93a039cd592c64a14e6e688f805b8f069cc2ec03a1d07ce6bb8db3b4fefe9745

Analysis

max time kernel
171s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

93a039cd592c64a14e6e688f805b8f069cc2ec03a1d07ce6bb8db3b4fefe9745.exe
Size

1.7MB
MD5

7468bd52e71f97bc30d3db3a7713b854
SHA1

c5749c92d145ab106d50a9d7423f5f37f3d57577
SHA256

93a039cd592c64a14e6e688f805b8f069cc2ec03a1d07ce6bb8db3b4fefe9745
SHA512

b73f7de7ba00a4b8896056cce0209c056750463155ac292ea41b058eb24eaa80ad749db4a9887add4fc842f59392f4aa9f0d601e11b77affff8dd53c0daebb8c
SSDEEP

49152:FAD4+2lXFPpd1ZtmB4TE/S4kzz/y7H2DGhFCTf:20+2zPpPZcB4TEVE/y7mGhFaf

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3900	PENetwork.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4340-0-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/4340-1-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/4340-25-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/4340-52-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4340-25-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe
behavioral2/files/0x000500000001e7ec-50.dat	autoit_exe
behavioral2/memory/4340-52-0x0000000000400000-0x00000000004C0000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3900	PENetwork.exe
3900	PENetwork.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3900	PENetwork.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3900	PENetwork.exe
3900	PENetwork.exe
3900	PENetwork.exe
3900	PENetwork.exe
3900	PENetwork.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3900	PENetwork.exe
3900	PENetwork.exe
3900	PENetwork.exe
3900	PENetwork.exe
3900	PENetwork.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4516	4340	93a039cd592c64a14e6e688f805b8f069cc2ec03a1d07ce6bb8db3b4fefe9745.exe	95
PID 4340 wrote to memory of 4516	4340	93a039cd592c64a14e6e688f805b8f069cc2ec03a1d07ce6bb8db3b4fefe9745.exe	95
PID 4340 wrote to memory of 4516	4340	93a039cd592c64a14e6e688f805b8f069cc2ec03a1d07ce6bb8db3b4fefe9745.exe	95
PID 4516 wrote to memory of 2316	4516	cmd.exe	97
PID 4516 wrote to memory of 2316	4516	cmd.exe	97
PID 4516 wrote to memory of 2316	4516	cmd.exe	97
PID 2316 wrote to memory of 3816	2316	cmd.exe	98
PID 2316 wrote to memory of 3816	2316	cmd.exe	98
PID 2316 wrote to memory of 3816	2316	cmd.exe	98
PID 4516 wrote to memory of 4600	4516	cmd.exe	99
PID 4516 wrote to memory of 4600	4516	cmd.exe	99
PID 4516 wrote to memory of 4600	4516	cmd.exe	99
PID 4516 wrote to memory of 5004	4516	cmd.exe	100
PID 4516 wrote to memory of 5004	4516	cmd.exe	100
PID 4516 wrote to memory of 5004	4516	cmd.exe	100
PID 4516 wrote to memory of 2308	4516	cmd.exe	101
PID 4516 wrote to memory of 2308	4516	cmd.exe	101
PID 4516 wrote to memory of 2308	4516	cmd.exe	101
PID 4516 wrote to memory of 2648	4516	cmd.exe	102
PID 4516 wrote to memory of 2648	4516	cmd.exe	102
PID 4516 wrote to memory of 2648	4516	cmd.exe	102
PID 4516 wrote to memory of 936	4516	cmd.exe	103
PID 4516 wrote to memory of 936	4516	cmd.exe	103
PID 4516 wrote to memory of 936	4516	cmd.exe	103
PID 4516 wrote to memory of 672	4516	cmd.exe	104
PID 4516 wrote to memory of 672	4516	cmd.exe	104
PID 4516 wrote to memory of 672	4516	cmd.exe	104
PID 4516 wrote to memory of 380	4516	cmd.exe	105
PID 4516 wrote to memory of 380	4516	cmd.exe	105
PID 4516 wrote to memory of 380	4516	cmd.exe	105
PID 4516 wrote to memory of 4564	4516	cmd.exe	106
PID 4516 wrote to memory of 4564	4516	cmd.exe	106
PID 4516 wrote to memory of 4564	4516	cmd.exe	106
PID 4516 wrote to memory of 2728	4516	cmd.exe	107
PID 4516 wrote to memory of 2728	4516	cmd.exe	107
PID 4516 wrote to memory of 2728	4516	cmd.exe	107
PID 4516 wrote to memory of 1740	4516	cmd.exe	108
PID 4516 wrote to memory of 1740	4516	cmd.exe	108
PID 4516 wrote to memory of 1740	4516	cmd.exe	108
PID 4516 wrote to memory of 1444	4516	cmd.exe	109
PID 4516 wrote to memory of 1444	4516	cmd.exe	109
PID 4516 wrote to memory of 1444	4516	cmd.exe	109
PID 4516 wrote to memory of 2484	4516	cmd.exe	110
PID 4516 wrote to memory of 2484	4516	cmd.exe	110
PID 4516 wrote to memory of 2484	4516	cmd.exe	110
PID 4516 wrote to memory of 324	4516	cmd.exe	111
PID 4516 wrote to memory of 324	4516	cmd.exe	111
PID 4516 wrote to memory of 324	4516	cmd.exe	111
PID 4516 wrote to memory of 4104	4516	cmd.exe	112
PID 4516 wrote to memory of 4104	4516	cmd.exe	112
PID 4516 wrote to memory of 4104	4516	cmd.exe	112
PID 4516 wrote to memory of 3900	4516	cmd.exe	113
PID 4516 wrote to memory of 3900	4516	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\93a039cd592c64a14e6e688f805b8f069cc2ec03a1d07ce6bb8db3b4fefe9745.exe
"C:\Users\Admin\AppData\Local\Temp\93a039cd592c64a14e6e688f805b8f069cc2ec03a1d07ce6bb8db3b4fefe9745.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PENetwork-White\PENetwork.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "PROCESSOR_ARCHITECTURE" 2>nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\reg.exe
      REG query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "PROCESSOR_ARCHITECTURE"
      4⤵
      PID:3816
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "GlobalFont" /t REG_SZ /d "Microsoft YaHei UI" /f
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "UseOSFont" /t REG_DWORD /d "1" /f
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "Scheme" /t REG_SZ /d "Win10" /f
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "Debug" /t REG_DWORD /d "0" /f
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "StartToTray" /t REG_DWORD /d "1" /f
    3⤵
    PID:936
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "MinimizeToTray" /t REG_DWORD /d "1" /f
    3⤵
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "CloseToTray" /t REG_DWORD /d "1" /f
    3⤵
    PID:380
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "ShowTrayActivity" /t REG_DWORD /d "1" /f
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "SaveWinPos" /t REG_DWORD /d "0" /f
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "OpenPage" /t REG_DWORD /d "1" /f
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "OpenLastPage" /t REG_DWORD /d "0" /f
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "LastPage" /t REG_DWORD /d "3" /f
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "SchemeDefault" /t REG_DWORD /d "0" /f
    3⤵
    PID:324
- - C:\Windows\SysWOW64\reg.exe
    Reg.exe add "HKCU\Software\PENetwork" /v "SchemeClassic" /t REG_DWORD /d "0" /f
    3⤵
    PID:4104
- - C:\Users\Admin\AppData\Local\Temp\PENetwork-White\PENetwork.exe
    "PENetwork.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PENetwork-White\MY.icl

Filesize
1.1MB

MD5
8a7e39ba0ea679a783f2d514c105b1b1

SHA1
141366ab6cbe7ee6992d1d3a4d34ad7f92ef67d9

SHA256
0dcfab2f634e82764938da8ac32386f799e488d7011e3e9bdbea0ea304d29e6a

SHA512
2e91bc4a2e5aa67fe2c63a06f0404e890efcb6d8d850a984e05895c97b59ebb076512c4c1e887169b963037cc0f7ed92ed6a79bd4d9b156691e4c54bb5d5bd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\PENetwork-White\Network.exe

Filesize
578KB

MD5
d3b7bac529f8d1a176db386ab891b32b

SHA1
bd927386385fc33391d906f972ac6b1a229e7942

SHA256
68f2dbbb0f704958f2b8b3711d45d26053d3c9feb20c9f46cdaa04331ecc617f

SHA512
9aaf6b1512163cae99398632f3a84a2d9cf23c1c9665fb4c8a644b5c07b20a2edd9551fb86e37453d251e99659f7879251aa18424d0121359a09cf13a26c48c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PENetwork-White\PENetwork.cmd

Filesize
1KB

MD5
eb6c33e61087ac60b7d8e3b07b664644

SHA1
8736cc2996badce9b00f155e501d749dfd8f539f

SHA256
695ee0c8ed2fdbb596dfd999856c84f80512e6c48bb55d9d9ef2c309bde2d773

SHA512
572d41a4f9ddbe45af88f6909712c71403a3eb0559bf328e7717fee5d4840b7a245126a2a511945c22c58e21a016a5656b0e0c3bc2e03e9a3904381982504198

Download Submit
C:\Users\Admin\AppData\Local\Temp\PENetwork-White\PENetwork.exe

Filesize
1.8MB

MD5
cb70a3e8f34c64ae9d8745dfdce89128

SHA1
10f683cb7a6b5602ce76bce8c4586970e9b5b176

SHA256
50c0de125ad41583f45a4b6bb8813f4ec0556c68cb6f93a0d95c4b9ce43fe053

SHA512
c288351fa428488b0c87d85fb3665e486cccb9e775e0889b2659ca60a929f4eb753b27840bf9c32436065e32167107499fbb311be00c05f2908bb47c102b8919

Download Submit
C:\Users\Admin\AppData\Local\Temp\PENetwork-White\PENetwork.ini

Filesize
31KB

MD5
1b1278e99bf14cbc049d7546a651a84b

SHA1
a6be2ce54adcc089bbe09e19459ea9c7fc66c608

SHA256
70e355d0ebec0e368e0d1f7d1c6d88700fac50e2308e5478bf66345d0d7c788e

SHA512
1f9112d24e7004eeff98f07d26597072c0b011f53c21095d1e301946d2734570f93aca520a178d4005cf2a99ac7a7038d8458601c8cdb5a891ad6271d4e38b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\PENetwork-White\PENetwork_zh-CN.lng

Filesize
22KB

MD5
130c871a5d386c51846d1225999acf89

SHA1
bd4e31ce4ece5948dcba16e685cad1a91f45fb9c

SHA256
82219a84b117211e4004cf10cf2f7c6ff100f32c7bf6df512df2ea663d284be8

SHA512
535dc82438368101d4fee1b6d1ecda741d7adcdfbac34930090e8818b702d768086e11f831889be822222b37e42a9e46bfb6696f8d439391491de01f0c761d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\autB67E.tmp

Filesize
147KB

MD5
82a27f644fff134a1acccf7870c8f1fd

SHA1
44b9933f1555a1f75ca2a4c7b66795f1e44a4598

SHA256
c03f280e5a33401104339f75559d3ca91feeff03d6e9c179fcb3baf0cfaffebc

SHA512
96b753b55713179c157db33dd1ae763eede4c2f4f08a4609a57be428bcb9962ad8f219890938a456c05dac62610ad1b85ab3450a1d73060266aa7bd6084971f2

Download Submit
memory/4340-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4340-1-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4340-25-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/4340-52-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download