a1ea988c9b8bb71be31da72660d3ec18babe7b8aed1101d03ab62c0c037a6c87

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04c6edff9076cefcc036da59a349bf6f.exe
Size

242KB
MD5

04c6edff9076cefcc036da59a349bf6f
SHA1

a68cf988973fb17bb6e05803563dc4308735a611
SHA256

a1ea988c9b8bb71be31da72660d3ec18babe7b8aed1101d03ab62c0c037a6c87
SHA512

040376b7ade6f4a94d4c1d1e000a032367df90475bcc95a698370acc7cfff5b86d3c758932ee25ac7642f9b1cf25116d964aff9171f79e54922b625d0a6e7960
SSDEEP

6144:bYpSnN1sLYGShjWWrUNKnUiyPZ+QQieWB6CFlH4/F5uQiOB:bYpSN1Eni2iyZ+SPFq9AQiOB

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

04c6edff9076cefcc036da59a349bf6f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	04c6edff9076cefcc036da59a349bf6f.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3052 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

necq.exe

pid process

2576 necq.exe
Loads dropped DLL 2 IoCs

Processes:

04c6edff9076cefcc036da59a349bf6f.exe

pid process

2660 04c6edff9076cefcc036da59a349bf6f.exe
2660 04c6edff9076cefcc036da59a349bf6f.exe

pid	process
3052	cmd.exe

pid	process
2576	necq.exe

pid	process
2660	04c6edff9076cefcc036da59a349bf6f.exe
2660	04c6edff9076cefcc036da59a349bf6f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2660-1-0x0000000000400000-0x0000000000497000-memory.dmp	upx
behavioral1/memory/2660-2-0x0000000000400000-0x0000000000497000-memory.dmp	upx
C:\Users\Admin\necq.exe	upx
behavioral1/memory/2576-20-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

04c6edff9076cefcc036da59a349bf6f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\\Users\\Admin\\necq.exe \\u"	04c6edff9076cefcc036da59a349bf6f.exe

Drops file in System32 directory 3 IoCs

Processes:

04c6edff9076cefcc036da59a349bf6f.exenecq.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	04c6edff9076cefcc036da59a349bf6f.exe
File created	C:\Windows\SysWOW64\secupdat.dat	04c6edff9076cefcc036da59a349bf6f.exe
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	necq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

necq.exe

description pid process target process

PID 2576 set thread context of 2648 2576 necq.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2576 set thread context of 2648	2576	necq.exe	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04c6edff9076cefcc036da59a349bf6f.exenecq.exe

description	pid	process	target process
PID 2660 wrote to memory of 2576	2660	04c6edff9076cefcc036da59a349bf6f.exe	necq.exe
PID 2660 wrote to memory of 2576	2660	04c6edff9076cefcc036da59a349bf6f.exe	necq.exe
PID 2660 wrote to memory of 2576	2660	04c6edff9076cefcc036da59a349bf6f.exe	necq.exe
PID 2660 wrote to memory of 2576	2660	04c6edff9076cefcc036da59a349bf6f.exe	necq.exe
PID 2660 wrote to memory of 3052	2660	04c6edff9076cefcc036da59a349bf6f.exe	cmd.exe
PID 2660 wrote to memory of 3052	2660	04c6edff9076cefcc036da59a349bf6f.exe	cmd.exe
PID 2660 wrote to memory of 3052	2660	04c6edff9076cefcc036da59a349bf6f.exe	cmd.exe
PID 2660 wrote to memory of 3052	2660	04c6edff9076cefcc036da59a349bf6f.exe	cmd.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe
PID 2576 wrote to memory of 2648	2576	necq.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\04c6edff9076cefcc036da59a349bf6f.exe
"C:\Users\Admin\AppData\Local\Temp\04c6edff9076cefcc036da59a349bf6f.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\necq.exe
\u
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2262.bat" "
2⤵
- Deletes itself
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2262.bat
Filesize
103B

MD5
9cba6e45ae8ca1c18d44385dc6576f1a

SHA1
aef15effb6a4002c14dc9c39e40f16befae1cf39

SHA256
1ce070d97234a2cbc86173691944fae7e3889025483ce70dd839d27209fbd6be

SHA512
4c9895a743ea0eba0d5fb4e738721246aacde72befe6581bbd2281fa6a6856eca28e788e0ac74b6b3bff2ad6ca591ecda020dc4263f6f324ee55a38edede5601

Download Submit
C:\Users\Admin\necq.exe
Filesize
20KB

MD5
aa1ae29b65b47d5d21cd2a0fdadb4dc1

SHA1
a62409fb17f40ae7e43bec05daa89c08c50a744d

SHA256
dd4d67eedb592dc144af40a8f529f6f8470e78dce9c474056451dc2aa069a69b

SHA512
27a83a83bdcc9b21e9e54948d9829820ed7f5801f8b48cdd08d8f638b3d914d2fb7442a455bfea26967025c9682a792ff6624600a04305bd539bc84ec93dae0e

Download Submit
C:\Windows\SysWOW64\secupdat.dat
Filesize
70KB

MD5
385d72644b16a26bdf2681015dd6faf9

SHA1
6fb47623bce4623f5b66041fd11c0cbe8cc13e64

SHA256
ad09d7cc3d40cc4aba78a1979b879d753fa7bf91235a798bd2c979f91effde34

SHA512
954c54969cf3de29dbca52b7f864ee74907207a8bc5f234d12d0d2d393ff2c59518b80fedce1ee7963e603d303f0513d098dc47fa7151e57de16bf81bdec9037

Download Submit
memory/2576-142-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2576-20-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2576-30-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2648-69-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-86-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-32-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-33-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-47-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-56-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-91-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-34-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-148-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2648-90-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-89-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-88-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-87-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-66-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-85-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-84-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-83-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-82-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-81-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-80-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-79-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-78-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-77-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-76-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-65-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-74-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-73-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-72-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-71-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-70-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-35-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-68-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-59-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-36-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-75-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-64-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-63-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-62-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-61-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-60-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-67-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-58-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-57-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-55-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-54-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-53-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-52-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-51-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-50-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-49-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-48-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-46-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-45-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-44-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-43-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-42-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-39-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-41-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-40-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-38-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2648-37-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/2660-3-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2660-1-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2660-2-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2660-17-0x00000000002D0000-0x00000000002ED000-memory.dmp

Filesize
116KB

Download
memory/2660-9-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2660-19-0x00000000002D0000-0x00000000002ED000-memory.dmp

Filesize
116KB

Download
memory/2660-28-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download