9fa06fcf8defc5d8fb7bcad83587d21e829358f64b6ac53bf0641c02bb47f52b

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bf37a2e303b272bfa457cb81fda60ee.exe
Size

384KB
MD5

0bf37a2e303b272bfa457cb81fda60ee
SHA1

5c7f6afd35e9818458aa54dcc58479c0d34a45eb
SHA256

9fa06fcf8defc5d8fb7bcad83587d21e829358f64b6ac53bf0641c02bb47f52b
SHA512

6d7cf132894666958856b13f1c7befccebd935ee419dca38c9797d28305e5a55af2fd3faf9ae5b99583da728d2fcf41d6257fff3e083afebddff1d72a2a9d508
SSDEEP

6144:qHRpFfAoY1GDFalhVMAPthi/dJ8cD4L7LFkxfhmITTdHurgy6bav8YpMB:4YeDFMhOmhi12GfTFHugy6QMB

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2648	cC28321DkBfH28321.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	cC28321DkBfH28321.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	0bf37a2e303b272bfa457cb81fda60ee.exe
2208	0bf37a2e303b272bfa457cb81fda60ee.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-1-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2208-17-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2648-18-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2648-27-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2648-36-0x0000000000400000-0x00000000004EE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cC28321DkBfH28321 = "C:\\ProgramData\\cC28321DkBfH28321\\cC28321DkBfH28321.exe"	cC28321DkBfH28321.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	cC28321DkBfH28321.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	0bf37a2e303b272bfa457cb81fda60ee.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	0bf37a2e303b272bfa457cb81fda60ee.exe
Token: SeDebugPrivilege	2648	cC28321DkBfH28321.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2648	cC28321DkBfH28321.exe
2648	cC28321DkBfH28321.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2648	2208	0bf37a2e303b272bfa457cb81fda60ee.exe	28
PID 2208 wrote to memory of 2648	2208	0bf37a2e303b272bfa457cb81fda60ee.exe	28
PID 2208 wrote to memory of 2648	2208	0bf37a2e303b272bfa457cb81fda60ee.exe	28
PID 2208 wrote to memory of 2648	2208	0bf37a2e303b272bfa457cb81fda60ee.exe	28

C:\Users\Admin\AppData\Local\Temp\0bf37a2e303b272bfa457cb81fda60ee.exe
"C:\Users\Admin\AppData\Local\Temp\0bf37a2e303b272bfa457cb81fda60ee.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\ProgramData\cC28321DkBfH28321\cC28321DkBfH28321.exe
  "C:\ProgramData\cC28321DkBfH28321\cC28321DkBfH28321.exe" "C:\Users\Admin\AppData\Local\Temp\0bf37a2e303b272bfa457cb81fda60ee.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cC28321DkBfH28321\cC28321DkBfH28321

Filesize
192B

MD5
3f3e677012e15113744f411f35840cd6

SHA1
e0c6a51f3127734b884503e07c8fab74dbbed1b8

SHA256
d69e9ec0ccb8c8a006debb354f5db071a47f44123223b933e2ffe46b9830ade1

SHA512
06581a08668e7f40313c50e81129c98c6e9123cc3d8a1c3cd679a1dd5c2b2d3ce31aa473dcfb8429c85c475ce2e9dcd6ea1395af3cfc28359714e9590e37af2a

Download Submit
C:\ProgramData\cC28321DkBfH28321\cC28321DkBfH28321.exe

Filesize
92KB

MD5
873730e466084e3c1b6f8a05182b9e4a

SHA1
d4312ca670b84f888ab322568eaaec934e201c5a

SHA256
9640ff95d44d7f0e8970ca3ebe7ea55128426492b6e8e62c1774d4811b987969

SHA512
5f8e09a28abe63ca67e49ade0605ef8adcad1d1b339eacc334fab16b94f49f3d97dcfeb99ac3276a26374957c52ec69a4341020cb9e9c250dab6ac1abadc5440

Download Submit
\ProgramData\cC28321DkBfH28321\cC28321DkBfH28321.exe

Filesize
384KB

MD5
84098c9149e8b1bfac88c4e7f123be2e

SHA1
608e4d7b7c9859b742f887fb069c0706e9d2ff16

SHA256
a935745bc95a9f276cf875a5ba027c2d936b46195851ce210a237ec85b7ed6ab

SHA512
923d5429332674f0fcc9fc3edb607500b6285bd72d420b57bb707f58c83664c842dd56544457a69f1575caae35bd8e7b2617d2c5d1e07fe5cea425a0a2899d66

Download Submit
memory/2208-0-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2208-1-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2208-17-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2648-18-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2648-27-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2648-36-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download