d9a9ed77f9b7b391bdeddcb96a0e65c3acb089edb6bddfe9e79ea104914053a3

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c742b58546b9f6fb858d46e480e7073.exe
Size

366KB
MD5

1c742b58546b9f6fb858d46e480e7073
SHA1

400b0d2e3a1f6385a6c071b28d0c2c5a3ee90576
SHA256

d9a9ed77f9b7b391bdeddcb96a0e65c3acb089edb6bddfe9e79ea104914053a3
SHA512

6b9cfe5dafe41439b6d22b7ceefca033af04b6589785b11cfff29d8ce4945f47e6894628665fd5f2b1495eea004e9a17f1fac3b99268e27a5bf922274b7a7c86
SSDEEP

6144:T8f5iMeaeRKisc9HMKnK9NG1KKPyqXon9qdpPudbgz++en/HCIUYWICWBP:+iMsnF9Hy9KPyqXk9qdgdbgz++e/HOdq

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	nB28269LoFeP28269.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	nB28269LoFeP28269.exe

Loads dropped DLL 2 IoCs

pid	Process
828	1c742b58546b9f6fb858d46e480e7073.exe
828	1c742b58546b9f6fb858d46e480e7073.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/828-6-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/828-16-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2692-23-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2692-27-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2692-36-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nB28269LoFeP28269 = "C:\\ProgramData\\nB28269LoFeP28269\\nB28269LoFeP28269.exe"	nB28269LoFeP28269.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	nB28269LoFeP28269.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
828	1c742b58546b9f6fb858d46e480e7073.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	1c742b58546b9f6fb858d46e480e7073.exe
Token: SeDebugPrivilege	2692	nB28269LoFeP28269.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2692	nB28269LoFeP28269.exe
2692	nB28269LoFeP28269.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2692	828	1c742b58546b9f6fb858d46e480e7073.exe	28
PID 828 wrote to memory of 2692	828	1c742b58546b9f6fb858d46e480e7073.exe	28
PID 828 wrote to memory of 2692	828	1c742b58546b9f6fb858d46e480e7073.exe	28
PID 828 wrote to memory of 2692	828	1c742b58546b9f6fb858d46e480e7073.exe	28

C:\Users\Admin\AppData\Local\Temp\1c742b58546b9f6fb858d46e480e7073.exe
"C:\Users\Admin\AppData\Local\Temp\1c742b58546b9f6fb858d46e480e7073.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\ProgramData\nB28269LoFeP28269\nB28269LoFeP28269.exe
  "C:\ProgramData\nB28269LoFeP28269\nB28269LoFeP28269.exe" "C:\Users\Admin\AppData\Local\Temp\1c742b58546b9f6fb858d46e480e7073.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nB28269LoFeP28269\nB28269LoFeP28269

Filesize
192B

MD5
0c237a7694d86726bd822dd5780a0e33

SHA1
91cb06eb7e70d9b8dc4b829cf39893d3e0b4e269

SHA256
84dca7f702f9a37d2cff9d7e7fc50be2dfd493fc9d490a28302f4774b9559170

SHA512
c5e5aea674bb2f43b284c472abe333853ed9ff7cb700537878cab00d6c1f4ebed45c8928d1b59b9b684f1f4cbf91960d38cf4b3873a49fcd3f78e50ea22d4c33

Download Submit
\ProgramData\nB28269LoFeP28269\nB28269LoFeP28269.exe

Filesize
366KB

MD5
aa0130c82e38c6bb863312207571e25b

SHA1
33d57c969511112b7d631ff84329670e9b4d5dc4

SHA256
d0c4055c2064e6b26922697ba9b286135e171cb99c6186a227f023f17ac5fcea

SHA512
72c22464951376f7775278ddbd0183641566eb4a68648086ab047319659cdd3b420c89ad193e35cd56a00148858d3d535c5304a82c0a23afc6de204b040d2086

Download Submit
memory/828-0-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/828-6-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/828-16-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2692-23-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2692-27-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2692-36-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download