36d417665c7d98e3e82095509d17836e100ad3f124b65744af794383ecadaca7

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f8e3029712190540b5f4b163f11f45.exe
Size

108KB
MD5

46f8e3029712190540b5f4b163f11f45
SHA1

3aa78e80cabb2a33816084e033301048b93aa155
SHA256

36d417665c7d98e3e82095509d17836e100ad3f124b65744af794383ecadaca7
SHA512

91714f70e3d763172a07976a53458a2e71e65e433486235061a336179f906254777c44ec4b791475929f3c4868cf12d3d62b8baf107feff56a85691deca940d9
SSDEEP

3072:Fl6jf3BJC4rojIz72ldvsH4zW72OtED3yV:y36If2Dv04zWaOqD3M

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{njuicgou-kalh-rech-puhf-aejsiiubjcot}\stubpath = "C:\\Windows\\msoxlnd.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{njuicgou-kalh-rech-puhf-aejsiiubjcot}	svchost.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000012266-133.dat	acprotect

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msoxlnd.rpl	svchost.exe
File opened for modification	C:\Windows\msoxlnd.exe	46f8e3029712190540b5f4b163f11f45.exe
File created	C:\Windows\msoxlnd.exe	46f8e3029712190540b5f4b163f11f45.exe
File opened for modification	C:\Windows\msoxlnd.dll	46f8e3029712190540b5f4b163f11f45.exe
File created	C:\Windows\msoxlnd.dll	46f8e3029712190540b5f4b163f11f45.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2844	svchost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeSecurityPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeTakeOwnershipPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeLoadDriverPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeSystemProfilePrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeSystemtimePrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeProfSingleProcessPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeIncBasePriorityPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeCreatePagefilePrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeBackupPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeRestorePrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeShutdownPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeDebugPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeSystemEnvironmentPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeRemoteShutdownPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeUndockPrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeManageVolumePrivilege	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: 33	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: 34	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: 35	2080	46f8e3029712190540b5f4b163f11f45.exe
Token: SeShutdownPrivilege	2844	svchost.exe
Token: SeShutdownPrivilege	2844	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28
PID 2080 wrote to memory of 2844	2080	46f8e3029712190540b5f4b163f11f45.exe	28

C:\Users\Admin\AppData\Local\Temp\46f8e3029712190540b5f4b163f11f45.exe
"C:\Users\Admin\AppData\Local\Temp\46f8e3029712190540b5f4b163f11f45.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msoxlnd.dll

Filesize
87KB

MD5
ee43f31d41c41328c7657cc1d2a2d6d6

SHA1
d0b7cd58f060830ff562080f1d0c51fcb3d4f780

SHA256
8840113f2d1aeb8ffc9cbe77ae94c1ba6daac553ef72beb49d45b6c0041f1e1d

SHA512
5c3829515443031eb4a4cefe2a87727625c733d4e36eb1c84afa21945731d03cf4ad9d8476a836e7dd999f45b2f00cdd711e1152fba3e256ed7aa8fb8526ccd7

Download Submit
C:\Windows\msoxlnd.exe

Filesize
108KB

MD5
46f8e3029712190540b5f4b163f11f45

SHA1
3aa78e80cabb2a33816084e033301048b93aa155

SHA256
36d417665c7d98e3e82095509d17836e100ad3f124b65744af794383ecadaca7

SHA512
91714f70e3d763172a07976a53458a2e71e65e433486235061a336179f906254777c44ec4b791475929f3c4868cf12d3d62b8baf107feff56a85691deca940d9

Download Submit
memory/2080-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-4-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2844-11-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2844-14-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2844-21-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2844-132-0x0000000010410000-0x000000001044E000-memory.dmp

Filesize
248KB

Download
memory/2844-149-0x0000000010410000-0x000000001044E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads