7c77dfc4193baf07665f410ff1aa78658833300e172d2016c95e6b3765331344

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16190c451e52c9d33666f52c694d66e7.exe
Size

78KB
MD5

16190c451e52c9d33666f52c694d66e7
SHA1

6dc41230a9ca05bb57ba41672125f7949a1d5c46
SHA256

7c77dfc4193baf07665f410ff1aa78658833300e172d2016c95e6b3765331344
SHA512

bdcc0e1a6f89260c3e28598a59f3da9d64422bd9f906417d0a870ed5fc47b91b4e2e61037a7f7428b6db20c1f3b243c04ba000cc8421b5e39b9a72a12d725ee0
SSDEEP

1536:fKiYAF65m3jCPcVo6r7S/rab7tnouy8uOWPcVo6r7S/rabHnouy8aO:fKzAU5uh7cWbZoutb7cWbHout

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2576	color.exe
772	copy.exe

Loads dropped DLL 4 IoCs

pid	Process
2788	cmd.exe
2788	cmd.exe
2400	cmd.exe
2400	cmd.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015e82-33.dat	upx
behavioral1/files/0x0009000000015e09-30.dat	upx
behavioral1/memory/2576-55-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2576-71-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2400-85-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/772-107-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2576-122-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe gamma load = "C:\\ProgramData\\adob\\color.exe"	regedit.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2616	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
2848	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
572	PING.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2788	1984	16190c451e52c9d33666f52c694d66e7.exe	28
PID 1984 wrote to memory of 2788	1984	16190c451e52c9d33666f52c694d66e7.exe	28
PID 1984 wrote to memory of 2788	1984	16190c451e52c9d33666f52c694d66e7.exe	28
PID 1984 wrote to memory of 2788	1984	16190c451e52c9d33666f52c694d66e7.exe	28
PID 2788 wrote to memory of 2848	2788	cmd.exe	30
PID 2788 wrote to memory of 2848	2788	cmd.exe	30
PID 2788 wrote to memory of 2848	2788	cmd.exe	30
PID 2788 wrote to memory of 2848	2788	cmd.exe	30
PID 2788 wrote to memory of 2060	2788	cmd.exe	31
PID 2788 wrote to memory of 2060	2788	cmd.exe	31
PID 2788 wrote to memory of 2060	2788	cmd.exe	31
PID 2788 wrote to memory of 2060	2788	cmd.exe	31
PID 2060 wrote to memory of 2740	2060	net.exe	32
PID 2060 wrote to memory of 2740	2060	net.exe	32
PID 2060 wrote to memory of 2740	2060	net.exe	32
PID 2060 wrote to memory of 2740	2060	net.exe	32
PID 2788 wrote to memory of 2616	2788	cmd.exe	33
PID 2788 wrote to memory of 2616	2788	cmd.exe	33
PID 2788 wrote to memory of 2616	2788	cmd.exe	33
PID 2788 wrote to memory of 2616	2788	cmd.exe	33
PID 2788 wrote to memory of 2576	2788	cmd.exe	34
PID 2788 wrote to memory of 2576	2788	cmd.exe	34
PID 2788 wrote to memory of 2576	2788	cmd.exe	34
PID 2788 wrote to memory of 2576	2788	cmd.exe	34
PID 2576 wrote to memory of 2400	2576	color.exe	35
PID 2576 wrote to memory of 2400	2576	color.exe	35
PID 2576 wrote to memory of 2400	2576	color.exe	35
PID 2576 wrote to memory of 2400	2576	color.exe	35
PID 2400 wrote to memory of 572	2400	cmd.exe	37
PID 2400 wrote to memory of 572	2400	cmd.exe	37
PID 2400 wrote to memory of 572	2400	cmd.exe	37
PID 2400 wrote to memory of 572	2400	cmd.exe	37
PID 2400 wrote to memory of 772	2400	cmd.exe	40
PID 2400 wrote to memory of 772	2400	cmd.exe	40
PID 2400 wrote to memory of 772	2400	cmd.exe	40
PID 2400 wrote to memory of 772	2400	cmd.exe	40
PID 772 wrote to memory of 464	772	copy.exe	41
PID 772 wrote to memory of 464	772	copy.exe	41
PID 772 wrote to memory of 464	772	copy.exe	41
PID 772 wrote to memory of 464	772	copy.exe	41
PID 464 wrote to memory of 436	464	cmd.exe	43
PID 464 wrote to memory of 436	464	cmd.exe	43
PID 464 wrote to memory of 436	464	cmd.exe	43
PID 464 wrote to memory of 436	464	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\16190c451e52c9d33666f52c694d66e7.exe
"C:\Users\Admin\AppData\Local\Temp\16190c451e52c9d33666f52c694d66e7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\903E.tmp\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s 123.reg
    3⤵
    - Adds Run key to start application
    - Runs .reg file with regedit
    PID:2848
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2616
- - C:\ProgramData\adob\color.exe
    C:\ProgramData\adob\color.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\94B1.tmp\123.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 100
        5⤵
        Runs ping.exe
        
        PID:572
    - - C:\ProgramData\adob\copy.exe
        
        C:\ProgramData\adob\copy.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1ED6.tmp\copy.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\ftp.exe
        
        FTP -s:123.txt
        7⤵
        
        PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ED6.tmp\123.txt

Filesize
249B

MD5
189da580470829a6b7d3a7bc8790a630

SHA1
9ee26f8e6b64824e5ffe5a5f2cf4ee76105a59c0

SHA256
e0117336db5fa6934eaf9242ac143b71b3aa8d0b4092ecdb0f4825dbac5ae62c

SHA512
9b1c33c119b8d2a620a600f40119235f5ba49195e552f84518ec7bb45ef2a12a7ea8f49b90e16d1c9edd5c308e56e416da64abf902c0250d4c249f20b231e7f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ED6.tmp\copy.bat

Filesize
16B

MD5
6051f6edaeb72cf07b7119837fabd3d7

SHA1
30c5cb4b72ae59dfedc76d99820cbd4c0bac7a96

SHA256
a7559088cc7fa2c7882e95ec001296dff7fbe482a1a7c8664ca391789ce1e677

SHA512
5dc5a3e23a0696dd8dea0eeeb96e2ad40f41dfd8d09ca512df7bd801edee5ac98f52dee3f4ce8155b548e8c0d86f4c4810cab50782d536f768775d0777a32ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\903E.tmp\1.bat

Filesize
109B

MD5
5fd25964e9b6f81ff172e80d1c7b6af4

SHA1
c2acded3847b8c8a4f373f48c7f0ea2f254c5080

SHA256
8471d34b6bc8fbb6e386d2c0a86b7815d93efbd25928d952ecaf316456a55ed4

SHA512
62fced5af86bc5c5766e3705226f1b79f1fde24c6506e0ba0531443c4691f511216430c25f4d71ba16323657b0111a0fbdcca4f298b82644f4d241676c08f845

Download Submit
C:\Users\Admin\AppData\Local\Temp\903E.tmp\123.reg

Filesize
332B

MD5
aaa5d717209daca5a9287d9d4f0cb454

SHA1
657dcb0af1436eaf1180f6d46f1476db23d9c573

SHA256
4ff88c295d89a746f96add13abc600f8c485ca5fce752bae377931b672b36023

SHA512
216e6d4fdc4dc53c2d811ce661bcf8dbee534e529b274cec4150fe7f62a64649838b51fa0d153d06231de793a4e6a6bde0e75ef5ad97b8eb8b3066382804ea9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\903E.tmp\color.exe

Filesize
21KB

MD5
648666c2b3c6781b54f904ffdab14de3

SHA1
3a5e257d1e17b46e6bf649b23359b2f317815620

SHA256
6d742cca69f05e951c1e12d20007f58bb7a1e11e4981dd11a1948cc9edb98bb0

SHA512
fbec2b3532cc2d8b4362697f8bee39d92b64ac768fe57b1395d336f2cde6509e31a4e9679dc1e8bc95fb2a9fa0de7b79e21f257f4577fa2ccdf6fc48d7d4196c

Download Submit
C:\Users\Admin\AppData\Local\Temp\903E.tmp\copy.exe

Filesize
21KB

MD5
c1acc477923df9ebf4eab7484dcae003

SHA1
1b1575145dd37acb0540d75d50c34106f2e8a727

SHA256
f69a4dfb347bf285d238e57d896ac7ae4974d105b1fb20aa5f40655022a0a888

SHA512
1a58a41b00210517bedb68e4d6dd0bdf2f469ca30343a18c951a4b16d7db3b9951f60d52b4475899f0b8772a7b6e4d1c5962ecab424a3925ebb103784f40d6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\903E.tmp\stop.bat

Filesize
87B

MD5
7e62f6fa7ba08a845e69e30dc2e98b4c

SHA1
bcc455715430f023a91eed7558b9a1d2f54b4e4b

SHA256
811e3e5424be53ca7266b3bfe6300e6250086772cc7685848f910a0e92cb039f

SHA512
af35557f65c1c7562fa2e018cafbdbb9a77b92c75bcdf641e98eaeafab97b10e39fc8f42246f85a3fdb75c9cf3813dd813509842a0011b17e9fcaf4b35efa96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\94B1.tmp\123.bat

Filesize
158B

MD5
ee8492b5b429e650b89048e92f4f9d68

SHA1
ce4e2b661350d086c05b4d61cefb111676a7cdb5

SHA256
df84b19075d92eccd37782734fd51d95f3b7c2a61380ccf5a701b902be6d95db

SHA512
c6238f2f30e8d6d665be44aba4495cfe320858dd46d0d97ed7b6468c3ec7708d188422b71b85c849114bf266b0680e24724703d8bb52b9e749677ba0050c9a1f

Download Submit
memory/772-107-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2400-113-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2400-85-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2400-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2400-121-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2576-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2576-122-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2576-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2788-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads