ab4606d40874f5c5c0044bdd6598485a7d45f87b25f64ad034400df477e2f20c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fb21dcb653ee8796dbdf959c34a8081.exe
Size

384KB
MD5

3fb21dcb653ee8796dbdf959c34a8081
SHA1

4e670e27950b60aa4a435c8111ef7f043eb01503
SHA256

ab4606d40874f5c5c0044bdd6598485a7d45f87b25f64ad034400df477e2f20c
SHA512

4773f2a5728ce33cd067e670dae09ef6c1762cb991280030f3f1f55a02cff1037accbe048047822e1b1b3947453bdd3cb95f2eba6773cbff13aa95456f0d589e
SSDEEP

6144:Bg0g+ma4UeVyws29usBaUzSEkNF5QkjGhLb2uYGBLQ/X3W0neeMn9n55ZZt:Bg1+4FVy529usBvzSEyLGFqtyQvDeeMJ

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	kA28321PlEhN28321.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	kA28321PlEhN28321.exe

Loads dropped DLL 2 IoCs

pid	Process
2912	3fb21dcb653ee8796dbdf959c34a8081.exe
2912	3fb21dcb653ee8796dbdf959c34a8081.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2912-6-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2912-17-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2744-23-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2744-27-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral1/memory/2744-36-0x0000000000400000-0x00000000004EE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kA28321PlEhN28321 = "C:\\ProgramData\\kA28321PlEhN28321\\kA28321PlEhN28321.exe"	kA28321PlEhN28321.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	kA28321PlEhN28321.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	3fb21dcb653ee8796dbdf959c34a8081.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	3fb21dcb653ee8796dbdf959c34a8081.exe
Token: SeDebugPrivilege	2744	kA28321PlEhN28321.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2744	kA28321PlEhN28321.exe
2744	kA28321PlEhN28321.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2744	2912	3fb21dcb653ee8796dbdf959c34a8081.exe	28
PID 2912 wrote to memory of 2744	2912	3fb21dcb653ee8796dbdf959c34a8081.exe	28
PID 2912 wrote to memory of 2744	2912	3fb21dcb653ee8796dbdf959c34a8081.exe	28
PID 2912 wrote to memory of 2744	2912	3fb21dcb653ee8796dbdf959c34a8081.exe	28

C:\Users\Admin\AppData\Local\Temp\3fb21dcb653ee8796dbdf959c34a8081.exe
"C:\Users\Admin\AppData\Local\Temp\3fb21dcb653ee8796dbdf959c34a8081.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\ProgramData\kA28321PlEhN28321\kA28321PlEhN28321.exe
  "C:\ProgramData\kA28321PlEhN28321\kA28321PlEhN28321.exe" "C:\Users\Admin\AppData\Local\Temp\3fb21dcb653ee8796dbdf959c34a8081.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kA28321PlEhN28321\kA28321PlEhN28321

Filesize
192B

MD5
95369f0407a92111878995b3264e6d76

SHA1
de7177b50ba19899296ec99143cf47922fc4b6aa

SHA256
66f2dc9ebc991bc07d3e193a1216079d155fb4b19d26c9c5fb868346b44fde71

SHA512
443d81ea443bc81700356ae97ed24a80f9e842b911b9cbd6acc53e57d95be6c3a9bb5ea1cfc56c893878fc661a94780713817837bdce1ca59fd26c94e5baf610

Download Submit
\ProgramData\kA28321PlEhN28321\kA28321PlEhN28321.exe

Filesize
384KB

MD5
9cd9dbf0d05f55d984b7f3baf57ae127

SHA1
30ddb109629c630f1939e273c8929b2313a80aa5

SHA256
24e230111c0de04d33f780d1242916a639abcf0f54f7a3d1d2220a4f4841d503

SHA512
e29a4cb9a77770a91f441a7e7a2d7cc734a9c9adb1af1570ff4e6f59e59d6a3bb7aecbaddc72c3971eab7c606020acb0db0f71c7d59da2cf56ae5667b7a6c7ac

Download Submit
memory/2744-23-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2744-27-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2744-36-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2912-0-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2912-6-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2912-17-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download