23b2253631080c89ec207e5c58f807b9b5304edb21cad27a1e01cb69a43e6a14

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62765977c698cc28d25cce7a59c4f612.exe
Size

700KB
MD5

62765977c698cc28d25cce7a59c4f612
SHA1

124f59d1ba517200aef6fea8df8bc2d7aec1fd02
SHA256

23b2253631080c89ec207e5c58f807b9b5304edb21cad27a1e01cb69a43e6a14
SHA512

702e63d50990130852971349016bb112753eaedae47ab7503fa28b79b38b06009f317ee77c4d1d8ea250c561e5d6ac70ceb76201c8b393b6e428bce2eaa35dcb
SSDEEP

12288:v6Wq4aaE6KwyF5L0Y2D1PqLPJv4RgeOFj+kkDzTI7UP+AoIio9xMpj6qd3RD0:tthEVaPqLPJvleOUbzT4U2HIiV6AO

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3056	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ca5ed51564c3c4743760e9065b29230.exe	FlashPlayer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ca5ed51564c3c4743760e9065b29230.exe	FlashPlayer.exe

Executes dropped EXE 4 IoCs

pid	Process
2140	hh.exe
1764	hah.exe
2924	FlashPlayer.exe
796	hh.exe

Loads dropped DLL 5 IoCs

pid	Process
2304	62765977c698cc28d25cce7a59c4f612.exe
2304	62765977c698cc28d25cce7a59c4f612.exe
2304	62765977c698cc28d25cce7a59c4f612.exe
1764	hah.exe
2140	hh.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2304-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2304-22-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\2ca5ed51564c3c4743760e9065b29230 = "\"C:\\Users\\Admin\\AppData\\Roaming\\FlashPlayer.exe\" .."	FlashPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2ca5ed51564c3c4743760e9065b29230 = "\"C:\\Users\\Admin\\AppData\\Roaming\\FlashPlayer.exe\" .."	FlashPlayer.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2304-22-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 796	2140	hh.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2924	FlashPlayer.exe
2924	FlashPlayer.exe
2924	FlashPlayer.exe
796	hh.exe
796	hh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	hh.exe
Token: SeDebugPrivilege	2924	FlashPlayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2304	62765977c698cc28d25cce7a59c4f612.exe
2304	62765977c698cc28d25cce7a59c4f612.exe
2304	62765977c698cc28d25cce7a59c4f612.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2304	62765977c698cc28d25cce7a59c4f612.exe
2304	62765977c698cc28d25cce7a59c4f612.exe
2304	62765977c698cc28d25cce7a59c4f612.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2140	2304	62765977c698cc28d25cce7a59c4f612.exe	33
PID 2304 wrote to memory of 2140	2304	62765977c698cc28d25cce7a59c4f612.exe	33
PID 2304 wrote to memory of 2140	2304	62765977c698cc28d25cce7a59c4f612.exe	33
PID 2304 wrote to memory of 2140	2304	62765977c698cc28d25cce7a59c4f612.exe	33
PID 2304 wrote to memory of 1764	2304	62765977c698cc28d25cce7a59c4f612.exe	32
PID 2304 wrote to memory of 1764	2304	62765977c698cc28d25cce7a59c4f612.exe	32
PID 2304 wrote to memory of 1764	2304	62765977c698cc28d25cce7a59c4f612.exe	32
PID 2304 wrote to memory of 1764	2304	62765977c698cc28d25cce7a59c4f612.exe	32
PID 1764 wrote to memory of 2924	1764	hah.exe	31
PID 1764 wrote to memory of 2924	1764	hah.exe	31
PID 1764 wrote to memory of 2924	1764	hah.exe	31
PID 1764 wrote to memory of 2924	1764	hah.exe	31
PID 2924 wrote to memory of 3056	2924	FlashPlayer.exe	30
PID 2924 wrote to memory of 3056	2924	FlashPlayer.exe	30
PID 2924 wrote to memory of 3056	2924	FlashPlayer.exe	30
PID 2924 wrote to memory of 3056	2924	FlashPlayer.exe	30
PID 2140 wrote to memory of 796	2140	hh.exe	28
PID 2140 wrote to memory of 796	2140	hh.exe	28
PID 2140 wrote to memory of 796	2140	hh.exe	28
PID 2140 wrote to memory of 796	2140	hh.exe	28
PID 2140 wrote to memory of 796	2140	hh.exe	28
PID 2140 wrote to memory of 796	2140	hh.exe	28
PID 2140 wrote to memory of 796	2140	hh.exe	28
PID 796 wrote to memory of 1192	796	hh.exe	20
PID 796 wrote to memory of 1192	796	hh.exe	20
PID 796 wrote to memory of 1192	796	hh.exe	20
PID 796 wrote to memory of 1192	796	hh.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\62765977c698cc28d25cce7a59c4f612.exe
  "C:\Users\Admin\AppData\Local\Temp\62765977c698cc28d25cce7a59c4f612.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\hah.exe
    C:\Users\Admin\AppData\Local\Temp/hah.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\hh.exe
    C:\Users\Admin\AppData\Local\Temp/hh.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140

