11f3d63b6e0d7e22364594d2ec5d3c9f8ce2498fb6986304e0784e4ef1f13488

Analysis

max time kernel
152s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0778b4bbdb044f9f42039399187776c4.exe
Size

404KB
MD5

0778b4bbdb044f9f42039399187776c4
SHA1

8e0e7606f2791ab845aa354a1a20eabe4396296f
SHA256

11f3d63b6e0d7e22364594d2ec5d3c9f8ce2498fb6986304e0784e4ef1f13488
SHA512

2c1035d87491efaf5eea5bdf757f79e29926c05f63fc3358cef27d6e156b137c0136f8050cb559dc3cd0357a3b0702a7eb6b780ba12d5a4483ceaef5045a588d
SSDEEP

6144:RSvqY04+Vq3bVTb3XLxfYUl0wadXmrGexE28PET/GqZ/T7t:0DBJX3XLwwa2v7LJ7t

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	0778b4bbdb044f9f42039399187776c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Userinit = "rundll32.exe C:\\Windows\\system32\\winsys16_071010.dll start"	0778b4bbdb044f9f42039399187776c4.exe

Executes dropped EXE 1 IoCs

pid	Process
2068	AlxRes071010.exe

Loads dropped DLL 1 IoCs

pid	Process
924	rundll32.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winsys32_071010.dll	0778b4bbdb044f9f42039399187776c4.exe
File opened for modification	C:\Windows\SysWOW64\winsys32_071010.dll	0778b4bbdb044f9f42039399187776c4.exe
File created	C:\Windows\SysWOW64\inf\scrsys16_071010.dll	0778b4bbdb044f9f42039399187776c4.exe
File opened for modification	C:\Windows\SysWOW64\inf\scrsys16_071010.dll	0778b4bbdb044f9f42039399187776c4.exe
File created	C:\Windows\SysWOW64\winsys16_071010.dll	0778b4bbdb044f9f42039399187776c4.exe
File opened for modification	C:\Windows\SysWOW64\winsys16_071010.dll	0778b4bbdb044f9f42039399187776c4.exe
File opened for modification	C:\Windows\SysWOW64\winsys32_071010.dll	AlxRes071010.exe
File opened for modification	C:\Windows\SysWOW64\inf\scrsys071010.scr	0778b4bbdb044f9f42039399187776c4.exe
File created	C:\Windows\SysWOW64\winsys32_071010.dll	AlxRes071010.exe
File created	C:\Windows\SysWOW64\inf\scrsys071010.scr	0778b4bbdb044f9f42039399187776c4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system\AlxRes071010.exe	0778b4bbdb044f9f42039399187776c4.exe
File opened for modification	C:\Windows\system\AlxRes071010.exe	0778b4bbdb044f9f42039399187776c4.exe
File opened for modification	C:\Windows\mwinsys.ini	AlxRes071010.exe
File opened for modification	C:\Windows\mwinsys.ini	0778b4bbdb044f9f42039399187776c4.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	AlxRes071010.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1452	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3080	0778b4bbdb044f9f42039399187776c4.exe
3080	0778b4bbdb044f9f42039399187776c4.exe
3080	0778b4bbdb044f9f42039399187776c4.exe
3080	0778b4bbdb044f9f42039399187776c4.exe
3080	0778b4bbdb044f9f42039399187776c4.exe
3080	0778b4bbdb044f9f42039399187776c4.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe
2068	AlxRes071010.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
924	rundll32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	0778b4bbdb044f9f42039399187776c4.exe
Token: SeDebugPrivilege	3080	0778b4bbdb044f9f42039399187776c4.exe
Token: SeDebugPrivilege	3080	0778b4bbdb044f9f42039399187776c4.exe
Token: SeDebugPrivilege	2068	AlxRes071010.exe
Token: SeDebugPrivilege	2068	AlxRes071010.exe
Token: SeDebugPrivilege	2068	AlxRes071010.exe
Token: SeDebugPrivilege	2068	AlxRes071010.exe
Token: SeDebugPrivilege	2068	AlxRes071010.exe
Token: SeDebugPrivilege	2068	AlxRes071010.exe
Token: SeDebugPrivilege	2068	AlxRes071010.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 924	3080	0778b4bbdb044f9f42039399187776c4.exe	96
PID 3080 wrote to memory of 924	3080	0778b4bbdb044f9f42039399187776c4.exe	96
PID 3080 wrote to memory of 924	3080	0778b4bbdb044f9f42039399187776c4.exe	96
PID 3080 wrote to memory of 4816	3080	0778b4bbdb044f9f42039399187776c4.exe	101
PID 3080 wrote to memory of 4816	3080	0778b4bbdb044f9f42039399187776c4.exe	101
PID 3080 wrote to memory of 4816	3080	0778b4bbdb044f9f42039399187776c4.exe	101
PID 4816 wrote to memory of 1452	4816	cmd.exe	103
PID 4816 wrote to memory of 1452	4816	cmd.exe	103
PID 4816 wrote to memory of 1452	4816	cmd.exe	103
PID 924 wrote to memory of 2832	924	rundll32.exe	105
PID 924 wrote to memory of 2832	924	rundll32.exe	105
PID 924 wrote to memory of 2832	924	rundll32.exe	105
PID 2832 wrote to memory of 2068	2832	cmd.exe	107
PID 2832 wrote to memory of 2068	2832	cmd.exe	107
PID 2832 wrote to memory of 2068	2832	cmd.exe	107
PID 2068 wrote to memory of 1708	2068	AlxRes071010.exe	109
PID 2068 wrote to memory of 1708	2068	AlxRes071010.exe	109
PID 2068 wrote to memory of 1708	2068	AlxRes071010.exe	109

C:\Users\Admin\AppData\Local\Temp\0778b4bbdb044f9f42039399187776c4.exe
"C:\Users\Admin\AppData\Local\Temp\0778b4bbdb044f9f42039399187776c4.exe"
1⤵
- Adds policy Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\winsys16_071010.dll start
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\mycj.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system\AlxRes071010.exe
      "C:\Windows\system\AlxRes071010.exe" i
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\program files\internet explorer\iexplore.exe
        
        "C:\program files\internet explorer\iexplore.exe"
        5⤵
        
        PID:1708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\myDelm.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winsys16_071010.dll

Filesize
24KB

MD5
46835748752d463a38267affe2f86dc2

SHA1
628f14fdab8442d781d3fefe09cdd97d8e29e85f

SHA256
3d74364a4abedb96406840965e993da219ec4c6e1dc107be48f2670ee56701c8

SHA512
3d4bb3fe78139f6466bd875d5ac06d6c280381dcabbdef257ee16b330ce0b900d79df4fb3584eda01a9018fcd3e189951fd6d2b344d7b55612f6a57121640dab

Download Submit
C:\Windows\SysWOW64\winsys32_071010.dll

Filesize
194KB

MD5
8a699b5ff4e8267900b000ee63551636

SHA1
6c0ee9c040ea4e6ac86e42d41bb717084cecf7b0

SHA256
cfed0242d284c78c384b0256d3e4f0430ab00d1b9ff19bd8b33a3858a0384fca

SHA512
597d3ce68d61dd6d9680623bf7f318546fc02835a369de59aa6471df5f7d64fbbbb411f0e3540b43ebd9ef6aa87d2c2b60bbdd1fae7e0da2ecd48aa2738b1d8b

Download Submit
C:\Windows\System\AlxRes071010.exe

Filesize
404KB

MD5
0778b4bbdb044f9f42039399187776c4

SHA1
8e0e7606f2791ab845aa354a1a20eabe4396296f

SHA256
11f3d63b6e0d7e22364594d2ec5d3c9f8ce2498fb6986304e0784e4ef1f13488

SHA512
2c1035d87491efaf5eea5bdf757f79e29926c05f63fc3358cef27d6e156b137c0136f8050cb559dc3cd0357a3b0702a7eb6b780ba12d5a4483ceaef5045a588d

Download Submit
C:\Windows\mwinsys.ini

Filesize
343B

MD5
21f4a9fbb365beafeb4113fa66475ea2

SHA1
c2a1a2a3dcec89c157f993c74f70e85a1d48314c

SHA256
51170b12ed6b89405cab16d11f0d5d54eb942785a46459af87a8f00b04a36935

SHA512
38b7a32270f702796a6928395cc12cd3fef0712706fe0df2028550d3f978ed2cb14bd393c8392e5fa3ad575af1e3bfdc77c4120008bc77065119087290bd57a7

Download Submit
C:\Windows\mwinsys.ini

Filesize
369B

MD5
62afb0a206f7c0182047e2d980804a76

SHA1
8868f3cb7e9e84f141124b7a9e33b63c4cd1d273

SHA256
faf05e362d30c0182e80fea3b7b0e18376970ef5a8a5d2d7b608a2ecef027388

SHA512
5199f151a6ad62843e8c6ee547f54801d837d50cbe19ff5b2250eb7e35f129d3de06e17525bdda2f0d8d2a9935b7c21074702dadf4c02800423106b77e415302

Download Submit
C:\Windows\mwinsys.ini

Filesize
31B

MD5
99f5f4fecdc224fbdea56046edd40953

SHA1
7828d63bbadc64b0e51f60baf6f4fbc2a81faf85

SHA256
8dcba5e379f3201dbfb6f64e566be8f89c074440a03263fd9e177003149cc8d5

SHA512
dd374ecbfd137c91a333013f5732adb3171e806425066bb04526cc1500449384f8beceae3f66e12aea6555faa33425904889368cc4ebf6ca32738baa3abc8e47

Download Submit
C:\Windows\mwinsys.ini

Filesize
402B

MD5
733619cbc0ebcc051f0f40e42d66172a

SHA1
2513c874aad79188b3dece43862bf3a38f4af757

SHA256
a9e7993e634ff4ef298c7d947d03f3fee5ddaf66eb07f43ca31165fe70ab0477

SHA512
747eb8a6c02484b76d826fb8a954ad3f4bf44ec148ee66dd4c736fb0ef1799c8b8a1c267ce34a0d825b7f1dd214c16c8f6fb30f4e82fefc569cab419f93f8253

Download Submit
\??\c:\myDelm.bat

Filesize
205B

MD5
6f32b9cc61e14c8e255c2f5c0a4566a6

SHA1
af2600012925b646361336213d53edec4c01a978

SHA256
7ec19a2c0a3eda4e135e9fe50bab6301d218ba2f6e7fdb19c340f63de5de959b

SHA512
2f61e5235176843ac875b76cb8c6ba100ddf577cebc96dfe65a80e916ac7893153ab806e957f4c0b43f50427c7719f284a25b4baf8ade81dbbaa4f200c965451

Download Submit
\??\c:\mycj.bat

Filesize
48B

MD5
31570f120fc67880f89d818eb6c5215a

SHA1
79ceef0b8fb9e622d04f19245a0c07e00198e22e

SHA256
524f7b4f8c2c480f40b4477935f089a7f8826f04c013c162ba8d6041bd2892d0

SHA512
37349f7c2a5ae3dc4cab69569df5c608cd18eca9e795da003cecef8b0a9e303872154498b1d3059c562b6466b80ccd1535a5d1796dde1bd7588edc41a9f55ac6

Download Submit
memory/924-40-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/924-54-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/924-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download