f18ad703cc2b530cfff24429ac45a08f9aa3fe31b45499adbe023aa8ca7f0aee

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d8338e90dfa51b555e1f52c685ab753.exe
Size

396KB
MD5

1d8338e90dfa51b555e1f52c685ab753
SHA1

343953dd3a49189e0657c1fd740a6199dc4f4802
SHA256

f18ad703cc2b530cfff24429ac45a08f9aa3fe31b45499adbe023aa8ca7f0aee
SHA512

14ab020f7434aec53af8733df9ce156c4b8c3676017a461f986cc14b437be17831ac27a2db51a6dbadb9bfd3c7060a2485667d00c5885b810efca1e8ec6c07db
SSDEEP

6144:jVuuil5rV9qdLC6dV8QwkkgPNUhhPW66uLIA/lwnbfTx1tamCK3E:x+nSxVHrWPW3usA/cbfV1UmC

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2880	nE09100BhMeM09100.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	nE09100BhMeM09100.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	1d8338e90dfa51b555e1f52c685ab753.exe
2184	1d8338e90dfa51b555e1f52c685ab753.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-3-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral1/memory/2184-17-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral1/memory/2880-23-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral1/memory/2880-27-0x0000000000400000-0x00000000004F0000-memory.dmp	upx
behavioral1/memory/2880-36-0x0000000000400000-0x00000000004F0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nE09100BhMeM09100 = "C:\\ProgramData\\nE09100BhMeM09100\\nE09100BhMeM09100.exe"	nE09100BhMeM09100.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	nE09100BhMeM09100.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	1d8338e90dfa51b555e1f52c685ab753.exe
2184	1d8338e90dfa51b555e1f52c685ab753.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	1d8338e90dfa51b555e1f52c685ab753.exe
Token: SeDebugPrivilege	2880	nE09100BhMeM09100.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2880	nE09100BhMeM09100.exe
2880	nE09100BhMeM09100.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2880	2184	1d8338e90dfa51b555e1f52c685ab753.exe	28
PID 2184 wrote to memory of 2880	2184	1d8338e90dfa51b555e1f52c685ab753.exe	28
PID 2184 wrote to memory of 2880	2184	1d8338e90dfa51b555e1f52c685ab753.exe	28
PID 2184 wrote to memory of 2880	2184	1d8338e90dfa51b555e1f52c685ab753.exe	28

C:\Users\Admin\AppData\Local\Temp\1d8338e90dfa51b555e1f52c685ab753.exe
"C:\Users\Admin\AppData\Local\Temp\1d8338e90dfa51b555e1f52c685ab753.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\ProgramData\nE09100BhMeM09100\nE09100BhMeM09100.exe
  "C:\ProgramData\nE09100BhMeM09100\nE09100BhMeM09100.exe" "C:\Users\Admin\AppData\Local\Temp\1d8338e90dfa51b555e1f52c685ab753.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nE09100BhMeM09100\nE09100BhMeM09100

Filesize
192B

MD5
6910a1f2c8fd0d64e446c0b0fc2f2ec2

SHA1
beb7650a223a3a54c08ff8d39506ec8f2d441c7d

SHA256
0a2e41c79e30e54a0ac4b5cc116e1b9649b99a69ffcf76f453ee2d80a8495418

SHA512
7329ff7f010939be348fcd14298b87a34acbff2e14cf5c20368119b5b0a7e9874f15e29746d38673dd961d7fcad57095d4ac8b4e28271fd0c4acfb32b121f1f9

Download Submit
C:\ProgramData\nE09100BhMeM09100\nE09100BhMeM09100.exe

Filesize
396KB

MD5
6da5c6305b5ad94739776fead75b693c

SHA1
bc9ddfd406eee3702d510bf31362cbb79f46bfcd

SHA256
231a9f84fe944c33992502f84936363eed0eceea0f33367b8fdaec51d1c6e7c2

SHA512
c8a1976ce2c59d86c4c4e661c043622c3f653ed38d78d81c2ad6bd99555ebf97bc0e00fae9c0f26b2a59ba077163b3f0be57922d46f49aa8fd3d5dc6dc131bde

Download Submit
C:\ProgramData\nE09100BhMeM09100\nE09100BhMeM09100.exe

Filesize
382KB

MD5
869f02d4f3c9fc954709df3aa3ae862d

SHA1
40b6971329480b4fc8dd8ad9c40b7fb1c942bfd5

SHA256
c7ce32d6aa0e417a37508b3ff1687774ed2ca54488593e08fe47f96d48f68766

SHA512
713a578a5ec82244fee9a921bcd37c80a9bf094729a8d7b5f6699bc9cd5de041aba445f6f5054c6866a808c9db40bbe54f11b66c11566c8143a06cfa4f39866d

Download Submit
memory/2184-0-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2184-3-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2184-17-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2880-23-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2880-27-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2880-36-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download