d5685dfee1aa30e1df13e0592deadfb9312863c6063330ec67a1f2f2eda54bc7

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

657fabcb9803eda028948c584d99ac0f.exe
Size

108KB
MD5

657fabcb9803eda028948c584d99ac0f
SHA1

cf9fc9c7d5daca76dff4efaddb307f4e8a9dc6b2
SHA256

d5685dfee1aa30e1df13e0592deadfb9312863c6063330ec67a1f2f2eda54bc7
SHA512

80c3caa243936ace8e8ca975eaef93bbbc765988bf9e4ee2a76b57d17244cd7f9850295647d70528547a398475868dda06b805fc18992ee134727e38427a29bb
SSDEEP

1536:i7Sd58O1HWrblE0jsxMQRQuIZ+aMmt4JL3CUAGD6W5KkMh6vg2P5jyRzsWKOM:i79ltQRclJt4hyp2KJhUDZmwWKf

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
2364	avpsvr.exe
2604	avpcon.exe
2844	avpcon.exe
1816	avpcon.exe
780	avpcon.exe
2952	avpcon.exe
2976	avpcon.exe
2152	avpcon.exe
1512	avpcon.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000015c67-2.dat	upx
behavioral1/memory/2364-3-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2604-9-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0009000000015c46-6.dat	upx
behavioral1/memory/2364-10-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2604-12-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2844-16-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0009000000015c46-14.dat	upx
behavioral1/memory/2364-18-0x0000000000020000-0x0000000000033000-memory.dmp	upx
behavioral1/memory/2364-17-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1816-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2364-22-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/780-25-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2364-27-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2952-29-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2364-30-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2976-34-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2364-35-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2152-39-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2364-40-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1512-44-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	avpcon.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\avpcon.exe	657fabcb9803eda028948c584d99ac0f.exe
File created	C:\Windows\avpsvr.exe	657fabcb9803eda028948c584d99ac0f.exe
File opened for modification	C:\Windows\webs	avpcon.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	avpcon.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	avpcon.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	avpcon.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	avpcon.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	avpcon.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	avpcon.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	avpcon.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	avpcon.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.xrwz.com"	avpcon.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2364	avpsvr.exe
2604	avpcon.exe
2604	avpcon.exe
2604	avpcon.exe
2604	avpcon.exe
2364	avpsvr.exe
2844	avpcon.exe
2364	avpsvr.exe
1816	avpcon.exe
2364	avpsvr.exe
780	avpcon.exe
2364	avpsvr.exe
2952	avpcon.exe
2364	avpsvr.exe
2976	avpcon.exe
2364	avpsvr.exe
2152	avpcon.exe
2364	avpsvr.exe
1512	avpcon.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2604	2364	avpsvr.exe	29
PID 2364 wrote to memory of 2604	2364	avpsvr.exe	29
PID 2364 wrote to memory of 2604	2364	avpsvr.exe	29
PID 2364 wrote to memory of 2604	2364	avpsvr.exe	29
PID 2364 wrote to memory of 2844	2364	avpsvr.exe	32
PID 2364 wrote to memory of 2844	2364	avpsvr.exe	32
PID 2364 wrote to memory of 2844	2364	avpsvr.exe	32
PID 2364 wrote to memory of 2844	2364	avpsvr.exe	32
PID 2364 wrote to memory of 1816	2364	avpsvr.exe	35
PID 2364 wrote to memory of 1816	2364	avpsvr.exe	35
PID 2364 wrote to memory of 1816	2364	avpsvr.exe	35
PID 2364 wrote to memory of 1816	2364	avpsvr.exe	35
PID 2364 wrote to memory of 780	2364	avpsvr.exe	36
PID 2364 wrote to memory of 780	2364	avpsvr.exe	36
PID 2364 wrote to memory of 780	2364	avpsvr.exe	36
PID 2364 wrote to memory of 780	2364	avpsvr.exe	36
PID 2364 wrote to memory of 2952	2364	avpsvr.exe	37
PID 2364 wrote to memory of 2952	2364	avpsvr.exe	37
PID 2364 wrote to memory of 2952	2364	avpsvr.exe	37
PID 2364 wrote to memory of 2952	2364	avpsvr.exe	37
PID 2364 wrote to memory of 2976	2364	avpsvr.exe	38
PID 2364 wrote to memory of 2976	2364	avpsvr.exe	38
PID 2364 wrote to memory of 2976	2364	avpsvr.exe	38
PID 2364 wrote to memory of 2976	2364	avpsvr.exe	38
PID 2364 wrote to memory of 2152	2364	avpsvr.exe	39
PID 2364 wrote to memory of 2152	2364	avpsvr.exe	39
PID 2364 wrote to memory of 2152	2364	avpsvr.exe	39
PID 2364 wrote to memory of 2152	2364	avpsvr.exe	39
PID 2364 wrote to memory of 1512	2364	avpsvr.exe	40
PID 2364 wrote to memory of 1512	2364	avpsvr.exe	40
PID 2364 wrote to memory of 1512	2364	avpsvr.exe	40
PID 2364 wrote to memory of 1512	2364	avpsvr.exe	40

