7dc9df2d0955bbf5d86b2601e0d215c8960db127da03bc724918a06704da9855

Analysis

max time kernel
154s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27449edfca7c5c783a8fbeb79d043fb3.exe
Size

77KB
MD5

27449edfca7c5c783a8fbeb79d043fb3
SHA1

e94543ce83df58b0eea82adc4e5c278b319d0cb4
SHA256

7dc9df2d0955bbf5d86b2601e0d215c8960db127da03bc724918a06704da9855
SHA512

1f4a7276e37e5e03b90b0e507318f090436c6913f1a0ae328b9255669ee243c24ff71e1b3cd9771735f545d504717259f616272c72e34fe8864b9a201b148497
SSDEEP

1536:o11e2AKCdKLp6FNQlE+WpijsRQli+fBx1wEQ2PYDYtFfWJG3wP:oQwpImdjARQfl9d33fWE3wP

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	KB00555371.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	27449edfca7c5c783a8fbeb79d043fb3.exe
2704	27449edfca7c5c783a8fbeb79d043fb3.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2704-1-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000c0000000132dc-11.dat	upx
behavioral1/files/0x000c0000000132dc-12.dat	upx
behavioral1/files/0x000c0000000132dc-8.dat	upx
behavioral1/memory/2704-7-0x0000000000390000-0x00000000003BF000-memory.dmp	upx
behavioral1/files/0x000c0000000132dc-5.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\KB00555371.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\KB00555371.exe\""	27449edfca7c5c783a8fbeb79d043fb3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe
2992	KB00555371.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	KB00555371.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2992	2704	27449edfca7c5c783a8fbeb79d043fb3.exe	17
PID 2704 wrote to memory of 2992	2704	27449edfca7c5c783a8fbeb79d043fb3.exe	17
PID 2704 wrote to memory of 2992	2704	27449edfca7c5c783a8fbeb79d043fb3.exe	17
PID 2704 wrote to memory of 2992	2704	27449edfca7c5c783a8fbeb79d043fb3.exe	17
PID 2992 wrote to memory of 1120	2992	KB00555371.exe	24
PID 2992 wrote to memory of 1120	2992	KB00555371.exe	24
PID 2992 wrote to memory of 1120	2992	KB00555371.exe	24
PID 2992 wrote to memory of 1120	2992	KB00555371.exe	24
PID 2992 wrote to memory of 1120	2992	KB00555371.exe	24
PID 2992 wrote to memory of 1180	2992	KB00555371.exe	23
PID 2992 wrote to memory of 1180	2992	KB00555371.exe	23
PID 2992 wrote to memory of 1180	2992	KB00555371.exe	23
PID 2992 wrote to memory of 1180	2992	KB00555371.exe	23
PID 2992 wrote to memory of 1180	2992	KB00555371.exe	23
PID 2992 wrote to memory of 1248	2992	KB00555371.exe	22
PID 2992 wrote to memory of 1248	2992	KB00555371.exe	22
PID 2992 wrote to memory of 1248	2992	KB00555371.exe	22
PID 2992 wrote to memory of 1248	2992	KB00555371.exe	22
PID 2992 wrote to memory of 1248	2992	KB00555371.exe	22
PID 2992 wrote to memory of 1940	2992	KB00555371.exe	21
PID 2992 wrote to memory of 1940	2992	KB00555371.exe	21
PID 2992 wrote to memory of 1940	2992	KB00555371.exe	21
PID 2992 wrote to memory of 1940	2992	KB00555371.exe	21
PID 2992 wrote to memory of 1940	2992	KB00555371.exe	21
PID 2992 wrote to memory of 2704	2992	KB00555371.exe	14
PID 2992 wrote to memory of 2704	2992	KB00555371.exe	14
PID 2992 wrote to memory of 2704	2992	KB00555371.exe	14
PID 2992 wrote to memory of 2704	2992	KB00555371.exe	14
PID 2992 wrote to memory of 2704	2992	KB00555371.exe	14
PID 2704 wrote to memory of 2712	2704	27449edfca7c5c783a8fbeb79d043fb3.exe	16
PID 2704 wrote to memory of 2712	2704	27449edfca7c5c783a8fbeb79d043fb3.exe	16
PID 2704 wrote to memory of 2712	2704	27449edfca7c5c783a8fbeb79d043fb3.exe	16
PID 2704 wrote to memory of 2712	2704	27449edfca7c5c783a8fbeb79d043fb3.exe	16
PID 2992 wrote to memory of 456	2992	KB00555371.exe	33
PID 2992 wrote to memory of 456	2992	KB00555371.exe	33
PID 2992 wrote to memory of 456	2992	KB00555371.exe	33
PID 2992 wrote to memory of 456	2992	KB00555371.exe	33
PID 2992 wrote to memory of 456	2992	KB00555371.exe	33
PID 2992 wrote to memory of 2024	2992	KB00555371.exe	34
PID 2992 wrote to memory of 2024	2992	KB00555371.exe	34
PID 2992 wrote to memory of 2024	2992	KB00555371.exe	34
PID 2992 wrote to memory of 2024	2992	KB00555371.exe	34
PID 2992 wrote to memory of 2024	2992	KB00555371.exe	34

C:\Users\Admin\AppData\Local\Temp\27449edfca7c5c783a8fbeb79d043fb3.exe
"C:\Users\Admin\AppData\Local\Temp\27449edfca7c5c783a8fbeb79d043fb3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\POSE1E6.tmp.BAT"
  2⤵
  - Deletes itself
  PID:2712
- C:\Users\Admin\AppData\Roaming\KB00555371.exe
  "C:\Users\Admin\AppData\Roaming\KB00555371.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1940

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\POSE1E6.tmp.BAT

Filesize
258B

MD5
bc291a8e49c81377cc0bccf34d9a71cd

SHA1
9fa2a4e1f53fc0eaf2d02aaa8736441fa59b5eb7

SHA256
69eef45f1ea3e7530063afc94ecfd03d33aad377fe06a113e68797b6a64c6afd

SHA512
751d5631bae06de70f68e7daa5c8cb303ff4a070395f5eb33485aaed2e9fb72cb6fcda2ddeaa2bd8a1fe3ae02b2be2099ebef47e304584eef1262a1ea712bf96

Download Submit
C:\Users\Admin\AppData\Roaming\KB00555371.exe

Filesize
54KB

MD5
44e981b427864fcbf689c1f465d1f540

SHA1
c0944a84f885f8c9900a3a4d97265f9e275893e5

SHA256
f2355af20afe9dc4ebe48f79b1ad5f076ed32d52748a4349201cc4690fe0a467

SHA512
13dd60d827dfe2f8376c00d0e77dc28fe57f715f187c76169b9da9becedf9b9211900d18bce693716559d91df623f9b02f01862f59ee524e7043fa76c6f1e930

Download Submit
C:\Users\Admin\AppData\Roaming\KB00555371.exe

Filesize
58KB

MD5
b7df1fe5f6d9fa81d0d57e893f04b4ff

SHA1
6a68bc4dbe8965cb6207d432b2b32d61ea15d494

SHA256
5982c76759292fe00c401dc0e1f0b2cd98239988887985ad561b67e2b5e004cc

SHA512
82dbb89a08cf62a238386a641e8a2197e4826a8f6c86f9d0e31c5ff8d9ea6419983afcdad660b8d805fdf609c12d48e09f9155240e904f3d81bf4bfc3d235be2

Download Submit
\Users\Admin\AppData\Roaming\KB00555371.exe

Filesize
77KB

MD5
27449edfca7c5c783a8fbeb79d043fb3

SHA1
e94543ce83df58b0eea82adc4e5c278b319d0cb4

SHA256
7dc9df2d0955bbf5d86b2601e0d215c8960db127da03bc724918a06704da9855

SHA512
1f4a7276e37e5e03b90b0e507318f090436c6913f1a0ae328b9255669ee243c24ff71e1b3cd9771735f545d504717259f616272c72e34fe8864b9a201b148497

Download Submit
\Users\Admin\AppData\Roaming\KB00555371.exe

Filesize
56KB

MD5
3669e290bbe6264dc86dafa5ea5f731c

SHA1
f702f08585e5f08eafbeb05e38eb52494c77a6f6

SHA256
f257f69a6ae18f13406e2095aff3c8713086890736bbd4adac50e33af9d181ae

SHA512
e2e30672c0cc830c1a93f33d82d7e2e5fc936bc8195a9a26816d3682c4edb9c9a09e41bcfffa3583a9b8abe017cc4838722d4a0d6e6cea97aea8063555983018

Download Submit
memory/456-120-0x0000000000330000-0x0000000000351000-memory.dmp

Filesize
132KB

Download
memory/456-118-0x0000000000330000-0x0000000000351000-memory.dmp

Filesize
132KB

Download
memory/1120-29-0x0000000001F30000-0x0000000001F51000-memory.dmp

Filesize
132KB

Download
memory/1120-31-0x0000000001F30000-0x0000000001F51000-memory.dmp

Filesize
132KB

Download
memory/1180-42-0x0000000001C40000-0x0000000001C61000-memory.dmp

Filesize
132KB

Download
memory/1180-44-0x0000000001C40000-0x0000000001C61000-memory.dmp

Filesize
132KB

Download
memory/1248-58-0x0000000002A30000-0x0000000002A51000-memory.dmp

Filesize
132KB

Download
memory/1248-56-0x0000000002A30000-0x0000000002A51000-memory.dmp

Filesize
132KB

Download
memory/1940-71-0x0000000000380000-0x00000000003A1000-memory.dmp

Filesize
132KB

Download
memory/1940-69-0x0000000000380000-0x00000000003A1000-memory.dmp

Filesize
132KB

Download
memory/2024-131-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2024-133-0x0000000000120000-0x0000000000141000-memory.dmp

Filesize
132KB

Download
memory/2704-2-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2704-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-84-0x0000000000390000-0x00000000003B1000-memory.dmp

Filesize
132KB

Download
memory/2704-102-0x0000000000390000-0x00000000003B1000-memory.dmp

Filesize
132KB

Download
memory/2704-106-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-7-0x0000000000390000-0x00000000003BF000-memory.dmp

Filesize
188KB

Download
memory/2704-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-82-0x0000000000390000-0x00000000003B1000-memory.dmp

Filesize
132KB

Download
memory/2704-13-0x0000000000390000-0x00000000003BF000-memory.dmp

Filesize
188KB

Download
memory/2992-100-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/2992-98-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/2992-103-0x00000000002E0000-0x0000000000301000-memory.dmp

Filesize
132KB

Download
memory/2992-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download