6b604235eafe60490fce7854ae5391b2e0e3157e9db42262a92e4573c8b4e657

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5803d10dba05acbc6c83bdc63a991933.exe
Size

321KB
MD5

5803d10dba05acbc6c83bdc63a991933
SHA1

1fda4366dac7efc1b2604a08871a418a0be47f21
SHA256

6b604235eafe60490fce7854ae5391b2e0e3157e9db42262a92e4573c8b4e657
SHA512

f65e1d16bd849c32689c3d5857bdc63315ce0df64c913569cf2ba894eddc3d256561b00992338b8cdf58116be2f820f716263f8b3461104f54142229660eea98
SSDEEP

6144:36YajbofxCvXQhHLwiVwkI4aZoOg43LiyIlm0kz2taotsoeOXXKx:xWPu8ibI4aSOg4O1taotsoeOXXKx

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2704	rinst.exe
2788	Lagger.exe
2756	spk.exe

Loads dropped DLL 18 IoCs

pid	Process
1512	5803d10dba05acbc6c83bdc63a991933.exe
1512	5803d10dba05acbc6c83bdc63a991933.exe
2704	rinst.exe
2704	rinst.exe
2704	rinst.exe
2704	rinst.exe
2704	rinst.exe
2788	Lagger.exe
2788	Lagger.exe
2788	Lagger.exe
2704	rinst.exe
2704	rinst.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2788	Lagger.exe
1512	5803d10dba05acbc6c83bdc63a991933.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000155f7-13.dat	upx
behavioral1/memory/1512-15-0x0000000003070000-0x0000000003077000-memory.dmp	upx
behavioral1/files/0x00070000000155e9-29.dat	upx
behavioral1/memory/2788-46-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/files/0x0007000000016d09-54.dat	upx
behavioral1/memory/2704-55-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral1/memory/2756-60-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/files/0x0007000000016d09-59.dat	upx
behavioral1/files/0x0007000000016d09-58.dat	upx
behavioral1/files/0x0007000000016d09-57.dat	upx
behavioral1/files/0x0007000000016d09-56.dat	upx
behavioral1/memory/2788-73-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2756-74-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-76-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-77-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-79-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-81-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-83-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-85-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-87-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-89-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-91-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-93-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-95-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-97-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-99-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral1/memory/2756-101-0x0000000000400000-0x0000000000483000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spk = "C:\\Windows\\SysWOW64\\spk.exe"	spk.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\spk.exe	rinst.exe
File created	C:\Windows\SysWOW64\spkhk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	spk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2756	spk.exe
2756	spk.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe
2756	spk.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2704	1512	5803d10dba05acbc6c83bdc63a991933.exe	28
PID 1512 wrote to memory of 2704	1512	5803d10dba05acbc6c83bdc63a991933.exe	28
PID 1512 wrote to memory of 2704	1512	5803d10dba05acbc6c83bdc63a991933.exe	28
PID 1512 wrote to memory of 2704	1512	5803d10dba05acbc6c83bdc63a991933.exe	28
PID 1512 wrote to memory of 2704	1512	5803d10dba05acbc6c83bdc63a991933.exe	28
PID 1512 wrote to memory of 2704	1512	5803d10dba05acbc6c83bdc63a991933.exe	28
PID 1512 wrote to memory of 2704	1512	5803d10dba05acbc6c83bdc63a991933.exe	28
PID 2704 wrote to memory of 2788	2704	rinst.exe	29
PID 2704 wrote to memory of 2788	2704	rinst.exe	29
PID 2704 wrote to memory of 2788	2704	rinst.exe	29
PID 2704 wrote to memory of 2788	2704	rinst.exe	29
PID 2704 wrote to memory of 2788	2704	rinst.exe	29
PID 2704 wrote to memory of 2788	2704	rinst.exe	29
PID 2704 wrote to memory of 2788	2704	rinst.exe	29
PID 2704 wrote to memory of 2756	2704	rinst.exe	30
PID 2704 wrote to memory of 2756	2704	rinst.exe	30
PID 2704 wrote to memory of 2756	2704	rinst.exe	30
PID 2704 wrote to memory of 2756	2704	rinst.exe	30
PID 2704 wrote to memory of 2756	2704	rinst.exe	30
PID 2704 wrote to memory of 2756	2704	rinst.exe	30
PID 2704 wrote to memory of 2756	2704	rinst.exe	30

C:\Users\Admin\AppData\Local\Temp\5803d10dba05acbc6c83bdc63a991933.exe
"C:\Users\Admin\AppData\Local\Temp\5803d10dba05acbc6c83bdc63a991933.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lagger.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lagger.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2788
- - C:\Windows\SysWOW64\spk.exe
    C:\Windows\system32\spk.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Lagger.exe

Filesize
36KB

MD5
3a77583b727102f607a09887b8ec63f8

SHA1
b0c49f6ec5804d2901b4cb2153d9a792b2313ff6

SHA256
a998e6006c6a2b8115c237df5e372c161d5bb5520f33706c8aa8b9cdad1811ca

SHA512
d55c44bb119cbedc99546d5d2b1da9b53cc1feff1ff74327f2badb698b165465f95a0e569e9d069375061a965aa2eb96ed7ca3e52e24364d0c2a9e6625f902c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
964B

MD5
6e8a97a13a5354287695a8c3557444a4

SHA1
3549d293aaef82428edc4e6c7ff3a92119286722

SHA256
ba78732a606c9b738bcaeba437f185fe89111d7da2f476b87094d516b415ef3e

SHA512
814f5fa13e8cdf215c4d3a07b566fa4b9fcb95dd7ccb480ea0e515b9ca2e297e77a581d9980c0817ed5b3106613204b58deda46adccfd138f0a91768a827bade

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
3KB

MD5
321f3d62e732b5af058577db2963ae78

SHA1
7fd4546ffdacd2c3672623ae460019c74b86d5a2

SHA256
f5c9b6f55bd437cd94e340f7b01e1a3a4f03321f73b7d7bb4a9821db6ca0de40

SHA512
1660ff45166d476336c4c662850579e773c38764feb2d68a9898a60a9849611cd7cc7d28d07bb1b7d169307a683831b38b2f3624bab27a3036779ace5509f030

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spk.exe

Filesize
213KB

MD5
a392b38b05fda8a4c43283eb6a78fcc1

SHA1
ed9b6ed983bd6706e5af7833c7a42f389970aebe

SHA256
112b017583aa7f61ed5c651c304bb6d22948dcd93f2d1a09d648c76bc4c6a492

SHA512
c4969978d8bec385ba5614ee6ca92b0e427ea7a766d296ee7a5bd3f739cdda17876ab9f87089e98359b5e81b804d68c13800008853ab9fec4f093c8e85155d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spkhk.dll

Filesize
19KB

MD5
22193f3140cf0ad1adf6461c00e337c4

SHA1
29e2746738a4c82b05291ed0f7b306c02660f2fb

SHA256
f78c156a8a76fb11c479fcbe94a7a599812c34ce71ddea5ed4d0cc9c8f42a690

SHA512
9b05d3e91dacd93355adfb92271e67535f1fd7e7211f9c2c7bf1c1030aab235447b16a5e6f01659812f353bce56ec0bd610a9bc960b8a6ae81577c93c5a26170

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
3KB

MD5
d2df04d0189de76ab5922edaa7122e4d

SHA1
70cf07378dc4aa1eeeb5fefd25df14e97166f8fb

SHA256
91d3affb4ce756b39f3a3a7c32ddda60f235773bf8f9f1b3dfc228ad10666128

SHA512
0c348f587e5d15885995e994e85d357e8e444ad815b369b845bf9aa8333be5ab040565d3948011794c9c444e717b0b93531c3ec13ecab7588220d1aca8fbb7a8

Download Submit
C:\Windows\SysWOW64\spk.exe

Filesize
213KB

MD5
d0572ddefa42687cf903a123500faf20

SHA1
f154692f339a4d4d24257e57afdb85d2466c88c7

SHA256
d506c74a96796a530f974a7e2337707e9da18f201e12f2539ecf12f4dd098221

SHA512
e594b07f5d1a9b03f9878db333aa85fae79e9b9e840c093b23c97840b25a062969deb5baa312dabd979c32a363c6a37c7fbe661135b7766fc0e26ad9cf1296f5

Download Submit
C:\Windows\SysWOW64\spk.exe

Filesize
118KB

MD5
c52ec0081c186b517de06549de183d04

SHA1
abe879bdfa76342deef55613d4c40f280389fa48

SHA256
ecd986446e1b3e391f591f9d5dc4a26689f2bb2631df1423b0f7d11ab8fe7e1a

SHA512
5f085e2b5429fdc013f920cf1b54559c7ac4c1f4d2e9df82f7ea956e851e2c611432b9716594c456277d5cd46c5daeaf09e55a5630b75b9f54785a91c21a2456

Download Submit
C:\Windows\SysWOW64\spkhk.dll

Filesize
19KB

MD5
09e08e10336e8652ae19ade8f18c3893

SHA1
7bdb749cbb45a1532d00ef08426a667dc11b7d0b

SHA256
72a81a5179271a1f7a7da748ef5e2b53edc955efff690126f50856dd2befc65b

SHA512
248b10a00890dd7624446749263adac9c6674b25b433b10153fdd47e018734bd97705e50aba1813759ba622242e4f1a840038e6028dfd46c89319f9f2b7b7752

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
7KB

MD5
24f3e464fef5452377b580f3c087304d

SHA1
9ce0c9babc8b2a23d31aa24aad5fef8a763b3484

SHA256
0abb07381e293e021b8d2e185feffdc9a66addf503561ad71576b1ee924d8d6a

SHA512
45caa8ce639e9248821c72268db83a43c6de7b1be3eec4823e19ff4f31b5da5f8c353854bba392980391cbdb69acbe0c546e531e7950dcd8fdbfd67ae74d458e

Download Submit
\Windows\SysWOW64\spk.exe

Filesize
56KB

MD5
654654ac8c915949806eff020a2c9409

SHA1
3f595982d437c5fd0672dafed9848a7b05b038b1

SHA256
c6054c4a40f78920e22fc6f9f87528bfe4ef8c9f3614dddb87ccfd812c6c53e5

SHA512
2f08381f0196140693172deed6a1cabb0a611347d9aa9944d5704daa0df2671de04be75329723166a32f149b6716cb956265ffd684fc0263a7f9fa95520568d3

Download Submit
\Windows\SysWOW64\spk.exe

Filesize
114KB

MD5
ee43e407fb40da6b6eb36f4d7ecdb608

SHA1
35a006c7453ee4fd07d8ac0fc70d64aab4d456a4

SHA256
987f03e4d60d4b27f1458bf6f9f3f733f1ce6035ea6cdcf8b313faf2fddce594

SHA512
6bf39574aa6ea8dd58eb4a3e1e1064b37c45069dc52b72acea8c81e1d43815c3ac4208a4f1fe1fd6d162c9c8ea045bbbffbff8cc419d375ead1b4760bab4e1b9

Download Submit
\Windows\SysWOW64\spk.exe

Filesize
98KB

MD5
84edabef7f4ae5bcf8ee3d3b0ff25778

SHA1
0b355f272e0cb2ab17999ed870fd982fa32f3d47

SHA256
92cbbe2f1ed67b500469b476037369c85e335d053ea7cc453437466d8f6c19ea

SHA512
ff03c83fbfb69df7f2ad473c000392984c58c990eef95cd4f6f940582303a7bd6fc59ed1d0aba477c6441a9e0afe50bca397f3cb7de29f6d0803934c072396e8

Download Submit
memory/1512-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1512-19-0x0000000003070000-0x0000000003077000-memory.dmp

Filesize
28KB

Download
memory/1512-15-0x0000000003070000-0x0000000003077000-memory.dmp

Filesize
28KB

Download
memory/2704-28-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/2704-27-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/2704-45-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2704-55-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2704-41-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2756-76-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-83-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-61-0x0000000000240000-0x00000000002C3000-memory.dmp

Filesize
524KB

Download
memory/2756-101-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-99-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-97-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-74-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-60-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-77-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-79-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-81-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-95-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-85-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-87-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-89-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-91-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2756-93-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2788-62-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2788-73-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2788-46-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2788-49-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads