ad3bcb65313043b1a43b8fb210f3a20a87df8a8145ed9a18b086d0859616caa2

Analysis

max time kernel
161s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2023 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe
Size

60KB
MD5

6aa22fd28d56b38bdf8dfc90dbd6dc96
SHA1

1e28cf53cbcacde5a272669cdd1670785183272a
SHA256

9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0
SHA512

cb882269950289b614c1009eabc0a69ac8fb371a62af4e488413e10c60c0defeb5ad891e56a680e9cd60cb6971bcef8e35cc2899b17897d6ba1767e5be97ec35
SSDEEP

768:3kWI7wOxRW1Hn/txYKtXeQJCAhxPPqEAQemUJiKrji0tSdZRNoN5J:3kWI7kHn/f/tugCsxPSEA3mUJiKadYJ

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ini.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "fuckme"	ini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%windir%\\programs\\fuckme.vbs"	ini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	ini.exe

Executes dropped EXE 1 IoCs

Processes:

ini.exe

pid process

2612 ini.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral19/memory/4080-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
C:\Windows\programs\ini.exe	upx
C:\Windows\programs\ini.exe	upx
behavioral19/memory/4080-12-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral19/memory/2612-14-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

ini.exe

description ioc process

Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ini.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	ini.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe

description	ioc	process
File opened for modification	C:\Windows\programs\desktop.ini	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe
File created	C:\Windows\programs\desktop.ini	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

ini.exe

description ioc process

File opened (read-only) \??\E: ini.exe
File opened (read-only) \??\H: ini.exe

description	ioc	process
File opened (read-only)	\??\E:	ini.exe
File opened (read-only)	\??\H:	ini.exe

Drops file in Program Files directory 64 IoCs

Processes:

ini.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\wsock32.dll	ini.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\wsock32.dll	ini.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\wsock32.dll	ini.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\wsock32.dll	ini.exe
File created	C:\Program Files\Internet Explorer\de-DE\wsock32.dll	ini.exe
File created	C:\Program Files\Internet Explorer\images\wsock32.dll	ini.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\wsock32.dll	ini.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\wsock32.dll	ini.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\wsock32.dll	ini.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfr\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\wsock32.dll	ini.exe
File created	C:\Program Files\7-Zip\Lang\wsock32.dll	ini.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\wsock32.dll	ini.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\fr\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\wsock32.dll	ini.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\wsock32.dll	ini.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\wsock32.dll	ini.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\wsock32.dll	ini.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\wsock32.dll	ini.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\wsock32.dll	ini.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\wsock32.dll	ini.exe

Drops file in Windows directory 10 IoCs

Processes:

9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exeini.exe

description	ioc	process
File created	C:\Windows\programs\ini.exe	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe
File created	C:\Windows\programs\fuckme.vbs	ini.exe
File created	C:\Windows\programs\desktop.ini	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe
File opened for modification	C:\Windows\programs\desktop.ini	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe
File opened for modification	C:\Windows\SysWOW64	ini.exe
File opened for modification	C:\Windows\programs\fuckme.vbs	ini.exe
File created	C:\Windows\programs\wsock32.dll	ini.exe
File created	C:\Windows\Tasks\°²×°.bat	ini.exe
File opened for modification	C:\Windows\Tasks\°²×°.bat	ini.exe
File created	C:\Windows\SysWOW64	ini.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ini.exe

pid	process
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe
2612	ini.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ini.exe

pid process

2612 ini.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe

description pid process

Token: SeIncBasePriorityPrivilege 4080 9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4080	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe

description	pid	process	target process
PID 4080 wrote to memory of 2612	4080	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe	ini.exe
PID 4080 wrote to memory of 2612	4080	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe	ini.exe
PID 4080 wrote to memory of 2612	4080	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe	ini.exe
PID 4080 wrote to memory of 4344	4080	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe	cmd.exe
PID 4080 wrote to memory of 4344	4080	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe	cmd.exe
PID 4080 wrote to memory of 4344	4080	9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe
"C:\Users\Admin\AppData\Local\Temp\9b87457fe85670e2c059cedaa560a8a31027e96fe18b2b6a7fe610f38423b2f0.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\programs\ini.exe
C:\Windows\programs\ini.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9B8745~1.EXE > nul
2⤵
PID:4344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\programs\fuckme.vbs
Filesize
98B

MD5
0925bdaa312fecb530c1d48b220d31ce

SHA1
de8d85a93acb9babfa71a74ebb40402b02853043

SHA256
3016b31ecee1ad7211b2f541d3314955e4a21d64a820b245bffdc7ac7e8e5d15

SHA512
61afae90f93fea10fec1377dbc9181f2746b97b7210ada515d28239354f092ab34e40fb1b53293fbdcea13ded1d99fa3fdcbc14464f41354f54aecfa227e8af7

Download Submit
C:\Windows\programs\ini.exe
Filesize
60KB

MD5
0c409785272193c4e042a5455834c2af

SHA1
a569e2ccf5529634f41640a26229ef6be613219f

SHA256
ec39ca8d8d874a8366b49c0d8a8b61049b13978acbec8aea59f4837117f6114e

SHA512
1b5dcf87c048e0780478e2bcb09ce15772d44a7bed54bdf1e0281f9d22a4276572cd30bd4d7ea191499af4bac3bc6ad522b8ea7069daf85a61e9937997dc0db0

Download Submit
C:\Windows\programs\ini.exe
Filesize
60KB

MD5
0c409785272193c4e042a5455834c2af

SHA1
a569e2ccf5529634f41640a26229ef6be613219f

SHA256
ec39ca8d8d874a8366b49c0d8a8b61049b13978acbec8aea59f4837117f6114e

SHA512
1b5dcf87c048e0780478e2bcb09ce15772d44a7bed54bdf1e0281f9d22a4276572cd30bd4d7ea191499af4bac3bc6ad522b8ea7069daf85a61e9937997dc0db0

Download Submit
C:\Windows\programs\wsock32.dll
Filesize
17KB

MD5
02b73a0697baf1daf7690ffacd9fdedf

SHA1
f7135318f488a7fe7b19bfabc98f91edab190f66

SHA256
6c2b79175b503d14474852132117e1f36cb25c70bee3507215d8dbb85c28e8b9

SHA512
6005b81993ffcc6fc1b6809e00b7d4fc3dfc93d6c74f6f08a81471701f1ca7f2f67d18d847a8cf2bb9bab4c4e90beaef3ce0d2ab7002836d723f3d94aa7748a0

Download Submit
memory/2612-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4080-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4080-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download