Analysis
- max time kernel: 12s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04/01/2024, 20:09
Behavioral task behavioral1
- Sample: 41cc4ad694dee60a1390b3e3d409d68e.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 41cc4ad694dee60a1390b3e3d409d68e.exe
- Resource: win10v2004-20231215-en
General
- Target: 41cc4ad694dee60a1390b3e3d409d68e.exe
- Size: 39KB
- MD5: 41cc4ad694dee60a1390b3e3d409d68e
- SHA1: 073aa3e3fd09b4c09e07d2a70273deb034d3faf8
- SHA256: c5e6f43ab4a37490af01cdce8bc7b8e1f58d5e221b1a4222e6eb5804675400a0
- SHA512: 03c9d4a046fb79a569b9552c2c72ee03b9588bea4eeee0871aba5da5322d6091d2f3c9a9e3df14b90eae40b7236e759f881b24b9d0ddc5d24c16b3b1454f94c9
- SSDEEP: 768:khWRQv9P+xt+lpHwvs2ZSz/ta8fTtwMX8WS9NBVrOXVGr+5HI:yWRi+xepQk2ZWtaQa9aci5HI
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 3056, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1812, process panel.exe
- Loads dropped DLL (1 IoC)
  pid 2212, process 41cc4ad694dee60a1390b3e3d409d68e.exe
- yara_rule: upx (matched resources)
  - behavioral1/files/0x000a0000000144eb-12.dat
  - behavioral1/memory/1812-17-0x0000000000400000-0x0000000000425000-memory.dmp
  - behavioral1/memory/2212-10-0x0000000000340000-0x0000000000365000-memory.dmp
  - behavioral1/memory/2212-0-0x0000000000400000-0x0000000000425000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\panel = "C:\\Users\\Admin\\AppData\\Roaming\\panel\\panel.exe -b", process 41cc4ad694dee60a1390b3e3d409d68e.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1812, process panel.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2212, process 41cc4ad694dee60a1390b3e3d409d68e.exe
  Token: SeDebugPrivilege, pid 1812, process panel.exe
- Suspicious use of WriteProcessMemory (52 IoCs; identical consecutive entries collapsed, original order kept)
  PID 2212 (41cc4ad694dee60a1390b3e3d409d68e.exe) wrote to memory of 1812 (panel.exe), procid_target 14 (4 entries)
  PID 1812 (panel.exe) wrote to memory of 1244 (Explorer.EXE), procid_target 18 (22 entries)
  PID 2212 (41cc4ad694dee60a1390b3e3d409d68e.exe) wrote to memory of 3056 (cmd.exe), procid_target 30 (4 entries)
  PID 1812 (panel.exe) wrote to memory of 1244 (Explorer.EXE), procid_target 18 (22 entries)
Processes
- C:\Users\Admin\AppData\Roaming\panel\panel.exe -b (PID 1812)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\41cc4ad694dee60a1390b3e3d409d68e.exe "C:\Users\Admin\AppData\Local\Temp\41cc4ad694dee60a1390b3e3d409d68e.exe" (PID 2212)
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\Admin\AppData\Roaming\panel\upd.bat" (PID 3056)
    - Deletes itself
- C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE (PID 1244)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 39KB
  MD5: 41cc4ad694dee60a1390b3e3d409d68e
  SHA1: 073aa3e3fd09b4c09e07d2a70273deb034d3faf8
  SHA256: c5e6f43ab4a37490af01cdce8bc7b8e1f58d5e221b1a4222e6eb5804675400a0
  SHA512: 03c9d4a046fb79a569b9552c2c72ee03b9588bea4eeee0871aba5da5322d6091d2f3c9a9e3df14b90eae40b7236e759f881b24b9d0ddc5d24c16b3b1454f94c9
- Filesize: 1KB
  MD5: afef7731b49b1ccb90c8f33d87926df8
  SHA1: 37cfbd997d9b7ed51c9029ccda9ebecc876a99d0
  SHA256: 8d4504e070c845f9471fd192360721d452574fde25ef4ab53f29bca261d1fb79
  SHA512: e267524dfe4aacb6f55d857f8e94fb96bdfcec52bf91ab371ed5d0aa251bae82bc4ce68226d644d1fe436771cac8da900e9dc8101c5f95ed5ff914c0addc7430