C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\FlashPlayer.exe" "FlashPlayer.exe" ENABLE
1⤵
- Modifies Windows Firewall
PID:3056

C:\Users\Admin\AppData\Roaming\FlashPlayer.exe
"C:\Users\Admin\AppData\Roaming\FlashPlayer.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hh.exe

Filesize
410KB

MD5
38e8463187e7ebc85774eba3474d929a

SHA1
a6e0d0c0d74f57afcc1060d78546e6cbe689e408

SHA256
22f317b96172637201b93793c99899bb13d2e21cdb46d98de6f9a51312707ede

SHA512
fff2c98b8f33130f3408a81a469af32f94930079f6fb07b11efd4f7b8ae7ff850a214c7aba63e18abdc2d5ef38d7f8f72041d9391d083e6f1c6d1c0ba9ecceaf

Download Submit
C:\Users\Admin\AppData\Roaming\FlashPlayer.exe

Filesize
26KB

MD5
0ce9160647d6f0a19f39100677ba4e6f

SHA1
7d07ad52a4d9699aa4792864b88bc5725385ea10

SHA256
46bb4c85226783ebc68fca0186fe51b543a58a6a3f74af4baf8d81bec186ae5c

SHA512
5f9bb6735c7b8e01202ca3e56c6c9b3b1e8cc8aa26352863b0595fb392cd1afc3487c577a99477bf911d1ad17443f76b1ab8223ce127972a2d0760f57069aa77

Download Submit
memory/796-114-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/796-130-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/796-125-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1764-109-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-52-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-39-0x00000000022D0000-0x0000000002310000-memory.dmp

Filesize
256KB

Download
memory/2140-75-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-69-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-124-0x0000000077120000-0x0000000077230000-memory.dmp

Filesize
1.1MB

Download
memory/2140-126-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2140-36-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2140-37-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2140-20-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-76-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-33-0x0000000077120000-0x0000000077230000-memory.dmp

Filesize
1.1MB

Download
memory/2140-105-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-100-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-98-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-97-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-96-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-95-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-94-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-92-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-91-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-90-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-89-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-88-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-87-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-86-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-85-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-84-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-83-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-82-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-70-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-80-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-79-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-78-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-77-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-51-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-74-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-73-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-72-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-93-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-71-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-81-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-68-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-67-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-66-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-65-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-64-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-63-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-62-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-61-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-60-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-59-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-58-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-57-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-56-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-55-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-54-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-53-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-49-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-47-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-46-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-45-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-44-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-43-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-42-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-41-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-50-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2140-48-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2140-38-0x0000000000720000-0x0000000000760000-memory.dmp

Filesize
256KB

Download
memory/2140-35-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2140-34-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2304-22-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2304-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2924-108-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-110-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2924-111-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-146-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2924-145-0x0000000074920000-0x0000000074ECB000-memory.dmp

Filesize
5.7MB

Download