1c58a3e251141732bc27e6f058625ff14c46b79af02f907f535ce3200d241a75

Analysis

max time kernel
215s
max time network
256s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38e11adbc07bd32bf5159bdac1f4788e.exe
Size

264KB
MD5

38e11adbc07bd32bf5159bdac1f4788e
SHA1

650a205cf54b64d9bc5bcddf65595dd0c18d76cf
SHA256

1c58a3e251141732bc27e6f058625ff14c46b79af02f907f535ce3200d241a75
SHA512

7ab6e7dca0ed92ef6349fd8bd713cd09c57bc9227e847b974e6674838ff9423a27e42029a89529c079c7f19f448aaec227bdebee76d9945d09077c0e7d9bdbc7
SSDEEP

6144:dIlUbo4dxbVMGA1nOS/j07lKLiAeBRuRMMDngtinmv7LoIl:dGULxBy1OS7u4eAeBRkMMctxzp

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2028	ulun.exe
1008	ulun.exe

Loads dropped DLL 3 IoCs

pid	Process
2968	38e11adbc07bd32bf5159bdac1f4788e.exe
2968	38e11adbc07bd32bf5159bdac1f4788e.exe
2028	ulun.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C5EC6B71-B0B4-4258-A347-835F550FC76D} = "C:\\Users\\Admin\\AppData\\Roaming\\Fake\\ulun.exe"	ulun.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2028 set thread context of 1008	2028	ulun.exe	31

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe
1008	ulun.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2968	38e11adbc07bd32bf5159bdac1f4788e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2528 wrote to memory of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2528 wrote to memory of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2528 wrote to memory of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2528 wrote to memory of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2528 wrote to memory of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2528 wrote to memory of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2528 wrote to memory of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2528 wrote to memory of 2968	2528	38e11adbc07bd32bf5159bdac1f4788e.exe	29
PID 2968 wrote to memory of 2028	2968	38e11adbc07bd32bf5159bdac1f4788e.exe	30
PID 2968 wrote to memory of 2028	2968	38e11adbc07bd32bf5159bdac1f4788e.exe	30
PID 2968 wrote to memory of 2028	2968	38e11adbc07bd32bf5159bdac1f4788e.exe	30
PID 2968 wrote to memory of 2028	2968	38e11adbc07bd32bf5159bdac1f4788e.exe	30
PID 2028 wrote to memory of 1008	2028	ulun.exe	31
PID 2028 wrote to memory of 1008	2028	ulun.exe	31
PID 2028 wrote to memory of 1008	2028	ulun.exe	31
PID 2028 wrote to memory of 1008	2028	ulun.exe	31
PID 2028 wrote to memory of 1008	2028	ulun.exe	31
PID 2028 wrote to memory of 1008	2028	ulun.exe	31
PID 2028 wrote to memory of 1008	2028	ulun.exe	31
PID 2028 wrote to memory of 1008	2028	ulun.exe	31
PID 2028 wrote to memory of 1008	2028	ulun.exe	31
PID 1008 wrote to memory of 1116	1008	ulun.exe	14
PID 1008 wrote to memory of 1116	1008	ulun.exe	14
PID 1008 wrote to memory of 1116	1008	ulun.exe	14
PID 1008 wrote to memory of 1116	1008	ulun.exe	14
PID 1008 wrote to memory of 1116	1008	ulun.exe	14
PID 1008 wrote to memory of 1180	1008	ulun.exe	6
PID 1008 wrote to memory of 1180	1008	ulun.exe	6
PID 1008 wrote to memory of 1180	1008	ulun.exe	6
PID 1008 wrote to memory of 1180	1008	ulun.exe	6
PID 1008 wrote to memory of 1180	1008	ulun.exe	6
PID 1008 wrote to memory of 1208	1008	ulun.exe	13
PID 1008 wrote to memory of 1208	1008	ulun.exe	13
PID 1008 wrote to memory of 1208	1008	ulun.exe	13
PID 1008 wrote to memory of 1208	1008	ulun.exe	13
PID 1008 wrote to memory of 1208	1008	ulun.exe	13
PID 1008 wrote to memory of 2968	1008	ulun.exe	29
PID 1008 wrote to memory of 2968	1008	ulun.exe	29
PID 1008 wrote to memory of 2968	1008	ulun.exe	29
PID 1008 wrote to memory of 2968	1008	ulun.exe	29
PID 1008 wrote to memory of 2968	1008	ulun.exe	29
PID 1008 wrote to memory of 488	1008	ulun.exe	32
PID 1008 wrote to memory of 488	1008	ulun.exe	32
PID 1008 wrote to memory of 488	1008	ulun.exe	32
PID 1008 wrote to memory of 488	1008	ulun.exe	32
PID 1008 wrote to memory of 488	1008	ulun.exe	32
PID 1008 wrote to memory of 3020	1008	ulun.exe	33
PID 1008 wrote to memory of 3020	1008	ulun.exe	33
PID 1008 wrote to memory of 3020	1008	ulun.exe	33
PID 1008 wrote to memory of 3020	1008	ulun.exe	33
PID 1008 wrote to memory of 3020	1008	ulun.exe	33
PID 1008 wrote to memory of 1496	1008	ulun.exe	34
PID 1008 wrote to memory of 1496	1008	ulun.exe	34
PID 1008 wrote to memory of 1496	1008	ulun.exe	34
PID 1008 wrote to memory of 1496	1008	ulun.exe	34
PID 1008 wrote to memory of 1496	1008	ulun.exe	34
PID 1008 wrote to memory of 1644	1008	ulun.exe	35
PID 1008 wrote to memory of 1644	1008	ulun.exe	35
PID 1008 wrote to memory of 1644	1008	ulun.exe	35
PID 1008 wrote to memory of 1644	1008	ulun.exe	35
PID 1008 wrote to memory of 1644	1008	ulun.exe	35
PID 1008 wrote to memory of 2840	1008	ulun.exe	36
PID 1008 wrote to memory of 2840	1008	ulun.exe	36

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\38e11adbc07bd32bf5159bdac1f4788e.exe
  "C:\Users\Admin\AppData\Local\Temp\38e11adbc07bd32bf5159bdac1f4788e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\38e11adbc07bd32bf5159bdac1f4788e.exe
    "C:\Users\Admin\AppData\Local\Temp\38e11adbc07bd32bf5159bdac1f4788e.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Users\Admin\AppData\Roaming\Fake\ulun.exe
      "C:\Users\Admin\AppData\Roaming\Fake\ulun.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Users\Admin\AppData\Roaming\Fake\ulun.exe
        
        "C:\Users\Admin\AppData\Roaming\Fake\ulun.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd8070f2c.bat"
      4⤵
      PID:488

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Fake\ulun.exe

Filesize
264KB

MD5
59c61493375834297233f949a9ae5f3c

SHA1
0ef7855488a2b0ea09ed8b55bff2847bd68e210a

SHA256
a0ce426411a8b0b124fed0b142ef052a958bbe73288c55a2c96fa8f9f3efcdd3

SHA512
e66f30150bf6c2b32be463e31a81a18e23db15dd3d52ba812594cd82c1df623e1b28649722a846eb01d6d38c6e6aa7a71c565388e54a107fafef02a84749f1e4

Download Submit
memory/1008-103-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1008-75-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1008-78-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1008-79-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1008-47-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1116-50-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1116-51-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1116-52-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1116-49-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1180-57-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1180-56-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1180-55-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1180-54-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1208-60-0x0000000002650000-0x0000000002677000-memory.dmp

Filesize
156KB

Download
memory/1208-59-0x0000000002650000-0x0000000002677000-memory.dmp

Filesize
156KB

Download
memory/1208-61-0x0000000002650000-0x0000000002677000-memory.dmp

Filesize
156KB

Download
memory/1208-62-0x0000000002650000-0x0000000002677000-memory.dmp

Filesize
156KB

Download
memory/2028-28-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2028-29-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2528-0-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2528-1-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2968-76-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-73-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2968-65-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2968-69-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2968-67-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2968-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2968-71-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/2968-18-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-16-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-17-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2968-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download