Analysis

  • max time kernel
    179s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 03:31

General

  • Target

    0d08da8785cc1eb2b6db9a94d38a0188.exe

  • Size

    386KB

  • MD5

    0d08da8785cc1eb2b6db9a94d38a0188

  • SHA1

    a41e12ddb375f6263bc60e53c72f5bc52b69d064

  • SHA256

    0860877b1e3b93c6099e176490d87b3a04cad91004656747222c3da596abd1b9

  • SHA512

    600e7c44e1ec1a21aea031173b6708b44aa4767d6498f439a680da53e66ec7784add63c58c9cba6fe3b502ec3d91fb55f32107504134283559937aa6b4afe92b

  • SSDEEP

    6144:WfnqZiQxB4MbxBlcPfhe6cZweMMhf15zwsSpR5kf0AT/tE:iqZD7ZxBlcnAF+J+w958/tE

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d08da8785cc1eb2b6db9a94d38a0188.exe
    "C:\Users\Admin\AppData\Local\Temp\0d08da8785cc1eb2b6db9a94d38a0188.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\ProgramData\hK27502DlGaJ27502\hK27502DlGaJ27502.exe
      "C:\ProgramData\hK27502DlGaJ27502\hK27502DlGaJ27502.exe" "C:\Users\Admin\AppData\Local\Temp\0d08da8785cc1eb2b6db9a94d38a0188.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • \ProgramData\hK27502DlGaJ27502\hK27502DlGaJ27502.exe
    Filesize

    386KB

    MD5

    7182cfddf7904f050ff87280745d9283

    SHA1

    2cff06535d185bea0569c6f08057960ad09222d7

    SHA256

    750930f8e37b440ec763f9cc2ab43effcf2100a57b866b5ef2675175c55386b0

    SHA512

    2a2f3586da7ab1a73f3f6b47505500a1049b392450b7202245f6fa900830b86c394d5407cfe6190e87ec02e7b60bdf4617d732af8755b63bc29a4b1a28fc818c

  • memory/1160-0-0x0000000000530000-0x0000000000532000-memory.dmp
    Filesize

    8KB

  • memory/1160-6-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

  • memory/1160-16-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

  • memory/2600-23-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

  • memory/2600-27-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

  • memory/2600-33-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB

  • memory/2600-37-0x0000000000400000-0x00000000004C1000-memory.dmp
    Filesize

    772KB