d49e3a0100058be2e1d46fd78dbceb21139d0a554c736c77aa664bbe8a3fa40a

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41f15b3dd4bb3fe4f74844aa32a7cd98.exe
Size

446KB
MD5

41f15b3dd4bb3fe4f74844aa32a7cd98
SHA1

a924b0e0747a36f8432d4a5a8a6ed6b0275707a4
SHA256

d49e3a0100058be2e1d46fd78dbceb21139d0a554c736c77aa664bbe8a3fa40a
SHA512

bbd08bc2b74e4e780a2011ee135dd1dabd1b9dafeb9b8d0283cc34933cc1fd7c56f36945f4896262df62b75a3f585cf70e3f66226272ca8d240a30b0b00e337b
SSDEEP

12288://I3XvN06j06W09sPFj/U9MiWUav3j1uLcazMZ:SsPB/U9f4T83

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2680	hO01804AjNlO01804.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	hO01804AjNlO01804.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	41f15b3dd4bb3fe4f74844aa32a7cd98.exe
2376	41f15b3dd4bb3fe4f74844aa32a7cd98.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-1-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2376-17-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2680-20-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2680-30-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2680-40-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hO01804AjNlO01804 = "C:\\ProgramData\\hO01804AjNlO01804\\hO01804AjNlO01804.exe"	hO01804AjNlO01804.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	hO01804AjNlO01804.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	41f15b3dd4bb3fe4f74844aa32a7cd98.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	41f15b3dd4bb3fe4f74844aa32a7cd98.exe
Token: SeDebugPrivilege	2680	hO01804AjNlO01804.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2680	hO01804AjNlO01804.exe
2680	hO01804AjNlO01804.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2680	2376	41f15b3dd4bb3fe4f74844aa32a7cd98.exe	28
PID 2376 wrote to memory of 2680	2376	41f15b3dd4bb3fe4f74844aa32a7cd98.exe	28
PID 2376 wrote to memory of 2680	2376	41f15b3dd4bb3fe4f74844aa32a7cd98.exe	28
PID 2376 wrote to memory of 2680	2376	41f15b3dd4bb3fe4f74844aa32a7cd98.exe	28

C:\Users\Admin\AppData\Local\Temp\41f15b3dd4bb3fe4f74844aa32a7cd98.exe
"C:\Users\Admin\AppData\Local\Temp\41f15b3dd4bb3fe4f74844aa32a7cd98.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\ProgramData\hO01804AjNlO01804\hO01804AjNlO01804.exe
  "C:\ProgramData\hO01804AjNlO01804\hO01804AjNlO01804.exe" "C:\Users\Admin\AppData\Local\Temp\41f15b3dd4bb3fe4f74844aa32a7cd98.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hO01804AjNlO01804\hO01804AjNlO01804

Filesize
192B

MD5
6a7d7244477bf83f2045aa8eaf3d2e25

SHA1
669ab9f2ddb0972e7d9471512bebf72ee0522bd6

SHA256
ebc35a4047e186280e31cc9e852fe57f855487b8524153e55235311615a705e3

SHA512
de17386465ddc6b60d18bdd6665cce69bcfc78982b2b78d3c115c6c62136832f27634ac0b9028ca2a6d040875417cfe529acb9a45548bfa3e6f1e7ff74b06ec6

Download Submit
C:\ProgramData\hO01804AjNlO01804\hO01804AjNlO01804.exe

Filesize
201KB

MD5
fcfdb7dd3b68ee5f9281b881aeb5b5fe

SHA1
756d181c326738356b030dd329dcd70bc9efe969

SHA256
8fb012a487d51efb0927a2fa718e575aab0d0e8ff356ecaf042e3e65f5a95c2e

SHA512
5a4fc54e4fef7af3d5b76f95448c877914e9b8d0057466950de1f56d4bddcc02c120f64171fcf50cc901aa1bb09d8af1ac71d918a82dbee24e0c8e9891a3e9bb

Download Submit
C:\ProgramData\hO01804AjNlO01804\hO01804AjNlO01804.exe

Filesize
41KB

MD5
ffa14627f608b39da76477a458713a6c

SHA1
8e8166e2db46b19f030d0ef6e07951ad4805b231

SHA256
777bd0a0e61209504cb1d309dceec3c1da11592c5cf9e1ea8a36cbac97a101a6

SHA512
056673eab79fff88141e9bec07c22f0dc804561c4e8dbe3069b8fde391a2e6a6aa275a90e664c3fec16291c88582b82a8e8831639c4ab00ca84de8a7bb07a09b

Download Submit
C:\ProgramData\hO01804AjNlO01804\hO01804AjNlO01804.exe

Filesize
3KB

MD5
98b253cc293bde53c636f3c71e15c272

SHA1
9363fe6f08f3579b7279fc2afe11cea5a8f2e995

SHA256
4c58538795d3fb34fd5b3e7a5f3e336f049317088e23bceec64ced56e12af9bb

SHA512
7d8ff500242f38f0829845cee9600521d1767644f0c89c324e20e23b5f7b53ccd1405802dccb00f634c30ee33b1c3a13329d65abac13e4a6b365a9daa7d079bd

Download Submit
\ProgramData\hO01804AjNlO01804\hO01804AjNlO01804.exe

Filesize
278KB

MD5
20ab6ff2f9639f2e5a05d101ba2dd354

SHA1
836bc7ee01fa666fb6e84767cfa3898a8a747114

SHA256
95dc47bd645943e247929f1609d5337cb9ecd9f12d4a135f5a1e7555a5ee33b4

SHA512
6f1759c2e2e052fc25778b6fddfdc3542002770eb91a46f74c736b59d9c99faf6445e235cd84cd079164d276462c5c6120b7e48ed27e5ecc3fddd65593f0c3ff

Download Submit
\ProgramData\hO01804AjNlO01804\hO01804AjNlO01804.exe

Filesize
446KB

MD5
604944540c01243172cd149d3d5411a3

SHA1
45eeba141084154095b688d963395cde17983afc

SHA256
f9b464fcb43f5cbb77a819f8b6943690f9ee14b9e587bf251eab9027b28c86b0

SHA512
c832e71c4369d0b455ad88bf1db23d393d4d991b6a27664b2f5b52af34d1fc7463859e67eef71f0ae7b97932af82c89fedfe6ca3954fad66cae890a801bc4d1e

Download Submit
memory/2376-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2376-2-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2376-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2680-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2680-21-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/2680-30-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2680-32-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/2680-40-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download