44e6496622a32cf8b38caad776fd12c8698a5082caa1d5868e21386777d91646

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photo01 By ‮‮‮‮gpj.scr
Size

547KB
MD5

dc5e556beac206f025de1c9f92d2e39b
SHA1

c0820fed333a9bb3c800950e5d3f46b0ade731e0
SHA256

560e31e0a9b21391f252a3096e2e0e495eb7c33a7548de1d71dea1a334536aee
SHA512

4f34c33157fa78e7d068480962ad30116673a62fff7591b95d245e3cdc56e218cb6c8cc63ad1930d555a033ce810ba929c9040ebcc7df61099f673fbb8e6b621
SSDEEP

12288:oXTxe8fUp6qreT2A+FY0u7qMg+RIGjFGKOyeRJatK:xpVLqg+KW5b3tK

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Updbsp01.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Updbsp01.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Photo01 By ????gpj.exe:*:Enabled:Windows Messanger"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 2752	2404	Photo01 By ‮‮‮‮gpj.scr	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2956	reg.exe
2952	reg.exe
2316	reg.exe
2580	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	Photo01 By ‮‮‮‮gpj.scr
Token: 1	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeCreateTokenPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeAssignPrimaryTokenPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeLockMemoryPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeIncreaseQuotaPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeMachineAccountPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeTcbPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeSecurityPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeTakeOwnershipPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeLoadDriverPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeSystemProfilePrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeSystemtimePrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeProfSingleProcessPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeIncBasePriorityPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeCreatePagefilePrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeCreatePermanentPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeBackupPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeRestorePrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeShutdownPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeDebugPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeAuditPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeSystemEnvironmentPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeChangeNotifyPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeRemoteShutdownPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeUndockPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeSyncAgentPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeEnableDelegationPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeManageVolumePrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeImpersonatePrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: SeCreateGlobalPrivilege	2752	Photo01 By ‮‮‮‮gpj.scr
Token: 31	2752	Photo01 By ‮‮‮‮gpj.scr
Token: 32	2752	Photo01 By ‮‮‮‮gpj.scr
Token: 33	2752	Photo01 By ‮‮‮‮gpj.scr
Token: 34	2752	Photo01 By ‮‮‮‮gpj.scr
Token: 35	2752	Photo01 By ‮‮‮‮gpj.scr

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1532	DllHost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2752	Photo01 By ‮‮‮‮gpj.scr
2752	Photo01 By ‮‮‮‮gpj.scr
2752	Photo01 By ‮‮‮‮gpj.scr
2752	Photo01 By ‮‮‮‮gpj.scr
2752	Photo01 By ‮‮‮‮gpj.scr
2752	Photo01 By ‮‮‮‮gpj.scr
2752	Photo01 By ‮‮‮‮gpj.scr
2752	Photo01 By ‮‮‮‮gpj.scr

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2752	2404	Photo01 By ‮‮‮‮gpj.scr	28
PID 2404 wrote to memory of 2752	2404	Photo01 By ‮‮‮‮gpj.scr	28
PID 2404 wrote to memory of 2752	2404	Photo01 By ‮‮‮‮gpj.scr	28
PID 2404 wrote to memory of 2752	2404	Photo01 By ‮‮‮‮gpj.scr	28
PID 2404 wrote to memory of 2752	2404	Photo01 By ‮‮‮‮gpj.scr	28
PID 2404 wrote to memory of 2752	2404	Photo01 By ‮‮‮‮gpj.scr	28
PID 2404 wrote to memory of 2752	2404	Photo01 By ‮‮‮‮gpj.scr	28
PID 2404 wrote to memory of 2752	2404	Photo01 By ‮‮‮‮gpj.scr	28
PID 2404 wrote to memory of 2648	2404	Photo01 By ‮‮‮‮gpj.scr	29
PID 2404 wrote to memory of 2648	2404	Photo01 By ‮‮‮‮gpj.scr	29
PID 2404 wrote to memory of 2648	2404	Photo01 By ‮‮‮‮gpj.scr	29
PID 2404 wrote to memory of 2648	2404	Photo01 By ‮‮‮‮gpj.scr	29
PID 2752 wrote to memory of 2552	2752	Photo01 By ‮‮‮‮gpj.scr	37
PID 2752 wrote to memory of 2552	2752	Photo01 By ‮‮‮‮gpj.scr	37
PID 2752 wrote to memory of 2552	2752	Photo01 By ‮‮‮‮gpj.scr	37
PID 2752 wrote to memory of 2552	2752	Photo01 By ‮‮‮‮gpj.scr	37
PID 2752 wrote to memory of 2668	2752	Photo01 By ‮‮‮‮gpj.scr	36
PID 2752 wrote to memory of 2668	2752	Photo01 By ‮‮‮‮gpj.scr	36
PID 2752 wrote to memory of 2668	2752	Photo01 By ‮‮‮‮gpj.scr	36
PID 2752 wrote to memory of 2668	2752	Photo01 By ‮‮‮‮gpj.scr	36
PID 2752 wrote to memory of 2704	2752	Photo01 By ‮‮‮‮gpj.scr	35
PID 2752 wrote to memory of 2704	2752	Photo01 By ‮‮‮‮gpj.scr	35
PID 2752 wrote to memory of 2704	2752	Photo01 By ‮‮‮‮gpj.scr	35
PID 2752 wrote to memory of 2704	2752	Photo01 By ‮‮‮‮gpj.scr	35
PID 2752 wrote to memory of 2644	2752	Photo01 By ‮‮‮‮gpj.scr	34
PID 2752 wrote to memory of 2644	2752	Photo01 By ‮‮‮‮gpj.scr	34
PID 2752 wrote to memory of 2644	2752	Photo01 By ‮‮‮‮gpj.scr	34
PID 2752 wrote to memory of 2644	2752	Photo01 By ‮‮‮‮gpj.scr	34
PID 2668 wrote to memory of 2952	2668	cmd.exe	41
PID 2668 wrote to memory of 2952	2668	cmd.exe	41
PID 2668 wrote to memory of 2952	2668	cmd.exe	41
PID 2668 wrote to memory of 2952	2668	cmd.exe	41
PID 2704 wrote to memory of 2580	2704	cmd.exe	43
PID 2704 wrote to memory of 2580	2704	cmd.exe	43
PID 2704 wrote to memory of 2580	2704	cmd.exe	43
PID 2704 wrote to memory of 2580	2704	cmd.exe	43
PID 2552 wrote to memory of 2316	2552	cmd.exe	42
PID 2552 wrote to memory of 2316	2552	cmd.exe	42
PID 2552 wrote to memory of 2316	2552	cmd.exe	42
PID 2552 wrote to memory of 2316	2552	cmd.exe	42
PID 2644 wrote to memory of 2956	2644	cmd.exe	40
PID 2644 wrote to memory of 2956	2644	cmd.exe	40
PID 2644 wrote to memory of 2956	2644	cmd.exe	40
PID 2644 wrote to memory of 2956	2644	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\Photo01 By ‮‮‮‮gpj.scr
"C:\Users\Admin\AppData\Local\Temp\Photo01 By ‮‮‮‮gpj.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\Photo01 By ‮‮‮‮gpj.scr
  "C:\Users\Admin\AppData\Local\Temp\Photo01 By ‮‮‮‮gpj.scr"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Updbsp01.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Updbsp01.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Updbsp01.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Updbsp01.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Photo01 By ????gpj.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YICsc.vbs"
  2⤵
  PID:2648

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dunkel.jpg

Filesize
25KB

MD5
c0445a9d363b4960d7085959be6dd62a

SHA1
3e859468f8524c9e69ddb9111a591b162a863878

SHA256
cf7203048cd517b7b7f1e567ce36dc7f24d3d3869049b34569ddad50493ff0d4

SHA512
2a4747361fd6eee5be02e1768696690220e80fda59024721ce6d197cf734e03530dc476e47403334ab7eaec80b9fd7ef3b0b040f740f6a75bb03846def201a8e

Download Submit
C:\Users\Admin\AppData\Roaming\YICsc.vbs

Filesize
399B

MD5
ce01be7699a958d0bc7ed4d3207b49d7

SHA1
006dd08cb31da33ab0f54baa30f8d28e34dd83de

SHA256
0c9b78079d5172366b8806bffcb293a7b42bf83850148e5509ebe566e01e585a

SHA512
7a0d92283cb9317bf99e14df7d8ae0eaa17af007177a231f974c95a924f67d2cd40600ffd051ef55eb6258720ebb8500b56e482d8e512b128eb184f2d0490c08

Download Submit
memory/1532-33-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1532-29-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1532-28-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2404-30-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-4-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-1-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-2-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/2404-3-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-17-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/2404-0-0x0000000074AC0000-0x000000007506B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-27-0x0000000004A30000-0x0000000004A32000-memory.dmp

Filesize
8KB

Download
memory/2752-8-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2752-5-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2752-19-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2752-6-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2752-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2752-12-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads