3f0370b98331c743c2f3d780073d9fd3028754ae53850ef399c1483d4f45a494

Analysis

max time kernel
143s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

585f00ecad2f6b1082b9e47a92a1ea9f.exe
Size

655KB
MD5

585f00ecad2f6b1082b9e47a92a1ea9f
SHA1

126caf66ddca3ca145d858671b6c5a228fe6b5ac
SHA256

3f0370b98331c743c2f3d780073d9fd3028754ae53850ef399c1483d4f45a494
SHA512

997453fb853f0901b757dee777d3026963cc6155b35734c9bbd8ed3d96ac006ee45e31d8f91e4acad7848d61af3788e0207d43b44fee90bcbd2da962365ed720
SSDEEP

12288:irGEyAaqbKJ6T/FJG3NoA9VzngfCcLUOzLE/u/lmE6pTmz6EImA370MSBoSn:irGdgbK4D+BUfCMZJmE6sO34vT

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2272	svcwwba.exe

Loads dropped DLL 3 IoCs

pid	Process
2716	cmd.exe
2716	cmd.exe
3008	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2108-5-0x0000000000400000-0x0000000001954000-memory.dmp	upx
behavioral1/memory/2108-58-0x0000000000400000-0x0000000001954000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user	attrib.exe
File created	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Shutdown	attrib.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\user\Scripts\Startup	attrib.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Debug\error.gg	cmd.exe
File created	C:\Windows\ime\scripts.ini	cmd.exe
File opened for modification	C:\Windows\ime\svcwwba.dat	cmd.exe
File created	C:\Windows\ime\svcwwba.exe	cmd.exe
File opened for modification	C:\Windows\Debug\debug.dat	cmd.exe
File opened for modification	C:\Windows\Debug\ttb.dat	cmd.exe
File opened for modification	C:\Windows\ime\scripts.ini	cmd.exe
File created	C:\Windows\ime\svcwwba.dat	cmd.exe
File opened for modification	C:\Windows\ime\svcwwba.exe	cmd.exe
File opened for modification	C:\Windows\ime\de-DE\svcwwba.ini	svcwwba.exe
File created	C:\Windows\ime\de-DE\msadotb.htm	svcwwba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2752	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	svcwwba.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3008	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2272	svcwwba.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	tasklist.exe
Token: 33	2272	svcwwba.exe
Token: SeIncBasePriorityPrivilege	2272	svcwwba.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2272	svcwwba.exe
2272	svcwwba.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2716	2108	585f00ecad2f6b1082b9e47a92a1ea9f.exe	28
PID 2108 wrote to memory of 2716	2108	585f00ecad2f6b1082b9e47a92a1ea9f.exe	28
PID 2108 wrote to memory of 2716	2108	585f00ecad2f6b1082b9e47a92a1ea9f.exe	28
PID 2108 wrote to memory of 2716	2108	585f00ecad2f6b1082b9e47a92a1ea9f.exe	28
PID 2716 wrote to memory of 2804	2716	cmd.exe	30
PID 2716 wrote to memory of 2804	2716	cmd.exe	30
PID 2716 wrote to memory of 2804	2716	cmd.exe	30
PID 2716 wrote to memory of 2804	2716	cmd.exe	30
PID 2716 wrote to memory of 2200	2716	cmd.exe	31
PID 2716 wrote to memory of 2200	2716	cmd.exe	31
PID 2716 wrote to memory of 2200	2716	cmd.exe	31
PID 2716 wrote to memory of 2200	2716	cmd.exe	31
PID 2716 wrote to memory of 2752	2716	cmd.exe	32
PID 2716 wrote to memory of 2752	2716	cmd.exe	32
PID 2716 wrote to memory of 2752	2716	cmd.exe	32
PID 2716 wrote to memory of 2752	2716	cmd.exe	32
PID 2716 wrote to memory of 2760	2716	cmd.exe	33
PID 2716 wrote to memory of 2760	2716	cmd.exe	33
PID 2716 wrote to memory of 2760	2716	cmd.exe	33
PID 2716 wrote to memory of 2760	2716	cmd.exe	33
PID 2716 wrote to memory of 3008	2716	cmd.exe	35
PID 2716 wrote to memory of 3008	2716	cmd.exe	35
PID 2716 wrote to memory of 3008	2716	cmd.exe	35
PID 2716 wrote to memory of 3008	2716	cmd.exe	35
PID 2716 wrote to memory of 3008	2716	cmd.exe	35
PID 2716 wrote to memory of 3008	2716	cmd.exe	35
PID 2716 wrote to memory of 3008	2716	cmd.exe	35
PID 2716 wrote to memory of 2272	2716	cmd.exe	36
PID 2716 wrote to memory of 2272	2716	cmd.exe	36
PID 2716 wrote to memory of 2272	2716	cmd.exe	36
PID 2716 wrote to memory of 2272	2716	cmd.exe	36

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2804	attrib.exe

C:\Users\Admin\AppData\Local\Temp\585f00ecad2f6b1082b9e47a92a1ea9f.exe
"C:\Users\Admin\AppData\Local\Temp\585f00ecad2f6b1082b9e47a92a1ea9f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3A33.tmp\sso.bat" "
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\Windows\system32\GroupPolicy\*.* -r -s -h /s /d
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2804
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations2" /t "REG_MULTI_SZ" /d "\??\C:\Windows\ime0\0\??C:\Windows\ime\0\??\C:\Windows\ime\scripts.ini\0\??\C:\Windows\System32\GroupPolicy\user\Scripts\scripts.ini" /f
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "ravmond.exe 360tray.exe kxetray.exe "
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\ime\svcwwba.dat,Launch
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3008
- - C:\Windows\ime\svcwwba.exe
    C:\Windows\ime\svcwwba.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3A33.tmp\sso.bat

Filesize
1KB

MD5
05ce73c7df89fcb6b8bfef2f44256084

SHA1
0474694e74ff2c0a1144542e5f6ccafca0c696a7

SHA256
fc605ee8b99c79265f13187c30b8b89332628c53ac200adcc2309eaa0456883d

SHA512
3af6fc8a838084c873be69069aea3a34985a4ec21deab492706d3d105b7ac2cb8703e31ea9f81c226e011faf4ee38fc78748f4e17d060efad4d59e95f21783ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A33.tmp\tb.dat

Filesize
545KB

MD5
3d9d72213fd3be2cbf4b406c8fa81c37

SHA1
dfa74749dcea3d69170ec9c8592be809e175f34e

SHA256
c6aa1b58906d0f96e2628ef1a3306e7036d74120e948626b27ebfb84d1f17dbc

SHA512
cbe0c65ee7eb467ce9b811ab2e5777d34e898ea7e97aef810c021bb721d34f377b0fff002a3f141f76867ae337742cc03f9caecf909ee2be57c19e26437a5ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A33.tmp\win.bat

Filesize
1013B

MD5
1232389a6f9ba08d3edd8df525f8887b

SHA1
cc7f3f3e30eeb997fb0edf68dcc468f053944e1e

SHA256
e4f953a6ef323ba224bea831fd2b2ab035d45a020876effea5dbf5a3902fb750

SHA512
486d8e18fe381dcbc88d306fb76531697a0c51d60faaf45030f9f9f0fb9fa98adb21d725a4f5695e0b9ec13731c93f0dfdd13b4296154ab8499067289dbea170

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A33.tmp\woti.dat

Filesize
542KB

MD5
7efb67c5c0372c43269d818b5a5d8e67

SHA1
fa27acbb9dc0d1edf6a13bfb01d3da50533b0ad8

SHA256
b2bbcd6aef2e78e88197fb3944587ad7c095c103d84d3a145c80a24a9ee98af9

SHA512
00b1701bf9d3f6098d202bf62088cfb6c6cde1c6dabdc3ec7eeabbd58962d3a22c6c55c3b7e036440f1d59d6d61f7c5ef83ae1cbd204b282e57deba67df6dd20

Download Submit
C:\Windows\IME\de-DE\msadotb.htm

Filesize
443B

MD5
3e46af675d8002a9be76fd45ea0cb064

SHA1
2e8021e926b73f9e61147360a6c88630ccc88892

SHA256
d06062ccef5cabb3576a760485ec37fcd47d2b5c86ce8da504fe72f4d46fd2f7

SHA512
6d72bd99b55711461fc009ec1e18ff679589531fac81bad979686c908d3bbb32b3a091cfc9209ee9b21a1f66ab396a431656671bb9c14964d688e96dcb7d9963

Download Submit
C:\Windows\IME\de-DE\svcwwba.ini

Filesize
119B

MD5
0786681bf812d86b2e1dbad60b21cbb5

SHA1
89654f4b2631ebcb403c04f1e531e79347fb082d

SHA256
c4227ee453c189bd762604e97f454366d3691cb006ed9ad29d52684ff7cf123e

SHA512
32b3eb4740985d111ab928d9f806f850e75dbd9bafe81526738b065283d7f765a892e74313d3da0e24a781e0a759280cac9044ec4e0a2f9f5f73c6a7b86cc2a0

Download Submit
C:\Windows\IME\scripts.ini

Filesize
44B

MD5
f1ccc9de1b67d00d55abfea224e65b88

SHA1
403e72f73cf9fec96c9410c6e2a4a0d81e1088e4

SHA256
4895be9dd90dbca6ce8ebe08bb8f4445926e8dc8cf6629fb722e63f6b047216b

SHA512
d871c841a0342342ec5969e1389a964516a31531abc38574f5c46e254886bd4867aa71758ad325b7738b47faf34dfd8f684e06770eb8948e69a04d144d18dc41

Download Submit
C:\Windows\IME\svcwwba.dat

Filesize
82KB

MD5
01095fdb3f2f05a33c95430e9062b7ca

SHA1
d060455f7b409a0c41138ceda8731060a197b6e9

SHA256
6b826d90b6ba53d371b467fd87c60b12d4fb88a9c0a66a0075bb5f2cf9c7e598

SHA512
570f0a431161312f1e9f90385a7d20e8045400c07298df4548d932c33ae6aaf5f013da42632fcaa1760df51bc7a7ab11f30b13cfa16008850d0e129a71f67a27

Download Submit
C:\Windows\IME\svcwwba.exe

Filesize
83KB

MD5
addad536f9a82f2dc943f8784dc847be

SHA1
69f46ef5c6605a27e63c441d774ddc95d7d069cf

SHA256
07bd6d5ae171dfc80906f214efd84ad479c5e73a03e9a6b1db81abb59997ca9e

SHA512
39faec0685606c71f24418dfcfbebd22f15345f73a091b2fa4cf19fc8d1296f354d929a5e1839dcefcba0e1af91c31048c83d66bccb448e602ceb25c93643882

Download Submit
C:\Windows\IME\svcwwba.exe

Filesize
57KB

MD5
4bd086610e8aa6f64bb10b80e9dc9ee2

SHA1
60f9a0925b7a5a5394091f60094248746cbbc8ff

SHA256
57554377176a7431769a417643252af35214f7747d6f14d6add4ac83b2d429a1

SHA512
ddb58cbf567005b325e0c4c1b7909e0dbad9b896e5a0172c2c36c1dff1e1bb288ad4380668319e4f70ad7d7f459af00226dc1dfd4bae1c095892272e0f883800

Download Submit
C:\Windows\ime\svcwwba.dat

Filesize
308KB

MD5
ca2d34963229aa581e00cee0d87661de

SHA1
9cfafcefe6aaffac3c3c9207e7316c291edd1f1c

SHA256
84d8dde3da2e96b1b9d2c542539179148e00bf941738ccb66cb3d98e07089018

SHA512
9bd355caedcb88aa81a0b95dadd93891d6b6bc5731b461a5dfdc4ac1086e487f0fd2d64112998dad0483469b9f37a36f20395eeb73d86ab2d4fb6af1a02a04e3

Download Submit
C:\Windows\ime\svcwwba.exe

Filesize
45KB

MD5
ed4913e47c9b9a4be02de9c72816e5a8

SHA1
d01af86b0e8f2cfe9f738f62bbb1cdb4efae44ea

SHA256
d8ccd9b1db13525a6b6e280e3bac4343ca495309ef9e73164c3c9de768b5ebe8

SHA512
827b5c230db6b33456891b44a5b2bcadf49b5aaf86613181ed6f4e65edd671b754cee81c275f7ee5fb9bad4a6c1c597e4aea149b0f5a3fb5d49ae31aad295e87

Download Submit
\Windows\IME\svcwwba.dat

Filesize
173KB

MD5
77a8f1d7864f184169fed9b0e809e4c4

SHA1
4024b87e72a04237ae18df3a4ae7890ac28f8373

SHA256
457f830bd3f7368647032875422bf7c20189b591ce6a73689177805955aa012d

SHA512
4ed97831f45ad15319306b9e7abfaa1ac5f6530f12570624df9e5a31f8796776012d99ce55762963c224fd2c16c406389d348ec8e7967ff3f58d5d7aa745e478

Download Submit
\Windows\IME\svcwwba.exe

Filesize
527KB

MD5
e1abc1bf9a8e015f0576d7c90e6c213a

SHA1
299d9a43bc4376a497b5639baee6d788e434fb07

SHA256
9a54d8e805f7875401c7ac3eb594685fae323142784ee4acc597c83d80dd82cd

SHA512
bb080d3cf96fab1294bb8ff7e6e37d803acecee1247f071e398bd16549c8de6ae4f3153a23bb2d1f7106e154bd9c1e4150a4eb778f5f098ec5a432364ed349c0

Download Submit
\Windows\IME\svcwwba.exe

Filesize
22KB

MD5
c9ace50aeda95daa30753a47cdad0e09

SHA1
42228b125fbaaa0716cbc2f02e0886976f798f01

SHA256
38fcf1b9901de97ea575ae9341960e6a7fdf9ae5ba974db1d733ba850995f973

SHA512
dba879e78c5ae0188792c44b08882c859e0b76b0c434bcdc784f0988a092dda6525d6b1992eec55386fcf07bfd473dfccd81caf10a07b0de728bca980c7e01a4

Download Submit
memory/2108-58-0x0000000000400000-0x0000000001954000-memory.dmp

Filesize
21.3MB

Download
memory/2108-5-0x0000000000400000-0x0000000001954000-memory.dmp

Filesize
21.3MB

Download
memory/2272-62-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2272-117-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2272-119-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3008-70-0x0000000073F80000-0x0000000074099000-memory.dmp

Filesize
1.1MB

Download
memory/3008-120-0x0000000073F80000-0x0000000074099000-memory.dmp

Filesize
1.1MB

Download