C:\Users\Admin\AppData\Local\Temp\657fabcb9803eda028948c584d99ac0f.exe
"C:\Users\Admin\AppData\Local\Temp\657fabcb9803eda028948c584d99ac0f.exe"
1⤵
- Drops file in Windows directory
PID:2932

C:\Windows\avpsvr.exe
C:\Windows\avpsvr.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\avpcon.exe
  C:\Windows\avpcon.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Windows\avpcon.exe
  C:\Windows\avpcon.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- C:\Windows\avpcon.exe
  C:\Windows\avpcon.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Windows\avpcon.exe
  C:\Windows\avpcon.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:780
- C:\Windows\avpcon.exe
  C:\Windows\avpcon.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\Windows\avpcon.exe
  C:\Windows\avpcon.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Windows\avpcon.exe
  C:\Windows\avpcon.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Windows\avpcon.exe
  C:\Windows\avpcon.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\avpcon.exe

Filesize
11KB

MD5
e7d9e0256ab7224dbce16f248f269542

SHA1
09f8f6ee641544606b3cb7e20b248b2a4c4c8c62

SHA256
17e4219d542089944618d8dcbaa761a4691e31d32e88f49e8bd9e77572962c9c

SHA512
9a09739f5e2b152840e60b432c6c4e18839e2e6d1ef6947ead104f25cc7c4a87ef007d51562ff8314157a39784893c141a37589b444f8988001f2b822ed88319

Download Submit
C:\Windows\avpcon.exe

Filesize
26KB

MD5
b8e7dc6bf6f11e67f443546b662d69f2

SHA1
47ff6f5266aaa8131569e4ff06046254a971d9da

SHA256
e4c249e2cccbc6be6324babacf026b21b56a0f262fafdf6c5d91656552ced477

SHA512
391fd4fb9e6cec538ce7110541cb9c553af23bc4f21637fff2022b927a5eed3440c08c5f195ae0b78a5aee9aab59c7931e065f8e81c67c92ebc7ee770791f1d9

Download Submit
C:\Windows\avpsvr.exe

Filesize
45KB

MD5
14eb92e040bba588cc160365e48e6313

SHA1
8acb97f3077bd90b30dd9812fceb52218823da71

SHA256
2ac6e7de5963e249726324d2fddf230082b551945ec78d047eaa0705980e764e

SHA512
34b16fb9e4bfd95c905885b6969334f17cc0f103ad7512ea9ed1ec1928369f209d1c656c6f87115ce372f23a9ba058091d81a486a139b87bf3705070885ee309

Download Submit
C:\Windows\webs

Filesize
26B

MD5
ed4383174bd7811aa9a3cb1a4734d91a

SHA1
2d94226f11d1b23d6e7c5cb45e3d1cbd78ca5bd7

SHA256
7b4dcedc38a01a4e7ca43e5bae624bc8e774f43fd6cf639b39077567fd0ee971

SHA512
d5e5a2c36547e3766083d0ed13d08846d943bfb9ee9d5bcd15fcae7f80144ef3e26548cb16e902e963f4c1e855ee516b0b2528013afd6a4d57071e70eda1ab12

Download Submit
memory/780-25-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1512-44-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1816-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2152-39-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2364-8-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2364-7-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2364-3-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-36-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2364-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-26-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2364-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-41-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2364-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-31-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2364-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-18-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2604-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2604-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2844-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2952-29-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2976-34-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download