d51d273c6712285a44444a23d42c3ef936e167dc6be08bceaecda08cf3c827f2

Analysis

max time kernel
223s
max time network
175s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

427fed2121c2defc757d052c1eb2819b.exe
Size

459KB
MD5

427fed2121c2defc757d052c1eb2819b
SHA1

1325e54cb3f258cfa2e6800fad16b2ce52bfd474
SHA256

d51d273c6712285a44444a23d42c3ef936e167dc6be08bceaecda08cf3c827f2
SHA512

b7cca4dffeab5211a2a3670504f93c198d0d4ddcde465a8c0edfec279d6608f4c0729d999934df21f74f72f4fbd72ef4e0e96e15553391678940e818936c4b21
SSDEEP

6144:7VUQ2xBlohtKWu0gGgVt3M9EZL5Ac6QIynxtAMrxXFWO/w0apEwwWKRO:3SMhtKJ0WL3Mibh6QJpVWO/w9gJU

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1724	gL06501LaBpC06501.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	gL06501LaBpC06501.exe

Loads dropped DLL 2 IoCs

pid	Process
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2684-1-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2684-3-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2684-4-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2684-7-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2684-21-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1724-33-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/1724-43-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gL06501LaBpC06501 = "C:\\ProgramData\\gL06501LaBpC06501\\gL06501LaBpC06501.exe"	gL06501LaBpC06501.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	gL06501LaBpC06501.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
2684	427fed2121c2defc757d052c1eb2819b.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	427fed2121c2defc757d052c1eb2819b.exe
Token: SeDebugPrivilege	1724	gL06501LaBpC06501.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1724	gL06501LaBpC06501.exe
1724	gL06501LaBpC06501.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1724	2684	427fed2121c2defc757d052c1eb2819b.exe	28
PID 2684 wrote to memory of 1724	2684	427fed2121c2defc757d052c1eb2819b.exe	28
PID 2684 wrote to memory of 1724	2684	427fed2121c2defc757d052c1eb2819b.exe	28
PID 2684 wrote to memory of 1724	2684	427fed2121c2defc757d052c1eb2819b.exe	28

C:\Users\Admin\AppData\Local\Temp\427fed2121c2defc757d052c1eb2819b.exe
"C:\Users\Admin\AppData\Local\Temp\427fed2121c2defc757d052c1eb2819b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\ProgramData\gL06501LaBpC06501\gL06501LaBpC06501.exe
  "C:\ProgramData\gL06501LaBpC06501\gL06501LaBpC06501.exe" "C:\Users\Admin\AppData\Local\Temp\427fed2121c2defc757d052c1eb2819b.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gL06501LaBpC06501\gL06501LaBpC06501

Filesize
192B

MD5
630b79ccd83070c808324eb52ce39984

SHA1
02d02fd7fdb6cd583d309613b363e6c2c96e6dc5

SHA256
892701286a2f483e8a8cbebeaa0eb46659ac33b9749f3719102a268349a62cf0

SHA512
b32be3dbbf0afbce9922526a6dd38761d0603d6888a595d7082aceef0315d713feeaffc6f8b11fb8dd6975d6f776ee5874a26772afa0327091f95e38f02f41a1

Download Submit
C:\ProgramData\gL06501LaBpC06501\gL06501LaBpC06501.exe

Filesize
459KB

MD5
ee4a18bf918c5b9d0333c89bbac192af

SHA1
c7d6bb2e3d6f424f88c9575e4f5aaae0b96664bf

SHA256
698e15f0abf696f09e91dd85191170231cdf9d14c0293f44c6bc6e6a2a581454

SHA512
5ae6d7820c792610c551356fef9c994a2b23b82dbf2398aa2cc9a6e8586f97179c41ee1ac73ab45cd4e3817c5a2485e9a1d94751f0978c132fd85dac618bed5b

Download Submit
memory/1724-43-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1724-35-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1724-33-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1724-24-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2684-4-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2684-21-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2684-8-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2684-7-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2684-1-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2684-3-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2684-2-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download