f01e8bc34f521a846f58072c86f22eb920e4389244fa7eccae973b2bdc5781aa

General

Target

0dbbbfda3be63153770863cc8ee46759.exe
Size

70KB
MD5

0dbbbfda3be63153770863cc8ee46759
SHA1

db3f259ae39428b221b73714313c5b1552c4bd6b
SHA256

f01e8bc34f521a846f58072c86f22eb920e4389244fa7eccae973b2bdc5781aa
SHA512

42f1e1aa6ba81de25eb5c8e8967fc4e90990ba34eae9a763e042a965fc6204cb78202b4f27dfa30557b23d4a12625c2fe4e21006845983e66f50085d0f7e3ef7
SSDEEP

1536:oRyTmpjkbXzcY9gXKpremrCIsZJ1EZ62lXbO3dRTBsl6+:czp8j0cremGIG/2lC3NM6+

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Public\msnl.exe = "C:\\Users\\Public\\msnl.exe:*:Enabled:Windows System Guard"	0dbbbfda3be63153770863cc8ee46759.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	0dbbbfda3be63153770863cc8ee46759.exe

Executes dropped EXE 2 IoCs

pid	Process
2692	msnl.exe
2608	msnl.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	0dbbbfda3be63153770863cc8ee46759.exe
2336	0dbbbfda3be63153770863cc8ee46759.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-0-0x0000000000400000-0x0000000000417001-memory.dmp	upx
behavioral1/memory/2152-3-0x0000000000400000-0x0000000000417001-memory.dmp	upx
behavioral1/memory/2152-8-0x0000000000400000-0x0000000000417001-memory.dmp	upx
behavioral1/memory/2152-6-0x0000000000400000-0x0000000000417001-memory.dmp	upx
behavioral1/files/0x000a00000001226e-18.dat	upx
behavioral1/memory/2692-24-0x0000000000400000-0x0000000000417001-memory.dmp	upx
behavioral1/memory/2692-29-0x0000000000400000-0x0000000000417001-memory.dmp	upx
behavioral1/memory/2692-34-0x0000000000400000-0x0000000000417001-memory.dmp	upx
behavioral1/files/0x000a00000001226e-32.dat	upx
behavioral1/memory/2692-28-0x0000000000400000-0x0000000000417001-memory.dmp	upx
behavioral1/files/0x000a00000001226e-22.dat	upx
behavioral1/files/0x000a00000001226e-17.dat	upx
behavioral1/memory/2336-16-0x0000000002D40000-0x0000000002D58000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows System Guard = "C:\\Users\\Public\\msnl.exe"	0dbbbfda3be63153770863cc8ee46759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System Guard = "C:\\Users\\Public\\msnl.exe"	0dbbbfda3be63153770863cc8ee46759.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2692 set thread context of 2608	2692	msnl.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2152	0dbbbfda3be63153770863cc8ee46759.exe
2692	msnl.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2152 wrote to memory of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2152 wrote to memory of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2152 wrote to memory of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2152 wrote to memory of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2152 wrote to memory of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2152 wrote to memory of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2152 wrote to memory of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2152 wrote to memory of 2336	2152	0dbbbfda3be63153770863cc8ee46759.exe	28
PID 2336 wrote to memory of 2692	2336	0dbbbfda3be63153770863cc8ee46759.exe	30
PID 2336 wrote to memory of 2692	2336	0dbbbfda3be63153770863cc8ee46759.exe	30
PID 2336 wrote to memory of 2692	2336	0dbbbfda3be63153770863cc8ee46759.exe	30
PID 2336 wrote to memory of 2692	2336	0dbbbfda3be63153770863cc8ee46759.exe	30
PID 2692 wrote to memory of 2608	2692	msnl.exe	29
PID 2692 wrote to memory of 2608	2692	msnl.exe	29
PID 2692 wrote to memory of 2608	2692	msnl.exe	29
PID 2692 wrote to memory of 2608	2692	msnl.exe	29
PID 2692 wrote to memory of 2608	2692	msnl.exe	29
PID 2692 wrote to memory of 2608	2692	msnl.exe	29
PID 2692 wrote to memory of 2608	2692	msnl.exe	29
PID 2692 wrote to memory of 2608	2692	msnl.exe	29
PID 2692 wrote to memory of 2608	2692	msnl.exe	29

