c646d31222431f14557700abea27a36daccc5f2d097d963164b392b25939d2b4

Resubmissions

23/01/2024, 10:05

240123-l4tfssaah8 7

23/01/2024, 09:19

240123-laka2ahafl 5

23/01/2024, 09:10

240123-k5b3gahaam 7

23/01/2024, 09:01

240123-ky2pjshfc7 5

Analysis

max time kernel
300s
max time network
298s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23/01/2024, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MnWk2NzwYZzZNNi.exe
Size

818KB
MD5

c6560e26f17910f67064bfa362d1752b
SHA1

80d7cfaea3eef83ab4185c20a688f75649d78cc7
SHA256

c646d31222431f14557700abea27a36daccc5f2d097d963164b392b25939d2b4
SHA512

3baa602f7242b70501e5f28b3b524057affdf4305ded3b26ba378edc427cfac4d57a66050c43b0bcf1598123aa109e7f16d385ec0bdbb1bc672cd3d91e36ff86
SSDEEP

12288:5hTkm2iNPBJI38aXnoQ83GpAVokdQK4beNYstaGUhn8oD0mTbVArj/aVAPTdQhHK:5hwm1xu8aXnE+Ajdd46DaGUhb0my

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2848	dllhost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 3020	2316	MnWk2NzwYZzZNNi.exe	28
PID 3020 set thread context of 1352	3020	MnWk2NzwYZzZNNi.exe	7
PID 3020 set thread context of 2848	3020	MnWk2NzwYZzZNNi.exe	29
PID 2848 set thread context of 1352	2848	dllhost.exe	7

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3470981204-343661084-3367201002-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	dllhost.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2316	MnWk2NzwYZzZNNi.exe
2316	MnWk2NzwYZzZNNi.exe
3020	MnWk2NzwYZzZNNi.exe
3020	MnWk2NzwYZzZNNi.exe
3020	MnWk2NzwYZzZNNi.exe
3020	MnWk2NzwYZzZNNi.exe
3020	MnWk2NzwYZzZNNi.exe
3020	MnWk2NzwYZzZNNi.exe
3020	MnWk2NzwYZzZNNi.exe
3020	MnWk2NzwYZzZNNi.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1352	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3020	MnWk2NzwYZzZNNi.exe
1352	Explorer.EXE
1352	Explorer.EXE
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe
2848	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	MnWk2NzwYZzZNNi.exe
Token: SeShutdownPrivilege	1352	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1352	Explorer.EXE
1352	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1352	Explorer.EXE
1352	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 3020	2316	MnWk2NzwYZzZNNi.exe	28
PID 2316 wrote to memory of 3020	2316	MnWk2NzwYZzZNNi.exe	28
PID 2316 wrote to memory of 3020	2316	MnWk2NzwYZzZNNi.exe	28
PID 2316 wrote to memory of 3020	2316	MnWk2NzwYZzZNNi.exe	28
PID 2316 wrote to memory of 3020	2316	MnWk2NzwYZzZNNi.exe	28
PID 2316 wrote to memory of 3020	2316	MnWk2NzwYZzZNNi.exe	28
PID 2316 wrote to memory of 3020	2316	MnWk2NzwYZzZNNi.exe	28
PID 1352 wrote to memory of 2848	1352	Explorer.EXE	29
PID 1352 wrote to memory of 2848	1352	Explorer.EXE	29
PID 1352 wrote to memory of 2848	1352	Explorer.EXE	29
PID 1352 wrote to memory of 2848	1352	Explorer.EXE	29
PID 2848 wrote to memory of 2372	2848	dllhost.exe	33
PID 2848 wrote to memory of 2372	2848	dllhost.exe	33
PID 2848 wrote to memory of 2372	2848	dllhost.exe	33
PID 2848 wrote to memory of 2372	2848	dllhost.exe	33
PID 2848 wrote to memory of 2372	2848	dllhost.exe	33

C:\Users\Admin\AppData\Local\Temp\MnWk2NzwYZzZNNi.exe
"C:\Users\Admin\AppData\Local\Temp\MnWk2NzwYZzZNNi.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\MnWk2NzwYZzZNNi.exe
  "C:\Users\Admin\AppData\Local\Temp\MnWk2NzwYZzZNNi.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\SysWOW64\dllhost.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\grdh72fx.zip

Filesize
489KB

MD5
910ae9fbda13a82f9410303b653fe0c6

SHA1
3de02829408f5320b01e4209c79cf4a9d45cde86

SHA256
11ba415b7e3b91c4587dc73bec82caf92f62724d0e49782151e7764acca43cb5

SHA512
a7564409603dec6184920aed608024db319e8548b872a022eecd91501c12da2fde5fab5b6ce6772f1ba5724cce9151ce79214bed5cb3b13d39e5e9ea254e51b0

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
932KB

MD5
661fd92d4eaeea3740649af5a484d7c8

SHA1
c93f868890fee1475f8ec9e7607e26f5dce67d54

SHA256
58a478f0560ea22c1bc194263f07cf6f3ecfe47d0c8b534a7bba185f28a1141f

SHA512
1fac03c20139fde41d121e0adbd02d127261ce061509996087fc1c80baf2fe0d0f70fed6b83d38a85cfa2e07d038ff809161c7ecce31ec44ac8b89740d3db15d

Download Submit
memory/1352-31-0x00000000046B0000-0x0000000004789000-memory.dmp

Filesize
868KB

Download
memory/1352-32-0x00000000046B0000-0x0000000004789000-memory.dmp

Filesize
868KB

Download
memory/1352-21-0x0000000008E90000-0x000000000BFC0000-memory.dmp

Filesize
49.2MB

Download
memory/1352-29-0x0000000008E90000-0x000000000BFC0000-memory.dmp

Filesize
49.2MB

Download
memory/1352-20-0x0000000003B50000-0x0000000003C50000-memory.dmp

Filesize
1024KB

Download
memory/1352-81-0x00000000046B0000-0x0000000004789000-memory.dmp

Filesize
868KB

Download
memory/2316-6-0x0000000007630000-0x00000000076B0000-memory.dmp

Filesize
512KB

Download
memory/2316-1-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2316-2-0x00000000072B0000-0x00000000072F0000-memory.dmp

Filesize
256KB

Download
memory/2316-14-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2316-3-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/2316-5-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/2316-0-0x0000000000990000-0x0000000000A62000-memory.dmp

Filesize
840KB

Download
memory/2316-4-0x0000000000900000-0x0000000000908000-memory.dmp

Filesize
32KB

Download
memory/2848-27-0x0000000000070000-0x00000000000AC000-memory.dmp

Filesize
240KB

Download
memory/2848-28-0x0000000002330000-0x00000000023C9000-memory.dmp

Filesize
612KB

Download
memory/2848-80-0x0000000061E00000-0x0000000061ED3000-memory.dmp

Filesize
844KB

Download
memory/2848-22-0x0000000000070000-0x00000000000AC000-memory.dmp

Filesize
240KB

Download
memory/2848-23-0x0000000000070000-0x00000000000AC000-memory.dmp

Filesize
240KB

Download
memory/2848-78-0x0000000061E00000-0x0000000061ED3000-memory.dmp

Filesize
844KB

Download
memory/2848-30-0x0000000000070000-0x00000000000AC000-memory.dmp

Filesize
240KB

Download
memory/2848-26-0x0000000002020000-0x0000000002323000-memory.dmp

Filesize
3.0MB

Download
memory/3020-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-25-0x00000000001E0000-0x00000000001FA000-memory.dmp

Filesize
104KB

Download
memory/3020-15-0x0000000000A70000-0x0000000000D73000-memory.dmp

Filesize
3.0MB

Download
memory/3020-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-19-0x00000000001E0000-0x00000000001FA000-memory.dmp

Filesize
104KB

Download
memory/3020-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download