77f57ccf1b7b7a2bfc1a549d98a819a515b39a305248bc820d0ff392e352fc92

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07fe831123d550e74c5bba7fdce6b76e.exe
Size

188KB
MD5

07fe831123d550e74c5bba7fdce6b76e
SHA1

b4456506a3e5d544f9ec86823b696d37a8c86ae5
SHA256

77f57ccf1b7b7a2bfc1a549d98a819a515b39a305248bc820d0ff392e352fc92
SHA512

3376fee2cba7850b9c22616aec76edcc1bd3c2b4af630fcafc631c39ec8b6924dbf73a06b53adfa3591a1de246eb0c574aaf3088b4ea12394afe7f6f935ff4cb
SSDEEP

3072:3NkCNEac2ftrBQc8Al7vHC4zi4Agsu5vWQCR:3NTNEuRCgi4XsuoQ

Score

8^/10

evasion

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	07fe831123d550e74c5bba7fdce6b76e.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
2044	bs259436823.exe

Loads dropped DLL 4 IoCs

pid	Process
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kdfnba.idx	07fe831123d550e74c5bba7fdce6b76e.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\progra~1\Len0v0\CBA.sys	07fe831123d550e74c5bba7fdce6b76e.exe
File created	C:\progra~1\Len0v0\One.dll	07fe831123d550e74c5bba7fdce6b76e.exe
File created	C:\progra~1\Len0v0\CBA.inf	07fe831123d550e74c5bba7fdce6b76e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\3120.mp4	07fe831123d550e74c5bba7fdce6b76e.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2848	sc.exe
2724	sc.exe
3016	sc.exe
2720	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1268	1064	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe
1064	07fe831123d550e74c5bba7fdce6b76e.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeAuditPrivilege	2592	svchost.exe
Token: SeRestorePrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe
Token: SeRestorePrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe
Token: SeRestorePrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe
Token: SeRestorePrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe
Token: SeRestorePrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe
Token: SeRestorePrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe
Token: SeRestorePrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe
Token: SeDebugPrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe
Token: SeDebugPrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe
Token: SeDebugPrivilege	1064	07fe831123d550e74c5bba7fdce6b76e.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2272	1064	07fe831123d550e74c5bba7fdce6b76e.exe	28
PID 1064 wrote to memory of 2272	1064	07fe831123d550e74c5bba7fdce6b76e.exe	28
PID 1064 wrote to memory of 2272	1064	07fe831123d550e74c5bba7fdce6b76e.exe	28
PID 1064 wrote to memory of 2272	1064	07fe831123d550e74c5bba7fdce6b76e.exe	28
PID 1064 wrote to memory of 2720	1064	07fe831123d550e74c5bba7fdce6b76e.exe	30
PID 1064 wrote to memory of 2720	1064	07fe831123d550e74c5bba7fdce6b76e.exe	30
PID 1064 wrote to memory of 2720	1064	07fe831123d550e74c5bba7fdce6b76e.exe	30
PID 1064 wrote to memory of 2720	1064	07fe831123d550e74c5bba7fdce6b76e.exe	30
PID 1064 wrote to memory of 2848	1064	07fe831123d550e74c5bba7fdce6b76e.exe	32
PID 1064 wrote to memory of 2848	1064	07fe831123d550e74c5bba7fdce6b76e.exe	32
PID 1064 wrote to memory of 2848	1064	07fe831123d550e74c5bba7fdce6b76e.exe	32
PID 1064 wrote to memory of 2848	1064	07fe831123d550e74c5bba7fdce6b76e.exe	32
PID 1064 wrote to memory of 2724	1064	07fe831123d550e74c5bba7fdce6b76e.exe	34
PID 1064 wrote to memory of 2724	1064	07fe831123d550e74c5bba7fdce6b76e.exe	34
PID 1064 wrote to memory of 2724	1064	07fe831123d550e74c5bba7fdce6b76e.exe	34
PID 1064 wrote to memory of 2724	1064	07fe831123d550e74c5bba7fdce6b76e.exe	34
PID 1064 wrote to memory of 3016	1064	07fe831123d550e74c5bba7fdce6b76e.exe	37
PID 1064 wrote to memory of 3016	1064	07fe831123d550e74c5bba7fdce6b76e.exe	37
PID 1064 wrote to memory of 3016	1064	07fe831123d550e74c5bba7fdce6b76e.exe	37
PID 1064 wrote to memory of 3016	1064	07fe831123d550e74c5bba7fdce6b76e.exe	37
PID 1064 wrote to memory of 2044	1064	07fe831123d550e74c5bba7fdce6b76e.exe	39
PID 1064 wrote to memory of 2044	1064	07fe831123d550e74c5bba7fdce6b76e.exe	39
PID 1064 wrote to memory of 2044	1064	07fe831123d550e74c5bba7fdce6b76e.exe	39
PID 1064 wrote to memory of 2044	1064	07fe831123d550e74c5bba7fdce6b76e.exe	39
PID 1064 wrote to memory of 1268	1064	07fe831123d550e74c5bba7fdce6b76e.exe	40
PID 1064 wrote to memory of 1268	1064	07fe831123d550e74c5bba7fdce6b76e.exe	40
PID 1064 wrote to memory of 1268	1064	07fe831123d550e74c5bba7fdce6b76e.exe	40
PID 1064 wrote to memory of 1268	1064	07fe831123d550e74c5bba7fdce6b76e.exe	40

C:\Users\Admin\AppData\Local\Temp\07fe831123d550e74c5bba7fdce6b76e.exe
"C:\Users\Admin\AppData\Local\Temp\07fe831123d550e74c5bba7fdce6b76e.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" import C:\Windows\3120.mp4
  2⤵
  PID:2272
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" config PolicyAgent start= auto
  2⤵
  - Launches sc.exe
  PID:2720
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" stop PolicyAgent
  2⤵
  - Launches sc.exe
  PID:2848
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start PolicyAgent
  2⤵
  - Launches sc.exe
  PID:2724
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" stop PolicyAgent
  2⤵
  - Launches sc.exe
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\bs259436823.exe
  "C:\Users\Admin\AppData\Local\Temp\bs259436823.exe"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 668
  2⤵
  - Program crash
  PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\3120.mp4

Filesize
56KB

MD5
bc8025bc98da7f4ed891c9f9991d3ff1

SHA1
70a69a7fcebe9b43f00a1fa713e3a0621bf3ac6d

SHA256
59b9dc39d69f8b0aa350f550e42e632b396237865776d0ce75477f8fe3f9016f

SHA512
7f772261e003d2df9162ae4aeaab2bda674ee2721b3300cc8b2a2f4904af6bc9c565c7f2c3e67a7394eb1a387860a2544fc5bdc3e6de384b664f8d232ad6acf5

Download Submit
\PROGRA~1\Len0v0\One.dll

Filesize
9KB

MD5
bce7f7febc4138622f9010e9e54436f4

SHA1
cc0dd40d0bd74f9c282cc49b95f4f9b86ff62d18

SHA256
20f5998e5ae247b70437594f0208272e73b4acdbfd2d32b7893b79214a941d1c

SHA512
a73c2edccb7b28e0c438466dc8601a0c4db2d21754e1b413ca553a9675ce97aedf98f8cce7a3a81e657ad4dbd55a86fe365d07c5be24c98d6386c0e1cfc541a5

Download Submit
\Users\Admin\AppData\Local\Temp\bs259436823.exe

Filesize
16KB

MD5
44bb474906b1b2fdd0506f93874d982b

SHA1
c580ec0611d025b7832793e1d38e900c7dddf975

SHA256
0ec5416a8fb6e6c0d83d2c8e4555fa3525bf0f0889dcefbf9dabe249d9827f17

SHA512
b1a0253e202915c9b013f8d8f7441f6bd85bd711b7d8228d2c953c730ba639ec38cd3316f0f67bd7327097d8301c6ace3822717d61aa0a6810eb5311c8bfa54f

Download Submit
\Windows\SysWOW64\kdfnba.idx

Filesize
16KB

MD5
add4832059173fcdb135d949194ad52b

SHA1
33f1dfd83e76e0897bd134d380fd56431a7cde6b

SHA256
2f9b075862a8509928a48c20bd988215c4f754d2ee3171cf15320ffe6f77f957

SHA512
ac04e7ec33592423a85dbcd0aa7a40e5e63671ad712101f007db8551be49b407c508e17d80fd3dcdece2a9d0a8cf9980aae5aa76e8452af73485fd62f31ad0d5

Download Submit
memory/1064-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-9-0x0000000010000000-0x0000000010004000-memory.dmp

Filesize
16KB

Download
memory/1064-29-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/1064-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-32-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download