C:\Users\Admin\AppData\Local\Temp\0dbbbfda3be63153770863cc8ee46759.exe
"C:\Users\Admin\AppData\Local\Temp\0dbbbfda3be63153770863cc8ee46759.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\0dbbbfda3be63153770863cc8ee46759.exe
  C:\Users\Admin\AppData\Local\Temp\0dbbbfda3be63153770863cc8ee46759.exe
  2⤵
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Public\msnl.exe
    "C:\Users\Public\msnl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2692

C:\Users\Public\msnl.exe
C:\Users\Public\msnl.exe
1⤵
- Executes dropped EXE
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\msnl.exe

Filesize
70KB

MD5
0dbbbfda3be63153770863cc8ee46759

SHA1
db3f259ae39428b221b73714313c5b1552c4bd6b

SHA256
f01e8bc34f521a846f58072c86f22eb920e4389244fa7eccae973b2bdc5781aa

SHA512
42f1e1aa6ba81de25eb5c8e8967fc4e90990ba34eae9a763e042a965fc6204cb78202b4f27dfa30557b23d4a12625c2fe4e21006845983e66f50085d0f7e3ef7

Download Submit
C:\Users\Public\msnl.exe

Filesize
55KB

MD5
9fe5026bf8f701b976c2a12da2f5ee27

SHA1
610884d3656f8de260ea11e7bce5660e3cd8dbcb

SHA256
66419c4396bdee7914bc3fe9bde43c0009f77c4d7a5b1bfa2cf76e6c7b4e186c

SHA512
d730ad921059f402d50287668afcd2cc0dd8cb6b71b2f6a934b0b4cf0612d5e41c1242a954e6f039d9f500630c340938e8751b74d740d43f89036244db722d25

Download Submit
C:\Users\Public\msnl.exe

Filesize
54KB

MD5
d1420c5be154be29d1812b6db9755476

SHA1
ce9325d8fd7c021703fd068ee86e10a30965acbc

SHA256
e2c501c8ab1716faefd8ee6b877228b50b8858907368cce5179eaaa227e597ad

SHA512
e44f0766081fd252751bcc87358a75038d0c8a9c9765582b9c2f04f540d22660fef5ef2b463625e03e5d6488c445d337da87f6e5dc18e1c5cc1922246b7a1833

Download Submit
\Users\Public\msnl.exe

Filesize
37KB

MD5
71ac025492b7a22b959efe26ab6c23f9

SHA1
de6d8e61dc80c74f3a36e4ccc745093499cb0e00

SHA256
b6b076917f652647a92a9b94b7fec6d4fda5651c0c89866510e9573345bf42e6

SHA512
6f8d5cd278dd0b061f8fa5a96fde6ba1900a2df1eed338ab9ce66020669472dc94df5a92964ae0820b9184fde49fcec7a2238ca6ee3c89152652d007e26076ef

Download Submit
memory/2152-0-0x0000000000400000-0x0000000000417001-memory.dmp

Filesize
92KB

Download
memory/2152-3-0x0000000000400000-0x0000000000417001-memory.dmp

Filesize
92KB

Download
memory/2152-4-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/2152-8-0x0000000000400000-0x0000000000417001-memory.dmp

Filesize
92KB

Download
memory/2152-6-0x0000000000400000-0x0000000000417001-memory.dmp

Filesize
92KB

Download
memory/2152-37-0x0000000000400000-0x0000000000417001-memory.dmp

Filesize
92KB

Download
memory/2336-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2336-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2336-25-0x0000000000410000-0x0000000000477000-memory.dmp

Filesize
412KB

Download
memory/2336-16-0x0000000002D40000-0x0000000002D58000-memory.dmp

Filesize
96KB

Download
memory/2336-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2336-21-0x0000000002D40000-0x0000000002D58000-memory.dmp

Filesize
96KB

Download
memory/2608-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2608-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2692-29-0x0000000000400000-0x0000000000417001-memory.dmp

Filesize
92KB

Download
memory/2692-28-0x0000000000400000-0x0000000000417001-memory.dmp

Filesize
92KB

Download
memory/2692-34-0x0000000000400000-0x0000000000417001-memory.dmp

Filesize
92KB

Download
memory/2692-24-0x0000000000400000-0x0000000000417001-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads