00d785bad69f12e0838413acebeb6bf9b1784a9d004b61698b27c69f6b174bdc

Analysis

max time kernel
3s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093735edf11dac4f8ec9a7c61d959ad6.exe
Size

195KB
MD5

093735edf11dac4f8ec9a7c61d959ad6
SHA1

8eec2dde0b66f59fd6cc2206d9b6f3511c46689a
SHA256

00d785bad69f12e0838413acebeb6bf9b1784a9d004b61698b27c69f6b174bdc
SHA512

4ea6a46568c45be21f7393bf2160afc0ec2e7b9b7f6b2fc0d8d300cc9d3dde58e2aca1d3faede156fadbda8d3534eec010fc766352f3fac15aab709be69de1df
SSDEEP

6144:AE06JW+MfwCQUkyBDsQprPSkrRUdKB5Ki45QlcN:AF6bMjmyBAGbX2Yf45YcN

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	093735edf11dac4f8ec9a7c61d959ad6.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	ttfjfb.exe

Loads dropped DLL 2 IoCs

pid	Process
1472	093735edf11dac4f8ec9a7c61d959ad6.exe
1472	093735edf11dac4f8ec9a7c61d959ad6.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1472-2-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/memory/1472-1-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/files/0x0011000000015c41-18.dat	upx
behavioral1/memory/2836-20-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/1472-12-0x0000000000230000-0x000000000024E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\\Users\\Admin\\ttfjfb.exe \\u"	093735edf11dac4f8ec9a7c61d959ad6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	093735edf11dac4f8ec9a7c61d959ad6.exe
File created	C:\Windows\SysWOW64\secupdat.dat	093735edf11dac4f8ec9a7c61d959ad6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2836	1472	093735edf11dac4f8ec9a7c61d959ad6.exe	30
PID 1472 wrote to memory of 2836	1472	093735edf11dac4f8ec9a7c61d959ad6.exe	30
PID 1472 wrote to memory of 2836	1472	093735edf11dac4f8ec9a7c61d959ad6.exe	30
PID 1472 wrote to memory of 2836	1472	093735edf11dac4f8ec9a7c61d959ad6.exe	30

C:\Users\Admin\AppData\Local\Temp\093735edf11dac4f8ec9a7c61d959ad6.exe
"C:\Users\Admin\AppData\Local\Temp\093735edf11dac4f8ec9a7c61d959ad6.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\0853.bat" "
  2⤵
  PID:2116
- C:\Users\Admin\ttfjfb.exe
  \u
  2⤵
  - Executes dropped EXE
  PID:2836
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0853.bat

Filesize
103B

MD5
749c8765b2efd0d8d70ba482ef579338

SHA1
2c18d44f941c94eaa8cf80818ca2130383b84980

SHA256
133eec83386d62a921b921a786b08f62471f5fb1c5a321fba621338fd57ef05b

SHA512
a80d04fd045c785b0d5d340efbbfec335fa9412258c813809d4033de8a5f825d78fc97a80b827f2fbe5fc437020009d9a77af96c824d81e754a036aef0be8ba8

Download Submit
C:\Users\Admin\ttfjfb.exe

Filesize
18KB

MD5
37a74e95fd4ecaaa3048e1f05dc55280

SHA1
d8bc42cb8b9c04a9b993f7b98b43251d107bff59

SHA256
dfbe244d8100090dcac04b6f254381f2a322814281f27b1ac1da326634421f83

SHA512
337de5a38fff8dc2ee46d7c68fa5afbd50e69154d446ddad7acabe0270c56d1bd26146151922a804990b12f3ab983ebe6f747d947135cfb1ceb9e83fbe5e2530

Download Submit
C:\Windows\SysWOW64\secupdat.dat

Filesize
44KB

MD5
d3e60058140956006eb1b5fc7a16aadb

SHA1
859ce6612957d444c4799aadc96053db929ce2f9

SHA256
0d441d98d8e1e0406a7794a96378a73aa6c052f32192efabc77a1c3ab72578ec

SHA512
4daf8640316aa30519b05aee4697ebd941688acfbd9f719bdcdb3377ab4cd16acd7b83b6d746c7a67cfa60e13413b78e50af5d9a1e4eadd7313c699047da9982

Download Submit
memory/1472-2-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1472-1-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1472-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1472-19-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/1472-12-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/1472-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1472-3-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2200-73-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-68-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-41-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-54-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-66-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-83-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-91-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-90-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-89-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-88-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-141-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2200-33-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-34-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-87-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-86-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-85-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-84-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-82-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-81-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-80-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-79-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-78-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-77-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-76-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-75-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-74-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-32-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-72-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-71-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-70-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-69-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-36-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-67-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-65-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-64-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-63-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-62-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-61-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-60-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-59-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-58-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-57-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-56-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-55-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-53-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-52-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-51-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-50-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-49-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-47-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-48-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-46-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-45-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-44-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-43-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-42-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-40-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-39-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-38-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-37-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2200-35-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2836-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2836-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2836-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads