ab4606d40874f5c5c0044bdd6598485a7d45f87b25f64ad034400df477e2f20c

Analysis

max time kernel
148s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 02:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3fb21dcb653ee8796dbdf959c34a8081.exe
Size

384KB
MD5

3fb21dcb653ee8796dbdf959c34a8081
SHA1

4e670e27950b60aa4a435c8111ef7f043eb01503
SHA256

ab4606d40874f5c5c0044bdd6598485a7d45f87b25f64ad034400df477e2f20c
SHA512

4773f2a5728ce33cd067e670dae09ef6c1762cb991280030f3f1f55a02cff1037accbe048047822e1b1b3947453bdd3cb95f2eba6773cbff13aa95456f0d589e
SSDEEP

6144:Bg0g+ma4UeVyws29usBaUzSEkNF5QkjGhLb2uYGBLQ/X3W0neeMn9n55ZZt:Bg1+4FVy529usBvzSEyLGFqtyQvDeeMJ

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3268	eK28321EmGjC28321.exe

Executes dropped EXE 1 IoCs

pid	Process
3268	eK28321EmGjC28321.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1460-6-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/1460-13-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3268-19-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3268-22-0x0000000000400000-0x00000000004EE000-memory.dmp	upx
behavioral2/memory/3268-29-0x0000000000400000-0x00000000004EE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eK28321EmGjC28321 = "C:\\ProgramData\\eK28321EmGjC28321\\eK28321EmGjC28321.exe"	eK28321EmGjC28321.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4356	1460	WerFault.exe	14
3756	3268	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1460	3fb21dcb653ee8796dbdf959c34a8081.exe
1460	3fb21dcb653ee8796dbdf959c34a8081.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	3fb21dcb653ee8796dbdf959c34a8081.exe
Token: SeDebugPrivilege	3268	eK28321EmGjC28321.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3268	eK28321EmGjC28321.exe
3268	eK28321EmGjC28321.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 3268	1460	3fb21dcb653ee8796dbdf959c34a8081.exe	72
PID 1460 wrote to memory of 3268	1460	3fb21dcb653ee8796dbdf959c34a8081.exe	72
PID 1460 wrote to memory of 3268	1460	3fb21dcb653ee8796dbdf959c34a8081.exe	72

C:\Users\Admin\AppData\Local\Temp\3fb21dcb653ee8796dbdf959c34a8081.exe
"C:\Users\Admin\AppData\Local\Temp\3fb21dcb653ee8796dbdf959c34a8081.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 668
  2⤵
  - Program crash
  PID:4356
- C:\ProgramData\eK28321EmGjC28321\eK28321EmGjC28321.exe
  "C:\ProgramData\eK28321EmGjC28321\eK28321EmGjC28321.exe" "C:\Users\Admin\AppData\Local\Temp\3fb21dcb653ee8796dbdf959c34a8081.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 668
    3⤵
    - Program crash
    PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1460 -ip 1460
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3268 -ip 3268
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eK28321EmGjC28321\eK28321EmGjC28321

Filesize
192B

MD5
941dad6ad2634eaa228d8ce8bd40b5d3

SHA1
97b8205e583ec3b206a75a550708ded781899806

SHA256
03c5fe827f93fa27119536c2a24f29d2575e0d73ff4016a07eaf7216f09dcefc

SHA512
dda604b7010ec9626fea92daf1ab58a0511ac2b738aa0ab7afc653f5e0d5ef896d31e4d86d6a40e6bf16389bb6cf7a6d600012cb54bac0ed2851381e6eae3a0d

Download Submit
C:\ProgramData\eK28321EmGjC28321\eK28321EmGjC28321.exe

Filesize
86KB

MD5
5446e54707fe82b6afe26274e09d48ff

SHA1
8d65c41167d6666b32640acd51f86ca81d7d85e1

SHA256
07d48e8807f88a74d5ca92e112d75d4440a4bc673016ef90e32de46df09ed44c

SHA512
a3509737347b2cdab6af83c2089216be33dd0b81deaafb5e7ac1bd06470de2809b4b44e0c78f09522b187797e5d39f514e13b5cb210f89db871154b01f8c50a1

Download Submit
memory/1460-0-0x0000000002250000-0x0000000002252000-memory.dmp

Filesize
8KB

Download
memory/1460-6-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1460-13-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3268-19-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3268-22-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/3268-29-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download