4051d791566f289683ee377effd774a80b7eb2b251e604e3eeabf923d75c0c98

Resubmissions

19-10-2023 11:09

231019-m9hf6agh68 10

Analysis

max time kernel
592s
max time network
441s
platform
windows10-2004_x64
resource
win10v2004-20230915-ja
resource tags

arch:x64arch:x86image:win10v2004-20230915-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-10-2023 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OpenedFilesView 1.80/OpenedFilesView_32.exe
Size

67KB
MD5

4338ff8ae33b8c6150feebcaa4864129
SHA1

4294ca4e350a5b67630c369823dc7ee2dd66253c
SHA256

5b4b9700ad8bbde39b7d597add33587edaaa0a36fabb7c47b642e9d8ff0ca441
SHA512

a2a460575a7f5d4d55984054c9de7cca6e1a0beec1b0ef39c9bd71e48685fb8b27d0819ec3a56704ee67d254a51185ea567ce94a6fc5124503401e456d22bb88
SSDEEP

1536:13PmFb9LibbWSonH9/Hbr3BEy08/1cu32YMtgo7biRx:dmFUfWPd/XRbB1v329gkSx

Score

9^/10

persistence upx

Malware Config

Signatures

Nirsoft 2 IoCs

resource	yara_rule
behavioral13/memory/4276-3-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral13/memory/4276-4-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\NirSoftOpenedFilesDriver.sys	OpenedFilesView_32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NirSoftOpenedFilesDriver\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\NirSoftOpenedFilesDriver.sys"	OpenedFilesView_32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral13/memory/4276-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral13/memory/4276-3-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral13/memory/4276-4-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4276	OpenedFilesView_32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4276	OpenedFilesView_32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4276	OpenedFilesView_32.exe
Token: SeDebugPrivilege	4276	OpenedFilesView_32.exe

C:\Users\Admin\AppData\Local\Temp\OpenedFilesView 1.80\OpenedFilesView_32.exe
"C:\Users\Admin\AppData\Local\Temp\OpenedFilesView 1.80\OpenedFilesView_32.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4276-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4276-3-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4276-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads