e3ca14b23d3f2a4d4642477183a4a52e804da09eb1576e9f9da49e016080bf0d

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44a832d85d5b5faf8eac1787295ba98d.exe
Size

364KB
MD5

44a832d85d5b5faf8eac1787295ba98d
SHA1

5b22a597b001c65127a40907cc65b1a4ebda30e9
SHA256

e3ca14b23d3f2a4d4642477183a4a52e804da09eb1576e9f9da49e016080bf0d
SHA512

5a275792652f5ae45450ef8a41c3424915e8951ff10d2ef25e2e26b42dc7475a1c5a4de3bc7519c567f20a4b4f7aafc0030e5c3587b873c97245ce097849af0a
SSDEEP

6144:MiRV+qT5KYaGySK87aog7NTOog89WA8CcPTHhBjLX0/6ql/JqpHq:MiCi5KYaGTaoye885CSThzq

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2724	hBn01831bKbJa01831.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe

Loads dropped DLL 4 IoCs

pid	Process
1748	44a832d85d5b5faf8eac1787295ba98d.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1748-1-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2840-29-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/1748-28-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2724-39-0x0000000000400000-0x00000000004CB000-memory.dmp	upx
behavioral1/memory/2724-49-0x0000000000400000-0x00000000004CB000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hBn01831bKbJa01831 = "C:\\ProgramData\\hBn01831bKbJa01831\\hBn01831bKbJa01831.exe"	hBn01831bKbJa01831.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	hBn01831bKbJa01831.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	44a832d85d5b5faf8eac1787295ba98d.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
2840	hBn01831bKbJa01831.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
2840	hBn01831bKbJa01831.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
2840	hBn01831bKbJa01831.exe
1748	44a832d85d5b5faf8eac1787295ba98d.exe
2840	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	44a832d85d5b5faf8eac1787295ba98d.exe
Token: SeDebugPrivilege	2840	hBn01831bKbJa01831.exe
Token: SeDebugPrivilege	2724	hBn01831bKbJa01831.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	hBn01831bKbJa01831.exe
2724	hBn01831bKbJa01831.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2840	1748	44a832d85d5b5faf8eac1787295ba98d.exe	28
PID 1748 wrote to memory of 2840	1748	44a832d85d5b5faf8eac1787295ba98d.exe	28
PID 1748 wrote to memory of 2840	1748	44a832d85d5b5faf8eac1787295ba98d.exe	28
PID 1748 wrote to memory of 2840	1748	44a832d85d5b5faf8eac1787295ba98d.exe	28
PID 1748 wrote to memory of 2724	1748	44a832d85d5b5faf8eac1787295ba98d.exe	29
PID 1748 wrote to memory of 2724	1748	44a832d85d5b5faf8eac1787295ba98d.exe	29
PID 1748 wrote to memory of 2724	1748	44a832d85d5b5faf8eac1787295ba98d.exe	29
PID 1748 wrote to memory of 2724	1748	44a832d85d5b5faf8eac1787295ba98d.exe	29

C:\Users\Admin\AppData\Local\Temp\44a832d85d5b5faf8eac1787295ba98d.exe
"C:\Users\Admin\AppData\Local\Temp\44a832d85d5b5faf8eac1787295ba98d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\ProgramData\hBn01831bKbJa01831\hBn01831bKbJa01831.exe
  "C:\ProgramData\hBn01831bKbJa01831\hBn01831bKbJa01831.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\ProgramData\hBn01831bKbJa01831\hBn01831bKbJa01831.exe
  "C:\ProgramData\hBn01831bKbJa01831\hBn01831bKbJa01831.exe" "C:\Users\Admin\AppData\Local\Temp\44a832d85d5b5faf8eac1787295ba98d.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hBn01831bKbJa01831\hBn01831bKbJa01831

Filesize
192B

MD5
a1cdbbe63b82dbd2d9f1ac471050a7fb

SHA1
d6654cb1fd01da7b02b654a11ed3b4557a3af1ea

SHA256
e2f5c0376d20dd732ec99d3cdf438d200fffdc394cfd28eaabe5f3f45bcc5a65

SHA512
f9b30c5cefeab63074a419ea450cd308c0f96bbc2b8ffb644c8e45bf61f21a600973ec4eaf90427b2b0b57b19d72b120c1c78d55480a529ef1bc404b87ba6b01

Download Submit
C:\ProgramData\hBn01831bKbJa01831\hBn01831bKbJa01831

Filesize
192B

MD5
1e26fb944e67cf252e9926c28b7eab6a

SHA1
710ead59875b2ea5934a428fcf17aa43bd95e0f3

SHA256
18eddcc0d77e3920503bcf8d686f448425c21e7abec09d0b0ccae3989de6fd6a

SHA512
b000636246fe3b28d9839f9d9a1a8bda48eb6cf51cf2f28059d1873ef8cfe7b3bd0a1c1a7c15f3e8af7cb0f3f28ffdb43f5da7c0fa40c8926b08c15fbecdf36e

Download Submit
\ProgramData\hBn01831bKbJa01831\hBn01831bKbJa01831.exe

Filesize
364KB

MD5
363fba7ad9a5f50e7ace1d04a3100732

SHA1
1c89ba957eb68db58931d6bcfe2a50a5db666e18

SHA256
02edd611e2d8a3dac0195c95841a9b73570fc649a3a97e2f67a6db28e8d197fa

SHA512
bcfa5334db7cb9b56bf654844d8a31481330a2ff3ba29845a253374d0316296253443fe3d23a91e7f4c5b04d1ce33ee54cfb5d493af7fd71abaa92ed18f637d0

Download Submit
memory/1748-1-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1748-2-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/1748-28-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2724-32-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2724-39-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2724-41-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2724-49-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2840-19-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2840-29-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download