71f8d67454fc5341f12bb1f2a9f1f9dafd867ee53d2dde42e2979697f952d05f

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54695921cba45873f83abd20fd48fe44.exe
Size

2.3MB
MD5

54695921cba45873f83abd20fd48fe44
SHA1

efbb580af2e686d2470f239a6688a18c89910e98
SHA256

71f8d67454fc5341f12bb1f2a9f1f9dafd867ee53d2dde42e2979697f952d05f
SHA512

9b283288af0de4db8593a557d67486f4b7d2af90bf0d8c22f55d61c82e4e1c222bf675d447c62a644c30e847b682eb6c740325cbb0a7f829e300ebe903549e22
SSDEEP

49152:/4EDgkyNw8yhyiwn9QUQi2QOPiSBUuhIKnNpaYZ6u4v3nt4zm/DBFHqAYAyYjrn:QEDgVNNL9QUQiePPTnLa06xv3nZDBZqO

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\trs.sys	54695921cba45873f83abd20fd48fe44.exe
File created	C:\Windows\SysWOW64\drivers\gxnfombr.sys	TITI.EXE

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ppoopvq\ImagePath = "system32\\drivers\\gxnfombr.sys"	TITI.EXE
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pelodlo\ImagePath = "system32\\drivers\\trs.sys"	54695921cba45873f83abd20fd48fe44.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	TITI.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00300000000170b7-8.dat	upx
behavioral1/memory/2456-9-0x0000000003220000-0x00000000034D4000-memory.dmp	upx
behavioral1/memory/2692-10-0x0000000000400000-0x00000000006B4000-memory.dmp	upx
behavioral1/memory/2692-17-0x0000000000400000-0x00000000006B4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\ctmon.exe"	54695921cba45873f83abd20fd48fe44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup = "C:\\cleanup.exe"	TITI.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\dsqxsz.txt	TITI.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2456	54695921cba45873f83abd20fd48fe44.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2692	TITI.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2692	TITI.EXE
2692	TITI.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2692	2456	54695921cba45873f83abd20fd48fe44.exe	28
PID 2456 wrote to memory of 2692	2456	54695921cba45873f83abd20fd48fe44.exe	28
PID 2456 wrote to memory of 2692	2456	54695921cba45873f83abd20fd48fe44.exe	28
PID 2456 wrote to memory of 2692	2456	54695921cba45873f83abd20fd48fe44.exe	28

C:\Users\Admin\AppData\Local\Temp\54695921cba45873f83abd20fd48fe44.exe
"C:\Users\Admin\AppData\Local\Temp\54695921cba45873f83abd20fd48fe44.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2456
- \??\c:\TITI.EXE
  c:\TITI.EXE /nogui c:\kill.txt
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TITI.EXE

Filesize
714KB

MD5
30f3680e007d924960fd65524de36601

SHA1
23f1e67e28052188432d2031335a79cb5ae72a8f

SHA256
6485271fe48f7be4cb49735c60fa4cf2ff52f235e2b24bfba22df6ea75fda1d7

SHA512
33323b60353430962ef0e07dd166625ae8cb1d2080f75859d35cf0c807d146ccd7272feef37ebbe8ce77f988658ef0dee6602f9b1bcf429cd0c1898862b5091a

Download Submit
C:\cleanup.bat

Filesize
574B

MD5
f729045a51896f374fee1ab23eb8fe7f

SHA1
62890664667b1f3361eadf1d7c4bf61ae0477370

SHA256
40bf96d24a051c9fd666c603e29ce70e1dab97feea0406fd32a167bb44c2c8c6

SHA512
40b7fd24237046761700364e4d3be4fff69913862385d1833d43430a90b0b90ca0762b8c971bda16ec8c6c936f344a5898375212b25073ae2f9e7932efac9c36

Download Submit
C:\zip.exe

Filesize
132KB

MD5
db9b1cc34b35136f35e333de520c15f5

SHA1
538bc7ab67c44c44e998bac022fefdddbaa1976f

SHA256
f192a871ed2e942275aa3629351c08eb8383dedec7c10024fda9b642633685e1

SHA512
c4e48ed3691c6396a8e2829718276edf12d5537d007266ae796b8089f0967bb0659b2fbc757ed9b36e88a2a1d5e5f22f7b8f675396982d01fe5fcfb91ffda580

Download Submit
\??\c:\kill.txt

Filesize
220B

MD5
9fe21a38099fb1bfbbb0d8555d538c79

SHA1
efd76f4b54e003aca641ac0474298bbf39a193b0

SHA256
5d2b8cd96c7721e2eaecdf7d9b3aec6f8599b2202c159886005581112f4f557b

SHA512
25935e8989ff09cbfe5fe682aae3e5c6c64bd71b947a8c580e5fbc93170c6b3602826a2deadb2450a149beb4530301734a7b4a7e29ed8ed59076c995bd8f91da

Download Submit
memory/2456-23-0x0000000003220000-0x00000000034D4000-memory.dmp

Filesize
2.7MB

Download
memory/2456-22-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2456-30-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2456-9-0x0000000003220000-0x00000000034D4000-memory.dmp

Filesize
2.7MB

Download
memory/2456-5-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2456-20-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2456-21-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2456-28-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2456-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2456-24-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2456-25-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2456-26-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2456-27-0x0000000000400000-0x00000000008FA000-memory.dmp

Filesize
5.0MB

Download
memory/2692-10-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2692-17-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads