94bfdd9963e0a7fe4ee4488edbeebbd5b0d69fc8f5325f4006f159d4e2067236

Analysis

max time kernel
3s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dde2cadb794e170aadfa6453a767d3c.exe
Size

940KB
MD5

7dde2cadb794e170aadfa6453a767d3c
SHA1

dc5e8c1cb38f132d8506690348cabb84c104e15b
SHA256

94bfdd9963e0a7fe4ee4488edbeebbd5b0d69fc8f5325f4006f159d4e2067236
SHA512

5c2a2c99b3a97301ff89a4376d244faa536aaba4428467ce2fbe103b4f4411e0bbf400590941f39c91012eceaec27f5f3d151572ee899445f8bd975b61ccfd1a
SSDEEP

24576:ImRKvOCv3utr5OUR0cl6zvozvaHMwINz3eptIC7U:ImovOC/uXgclWoj7wiiptIoU

Score

8^/10

evasion upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2680	ZWO0IBSWIJWNDT.exe
2984	adesao.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	7dde2cadb794e170aadfa6453a767d3c.exe
2680	ZWO0IBSWIJWNDT.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2752-4-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-6-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-5-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-2-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-29-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-31-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-33-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-37-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-39-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-41-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-44-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-46-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-48-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-51-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2752-53-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2148	reg.exe
2600	reg.exe
2632	reg.exe
2564	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeCreateTokenPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeAssignPrimaryTokenPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeLockMemoryPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeIncreaseQuotaPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeMachineAccountPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeTcbPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeSecurityPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeTakeOwnershipPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeLoadDriverPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeSystemProfilePrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeSystemtimePrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeProfSingleProcessPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeIncBasePriorityPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeCreatePagefilePrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeCreatePermanentPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeBackupPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeRestorePrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeShutdownPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeDebugPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeAuditPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeSystemEnvironmentPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeChangeNotifyPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeRemoteShutdownPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeUndockPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeSyncAgentPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeEnableDelegationPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeManageVolumePrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeImpersonatePrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: SeCreateGlobalPrivilege	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: 31	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: 32	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: 33	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: 34	2752	7dde2cadb794e170aadfa6453a767d3c.exe
Token: 35	2752	7dde2cadb794e170aadfa6453a767d3c.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1676	7dde2cadb794e170aadfa6453a767d3c.exe
2752	7dde2cadb794e170aadfa6453a767d3c.exe
2752	7dde2cadb794e170aadfa6453a767d3c.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 1676 wrote to memory of 2752	1676	7dde2cadb794e170aadfa6453a767d3c.exe	21
PID 2752 wrote to memory of 2680	2752	7dde2cadb794e170aadfa6453a767d3c.exe	23
PID 2752 wrote to memory of 2680	2752	7dde2cadb794e170aadfa6453a767d3c.exe	23
PID 2752 wrote to memory of 2680	2752	7dde2cadb794e170aadfa6453a767d3c.exe	23
PID 2752 wrote to memory of 2680	2752	7dde2cadb794e170aadfa6453a767d3c.exe	23
PID 2752 wrote to memory of 2680	2752	7dde2cadb794e170aadfa6453a767d3c.exe	23
PID 2752 wrote to memory of 2680	2752	7dde2cadb794e170aadfa6453a767d3c.exe	23
PID 2752 wrote to memory of 2680	2752	7dde2cadb794e170aadfa6453a767d3c.exe	23
PID 2680 wrote to memory of 2984	2680	ZWO0IBSWIJWNDT.exe	22
PID 2680 wrote to memory of 2984	2680	ZWO0IBSWIJWNDT.exe	22
PID 2680 wrote to memory of 2984	2680	ZWO0IBSWIJWNDT.exe	22
PID 2680 wrote to memory of 2984	2680	ZWO0IBSWIJWNDT.exe	22
PID 2680 wrote to memory of 2984	2680	ZWO0IBSWIJWNDT.exe	22
PID 2680 wrote to memory of 2984	2680	ZWO0IBSWIJWNDT.exe	22
PID 2680 wrote to memory of 2984	2680	ZWO0IBSWIJWNDT.exe	22

C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe
"C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe
  C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\ZWO0IBSWIJWNDT.exe
    C:\Users\Admin\AppData\Local\Temp\ZWO0IBSWIJWNDT.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe:*:Enabled:Windows Messanger" /f
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    PID:2872

C:\Users\Admin\AppData\Local\Temp\RarSFX0\adesao.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\adesao.exe"
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7dde2cadb794e170aadfa6453a767d3c.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies registry key
PID:2148

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies registry key
PID:2600

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies registry key
PID:2632

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies registry key
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZWO0IBSWIJWNDT.exe

Filesize
92KB

MD5
ec56f82bd8c372a4e8b2787b3f890715

SHA1
178d5a2bb320c1a523dca34f97ce4d80864f53e0

SHA256
100782c74cc8bd64c930de3d83d5bb7b855fb7e2849cea07c7bfb79fe2f781fe

SHA512
c2637f70743b5d7fd31fbf51bcb49f30347412dff94dfbe7958a75836e3e252731d7c035c601c9b7daa082e43014f1b2aa5c7899bdef42cfb4e9991870ba7d3e

Download Submit
\Users\Admin\AppData\Local\Temp\ZWO0IBSWIJWNDT.exe

Filesize
344KB

MD5
4d6f5665dbf00a86b5ab201c77a73794

SHA1
c721a35ec424d93ac7b804697ebfadd4f3c68396

SHA256
ea0c723fcd4ec5bd1fff81bd4ddb4b0e0efcde1eb77bcfd91d4d924a8bb086dc

SHA512
4c976c412d861556365b1e327397fe8dcb59753b822bc53c70d14ebeba552fef198c6711c95acf72816d84d920da5a8bedfb6b51925aed1e2bfb351cf7cc370a

Download Submit
memory/2752-44-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-33-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-6-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-5-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-2-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-28-0x0000000077F21000-0x0000000077F22000-memory.dmp

Filesize
4KB

Download
memory/2752-27-0x0000000076CF0000-0x0000000076D90000-memory.dmp

Filesize
640KB

Download
memory/2752-26-0x0000000076AA0000-0x0000000076BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2752-29-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-62-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-31-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-60-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-58-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-55-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-35-0x0000000076CF0000-0x0000000076D90000-memory.dmp

Filesize
640KB

Download
memory/2752-37-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-39-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-41-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-4-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-46-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-48-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-51-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2752-53-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2984-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2984-34-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/2984-32-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2984-30-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download