0

SHA256
a6f41dd8df3faad311fa87bccfb01d5eb933f74afb8776eaf9a5384d6e147147

SHA512
abb03c8540d602c417ea4f35b6039a289905d964ad689dde42256e835fe46f76a1fabe15085c5bb8b1238323770ed9e422d8d3cf9c5a3894078dc6f3c9a6cbb4

Download Submit
\Program Files\smss.exe

Filesize
2.8MB

MD5
aa4a1a7ad19849c5dee65ef1e4fc9a86

SHA1
b38bfd0421e50a1ca462b5629ea92389d4884975

SHA256
b3c8c35994341ed5cdd633144d79fa7db17fe3bbe5ec6bc43f31e9d8d8ee40e5

SHA512
95c39afff84a454465b8911d2797deea4afb087b1d5bdbad7e0ba84f837a6a5cbdf3b4e87d05a532f82ad8fb8fc633f154b932a756a78c2967a21458e15463dc

Download Submit
memory/1436-120-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1436-9-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1436-0-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2124-46-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2124-22-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2124-29-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2124-32-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2124-34-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2124-37-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2124-39-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2124-40-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2124-42-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2124-10-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2124-45-0x0000000077420000-0x0000000077421000-memory.dmp

Filesize
4KB

Download
memory/2124-44-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2124-48-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2124-50-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2124-51-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2124-27-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2124-8-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2124-14-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2124-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2124-17-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2124-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2124-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2124-103-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2124-24-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2672-104-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/2672-93-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2672-92-0x0000000077420000-0x0000000077421000-memory.dmp

Filesize
4KB

Download
memory/2672-74-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2672-72-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2672-69-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2672-67-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download