Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2024, 05:50
Static task: static1
Behavioral task: behavioral1
- Sample: 69a54a68512b406bb10f4ee129efb0a0.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 69a54a68512b406bb10f4ee129efb0a0.exe
- Resource: win10v2004-20231215-en
General
- Target: 69a54a68512b406bb10f4ee129efb0a0.exe
- Size: 1.0MB
- MD5: 69a54a68512b406bb10f4ee129efb0a0
- SHA1: e9b60b8eae1d28b90f4b8c60e862d8a979640533
- SHA256: 80b29c7ba8d66770d736268a9c1c145cb9e947bbba564953a63818f4b75057df
- SHA512: 0d6a836ba5613aff5f08c5776b345b036e4f95b3db6dbeb03e84e3366d807ad7762d5a4c2919ca14b0d80e061b42bbfc90c055c3b4815f7fa042a80f866beb1b
- SSDEEP: 24576:KlgFu58LljQYSa+Ze0Q7Jw1NCY+masfXfNMsgVIt:igFu5c7gZCVmVfXlMs2It
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  - PID 2652: ƳƕƏƄȜ.exe
  - PID 2656: vbc.exe
  - PID 2764: OWNBall07.5.exe
- Loads dropped DLL (4 IoCs)
  - PID 2860: 69a54a68512b406bb10f4ee129efb0a0.exe (4 entries)
- Resources matching yara rule upx
  - behavioral1/files/0x000d0000000133ba-45.dat
  - behavioral1/files/0x000d0000000133ba-48.dat
  - behavioral1/files/0x000d0000000133ba-53.dat
  - behavioral1/memory/2764-N-0x0000000000400000-0x00000000004C1000-memory.dmp for N in 52, 60, 62, 64, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89 (16 dumps of the same region of PID 2764)
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) by ƳƕƏƄȜ.exe: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"
- AutoIT Executable (16 IoCs)
  AutoIT scripts compiled to PE executables.
  - behavioral1/memory/2764-N-0x0000000000400000-0x00000000004C1000-memory.dmp matched yara rule autoit_exe for N in 52, 60, 62, 64, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89 (16 dumps of the same region of PID 2764)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2860 (69a54a68512b406bb10f4ee129efb0a0.exe) set thread context of PID 2656 (procid_target 32)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 2764: OWNBall07.5.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  - PID 2860 (69a54a68512b406bb10f4ee129efb0a0.exe): SeDebugPrivilege
  - PID 2656 (vbc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of FindShellTrayWindow (64 IoCs)
  - PID 2764: OWNBall07.5.exe (all 64 entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  - PID 2764: OWNBall07.5.exe (all 64 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 2656: vbc.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  - PID 2860 (69a54a68512b406bb10f4ee129efb0a0.exe) wrote to memory of PID 2972 (procid_target 29): 4 entries
  - PID 2972 (csc.exe) wrote to memory of PID 2948 (procid_target 30): 4 entries
  - PID 2860 (69a54a68512b406bb10f4ee129efb0a0.exe) wrote to memory of PID 2652 (procid_target 33): 4 entries
  - PID 2860 (69a54a68512b406bb10f4ee129efb0a0.exe) wrote to memory of PID 2656 (procid_target 32): 13 entries
  - PID 2860 (69a54a68512b406bb10f4ee129efb0a0.exe) wrote to memory of PID 2764 (procid_target 31): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe (PID 2860)
  command line: "C:\Users\Admin\AppData\Local\Temp\69a54a68512b406bb10f4ee129efb0a0.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 2972)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cmvrcinv.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2948)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES668.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC667.tmp"
  - C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe (PID 2764)
    command line: "C:\Users\Admin\AppData\Local\Temp\OWNBall07.5.exe"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (PID 2656)
    command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe (PID 2652)
    command line: "C:\Users\Admin\AppData\Local\Temp\ƳƕƏƄȜ.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads