d3aca76694eff041d62a71a7d63c2810f6702023e8862b71435dd049e65cbc05

Analysis

max time kernel
152s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c77f542d062150e9a3216cb0b71efaf.exe
Size

399KB
MD5

0c77f542d062150e9a3216cb0b71efaf
SHA1

760cc7d3d09702f38e1193e312f218115fdc2d0f
SHA256

d3aca76694eff041d62a71a7d63c2810f6702023e8862b71435dd049e65cbc05
SHA512

4141a0c20b11066b05caaa8bd53ee7d0105e5a6b0382f04535dcf8cc7f15d26e8f7520bc596c3d393d2c3720d50ff4f5ba4a45c3c0866f06a72f7048f1da2494
SSDEEP

12288:CRFgXpS9r7HqIBBoxV4GDC+gl3/SSJR5+:CAXMB7He4qglPSm

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2536	dMdNbEc16633.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	dMdNbEc16633.exe

Loads dropped DLL 2 IoCs

pid	Process
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1544-1-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1544-20-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2536-21-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2536-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2536-34-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1544-53-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dMdNbEc16633 = "C:\\ProgramData\\dMdNbEc16633\\dMdNbEc16633.exe"	dMdNbEc16633.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	dMdNbEc16633.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe
1544	0c77f542d062150e9a3216cb0b71efaf.exe
2536	dMdNbEc16633.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	0c77f542d062150e9a3216cb0b71efaf.exe
Token: SeDebugPrivilege	2536	dMdNbEc16633.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2536	dMdNbEc16633.exe
2536	dMdNbEc16633.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2536	dMdNbEc16633.exe
2536	dMdNbEc16633.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2536	dMdNbEc16633.exe
2536	dMdNbEc16633.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2536	1544	0c77f542d062150e9a3216cb0b71efaf.exe	28
PID 1544 wrote to memory of 2536	1544	0c77f542d062150e9a3216cb0b71efaf.exe	28
PID 1544 wrote to memory of 2536	1544	0c77f542d062150e9a3216cb0b71efaf.exe	28
PID 1544 wrote to memory of 2536	1544	0c77f542d062150e9a3216cb0b71efaf.exe	28

C:\Users\Admin\AppData\Local\Temp\0c77f542d062150e9a3216cb0b71efaf.exe
"C:\Users\Admin\AppData\Local\Temp\0c77f542d062150e9a3216cb0b71efaf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\ProgramData\dMdNbEc16633\dMdNbEc16633.exe
  "C:\ProgramData\dMdNbEc16633\dMdNbEc16633.exe" "C:\Users\Admin\AppData\Local\Temp\0c77f542d062150e9a3216cb0b71efaf.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dMdNbEc16633\dMdNbEc16633.exe

Filesize
27KB

MD5
35c2cfd30b28059a0148755c6f6f5ac0

SHA1
626ba083026efa7312e8f7dd111d4b278c22eefa

SHA256
5a10a1ffb223f1285d03223178236f50fad9d608884b183ff0e824ab92504cb7

SHA512
8abc34e10a5a9d50e2faa7604b400ca0538422ac2d47baef4a946e119e05d4250b4125d2c8fa5ed52baaa4f969286c905a38c67955ecf6d8c188e6f2ff9247cd

Download Submit
C:\ProgramData\dMdNbEc16633\dMdNbEc16633.exe

Filesize
38KB

MD5
9c75ae0f1da3e67383d969773b85ce38

SHA1
dd1f847f8b49b009ddba2641c78896f869ca1bb5

SHA256
22a944973d4bf441bcc4d1ddc3448fa805672d0faf6db7ca93e194e45a263985

SHA512
c8fbf5683d6ea7e1860e899bb45d2198f01e406a93b636c5e46d3d3ff78d52ec47e76d2c3593775bdb0ec7dfe4e0f488099e1042b066216a89e25d1acf22f825

Download Submit
C:\ProgramData\dMdNbEc16633\dMdNbEc16633.exe

Filesize
162KB

MD5
dec978169e1cf1a0e2ce1d2112008f7c

SHA1
993b4acc6bed79d37f04d8ef85b957bef536ddb0

SHA256
864d9af49c39d11a7fb3e35b553348276cfe8e58c9810d653b16f2ad7371d557

SHA512
a727ce42b79a848a1579956699bfe7f19f46d51256f8175d965cb6eda7b52895409783d525e42627cb3505a709716bc845d6361f120c106023bb77cc1ea23e0e

Download Submit
\ProgramData\dMdNbEc16633\dMdNbEc16633.exe

Filesize
156KB

MD5
186ed32598caab54ad8b78b3e1ed04b8

SHA1
d9952554b8439815f450b55a11594a89753d7cd5

SHA256
5ebeda1ca8c8f9aa8295bb9ab791b42c8cb402713f824b25dc064069d067147e

SHA512
3a95981a663f4fa47cd20e5cd18930369933f19037e50c07e9e53196df4d2af2015c64cd5aaa76c54f2450614ffee60a2b5c494664934d1d8f1e5d44b9e6dcf3

Download Submit
\ProgramData\dMdNbEc16633\dMdNbEc16633.exe

Filesize
172KB

MD5
2c362fb8bf06e14990ff8c41a87adb3d

SHA1
1d04d024e6f96035c2a3b7693eae338704bc66e7

SHA256
34b3c59a45147bc96f13a3555bd511a492e68ffb41a955b0bbb84fff120b95b8

SHA512
c4cdd9938981965cf3daa3f290b42241922b61878f14b7291781abc82cb57169668c80882c20d7dd43bd07931d9d5fd1c992cf6c90361961067eaacb3d8795c1

Download Submit
memory/1544-24-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/1544-1-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1544-2-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/1544-20-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1544-53-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2536-16-0x0000000000900000-0x0000000000A00000-memory.dmp

Filesize
1024KB

Download
memory/2536-25-0x0000000000900000-0x0000000000A00000-memory.dmp

Filesize
1024KB

Download
memory/2536-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2536-34-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2536-21-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download