de51f37f5cb828a9d5d9ae3784a9e7ecf75ea8a8f35c9f2a5ebdef5edd5ae6f9

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f24e4d5fc6693648e7c404d4b31be49.exe
Size

23KB
MD5

1f24e4d5fc6693648e7c404d4b31be49
SHA1

710bfeeaf7084a7c65b337d6de92126f3de4fed7
SHA256

de51f37f5cb828a9d5d9ae3784a9e7ecf75ea8a8f35c9f2a5ebdef5edd5ae6f9
SHA512

ffd9fd04c55dba77ae9ba818c08dbfbd42db5c99671b4201334af400a73d6233719a7a01dc5fccca19512bd30d27fb4b772c9f67341bc49ca79f633616caa46f
SSDEEP

384:pzARALrTUe7ZPbfHgLRlk3L5I0ldpG3IJ6SbTyrzhpRdLZ3hj0i6Frlx9:Ga/TlPbfO/uL5/dpG306SiXhpbTYj

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	imsmain.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\rare = "C:\\Program Files (x86)\\Security Tools\\imsmain.exe"	imsmain.exe

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	imsmain.exe
2792	imsmn.exe

Loads dropped DLL 4 IoCs

pid	Process
2120	1f24e4d5fc6693648e7c404d4b31be49.exe
2120	1f24e4d5fc6693648e7c404d4b31be49.exe
2296	imsmain.exe
2296	imsmain.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2120-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0007000000016d58-12.dat	upx
behavioral1/memory/2792-21-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2120-29-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Security Tools\imsunst.exe	1f24e4d5fc6693648e7c404d4b31be49.exe
File created	C:\Program Files (x86)\Security Tools\imsmn.exe	imsmain.exe
File created	C:\Program Files (x86)\Security Tools\imsmain.exe	1f24e4d5fc6693648e7c404d4b31be49.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2120	1f24e4d5fc6693648e7c404d4b31be49.exe
2296	imsmain.exe
2792	imsmn.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2296	imsmain.exe
2792	imsmn.exe
2792	imsmn.exe
2296	imsmain.exe
2296	imsmain.exe
2792	imsmn.exe
2792	imsmn.exe
2296	imsmain.exe
2296	imsmain.exe
2792	imsmn.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2296	imsmain.exe
2792	imsmn.exe
2792	imsmn.exe
2296	imsmain.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe
2296	imsmain.exe
2792	imsmn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2296	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	28
PID 2120 wrote to memory of 2296	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	28
PID 2120 wrote to memory of 2296	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	28
PID 2120 wrote to memory of 2296	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	28
PID 2296 wrote to memory of 2792	2296	imsmain.exe	29
PID 2296 wrote to memory of 2792	2296	imsmain.exe	29
PID 2296 wrote to memory of 2792	2296	imsmain.exe	29
PID 2296 wrote to memory of 2792	2296	imsmain.exe	29
PID 2120 wrote to memory of 2840	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	30
PID 2120 wrote to memory of 2840	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	30
PID 2120 wrote to memory of 2840	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	30
PID 2120 wrote to memory of 2840	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	30
PID 2120 wrote to memory of 2840	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	30
PID 2120 wrote to memory of 2840	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	30
PID 2120 wrote to memory of 2840	2120	1f24e4d5fc6693648e7c404d4b31be49.exe	30

C:\Users\Admin\AppData\Local\Temp\1f24e4d5fc6693648e7c404d4b31be49.exe
"C:\Users\Admin\AppData\Local\Temp\1f24e4d5fc6693648e7c404d4b31be49.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Program Files (x86)\Security Tools\imsmain.exe
  "C:\Program Files (x86)\Security Tools\imsmain.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Program Files (x86)\Security Tools\imsmn.exe
    "C:\Program Files (x86)\Security Tools\imsmn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninst0.bat" "
  2⤵
  - Deletes itself
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninst0.bat

Filesize
277B

MD5
c6c6039e439218cfa2f75af9b0a87096

SHA1
24904e70af7ec048559f57747e4a9ea056235cf3

SHA256
61d7ee048ac596a8349812b79e117e59ac879476e05d61085fcc07d7ad64fe01

SHA512
221c59428ff925669ef143aaa5d4ce1f1bb809c1479f0df1033a7c590bd58af2f09624e76888a998c7245e6f1cf55f55012c26ff6e2444d50701945e6de82eb7

Download Submit
\Program Files (x86)\Security Tools\imsmain.exe

Filesize
28KB

MD5
986749db854219ea6860ad5c2fc1d347

SHA1
a1fe81b15ed79a057624cbb78d1d7b097865d15a

SHA256
ac4c0a16fffc876af4ff3a30f5c684816acf6073dfd95f98a7c3959a216684a2

SHA512
992728b788fc3b871668611ebbd475d8b932bc3523366fa5c8006a70c39ed823e9b954897dadfd494226216bb571c38a12001ccb1ab989be17fe4640f7e0b40b

Download Submit
\Program Files (x86)\Security Tools\imsmn.exe

Filesize
7KB

MD5
1d33a0839a337cc60967510d5b0fb218

SHA1
aad20595e3aaea690bccbf70633242b0ef6df049

SHA256
9351a96c20bb8d8cb4a1814a038a72493e19e8386a25bd3197e996bdd0aa43b3

SHA512
857f9412a150aaca3a8b25c6bbb3cad041912f9c3625f3ffc6e1f4badd2d764db99b7dbe84355c46454622e312dd5ca1ffeaadb67105ee0498cb8285239a0a10

Download Submit
memory/2120-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2120-29-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2296-19-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2296-14-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2296-32-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2296-33-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2792-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download