85231a8f5e9c681d7d5e6cdcc19da450eab541ba0c981f3d15322e8abfbb93e7

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6434eaf1e3f70480bc40f1216bc4641f.exe
Size

38KB
MD5

6434eaf1e3f70480bc40f1216bc4641f
SHA1

bb7f3d02034b1267724983518cd831d2d4518c1a
SHA256

85231a8f5e9c681d7d5e6cdcc19da450eab541ba0c981f3d15322e8abfbb93e7
SHA512

ea6fdeeaac48418b3af99bde17ae77ac4b4e892a2665d997de4453b80df574bea3440d174b02c62c7c8e47c6bbfcdc39e2cd980b6134f1de81f204a690013496
SSDEEP

768:T7WXtbVrCBN29+eiYc3OZ6CV2ZVO8GEDcinf:T7WXtb1Cv+YYc3c65ZVOpUnf

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1052	.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	6434eaf1e3f70480bc40f1216bc4641f.exe
2236	6434eaf1e3f70480bc40f1216bc4641f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1052-12-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000c000000012243-10.dat	upx
behavioral1/memory/2236-20-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	6434eaf1e3f70480bc40f1216bc4641f.exe
File created	F:\autorun.inf	6434eaf1e3f70480bc40f1216bc4641f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	6434eaf1e3f70480bc40f1216bc4641f.exe
Token: SeShutdownPrivilege	2236	6434eaf1e3f70480bc40f1216bc4641f.exe
Token: SeShutdownPrivilege	2236	6434eaf1e3f70480bc40f1216bc4641f.exe
Token: SeDebugPrivilege	2236	6434eaf1e3f70480bc40f1216bc4641f.exe
Token: SeDebugPrivilege	1052	.exe
Token: SeShutdownPrivilege	608	LogonUI.exe
Token: SeShutdownPrivilege	608	LogonUI.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1052	2236	6434eaf1e3f70480bc40f1216bc4641f.exe	28
PID 2236 wrote to memory of 1052	2236	6434eaf1e3f70480bc40f1216bc4641f.exe	28
PID 2236 wrote to memory of 1052	2236	6434eaf1e3f70480bc40f1216bc4641f.exe	28
PID 2236 wrote to memory of 1052	2236	6434eaf1e3f70480bc40f1216bc4641f.exe	28
PID 2236 wrote to memory of 2092	2236	6434eaf1e3f70480bc40f1216bc4641f.exe	30
PID 2236 wrote to memory of 2092	2236	6434eaf1e3f70480bc40f1216bc4641f.exe	30
PID 2236 wrote to memory of 2092	2236	6434eaf1e3f70480bc40f1216bc4641f.exe	30
PID 2236 wrote to memory of 2092	2236	6434eaf1e3f70480bc40f1216bc4641f.exe	30
PID 2092 wrote to memory of 2436	2092	net.exe	32
PID 2092 wrote to memory of 2436	2092	net.exe	32
PID 2092 wrote to memory of 2436	2092	net.exe	32
PID 2092 wrote to memory of 2436	2092	net.exe	32
PID 1720 wrote to memory of 608	1720	csrss.exe	36
PID 1720 wrote to memory of 608	1720	csrss.exe	36
PID 2544 wrote to memory of 608	2544	winlogon.exe	36
PID 2544 wrote to memory of 608	2544	winlogon.exe	36
PID 2544 wrote to memory of 608	2544	winlogon.exe	36
PID 1720 wrote to memory of 608	1720	csrss.exe	36
PID 1720 wrote to memory of 608	1720	csrss.exe	36
PID 1720 wrote to memory of 608	1720	csrss.exe	36
PID 1720 wrote to memory of 608	1720	csrss.exe	36
PID 1720 wrote to memory of 608	1720	csrss.exe	36
PID 1720 wrote to memory of 608	1720	csrss.exe	36
PID 1720 wrote to memory of 608	1720	csrss.exe	36
PID 1720 wrote to memory of 608	1720	csrss.exe	36

C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe
"C:\Users\Admin\AppData\Local\Temp\6434eaf1e3f70480bc40f1216bc4641f.exe"
1⤵
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\.exe
  C:\Users\Admin\AppData\Local\Temp\.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" user Admin
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user Admin
    3⤵
    PID:2436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2044

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.exe

Filesize
38KB

MD5
b84f4d30d66b22bbfe3c86ee3bfcda7b

SHA1
dcc9edbe553b4c15e55df8a7ee7d4403e962d2ff

SHA256
b3e108bd65af42b1ac999c34420e015c8521cc263b39b829982b21eefb816e2f

SHA512
37016c1f9fe9e2409c9516ba86d843fb1980136e30091342094cbcb9f2acf3c8b8239ee5dd15b493f38d32f454b64920a852b852b964821f9e1e95c8dcbaaa69

Download Submit
memory/608-21-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/608-22-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1052-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-19-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2236-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-9-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2236-11-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/2236-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads