77f63e36ee53302de9b3b79e175a4855d9dddcdd2bc3c14cb1b32b8490a7cde7

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76b8c6d41fce3075cb58aa6deb891dbb.exe
Size

196KB
MD5

76b8c6d41fce3075cb58aa6deb891dbb
SHA1

d13c2d28844d97178c8457a5c13c367e402772e5
SHA256

77f63e36ee53302de9b3b79e175a4855d9dddcdd2bc3c14cb1b32b8490a7cde7
SHA512

1f91997f5cd9d6be81f3e6950233fb7ed8acd55a655e2702745b97a3ed9b510d0890fa5b8a626343a220511841f6c5adf384ebc8936f68134c8e405d299c2a5e
SSDEEP

3072:GVmHcLY0bOV7/S9AJJjWm/73gAZdujVvPdwiWoQmAPSL0RFR0Yu7J:g1bOVLdJh//73TEhPdXAPSGn0B

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2388	Mcupaa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SMH2B46TDP = "C:\\Windows\\Mcupaa.exe"	Mcupaa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	76b8c6d41fce3075cb58aa6deb891dbb.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	76b8c6d41fce3075cb58aa6deb891dbb.exe
File created	C:\Windows\Mcupaa.exe	76b8c6d41fce3075cb58aa6deb891dbb.exe
File opened for modification	C:\Windows\Mcupaa.exe	76b8c6d41fce3075cb58aa6deb891dbb.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	Mcupaa.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\International	Mcupaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe
2388	Mcupaa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2496	76b8c6d41fce3075cb58aa6deb891dbb.exe
2388	Mcupaa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2388	2496	76b8c6d41fce3075cb58aa6deb891dbb.exe	28
PID 2496 wrote to memory of 2388	2496	76b8c6d41fce3075cb58aa6deb891dbb.exe	28
PID 2496 wrote to memory of 2388	2496	76b8c6d41fce3075cb58aa6deb891dbb.exe	28
PID 2496 wrote to memory of 2388	2496	76b8c6d41fce3075cb58aa6deb891dbb.exe	28

C:\Users\Admin\AppData\Local\Temp\76b8c6d41fce3075cb58aa6deb891dbb.exe
"C:\Users\Admin\AppData\Local\Temp\76b8c6d41fce3075cb58aa6deb891dbb.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\Mcupaa.exe
  C:\Windows\Mcupaa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Mcupaa.exe

Filesize
196KB

MD5
76b8c6d41fce3075cb58aa6deb891dbb

SHA1
d13c2d28844d97178c8457a5c13c367e402772e5

SHA256
77f63e36ee53302de9b3b79e175a4855d9dddcdd2bc3c14cb1b32b8490a7cde7

SHA512
1f91997f5cd9d6be81f3e6950233fb7ed8acd55a655e2702745b97a3ed9b510d0890fa5b8a626343a220511841f6c5adf384ebc8936f68134c8e405d299c2a5e

Download Submit
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
344B

MD5
e1f5ab7b0bf9c87fcfa5dde0198961ef

SHA1
e41f0c2d731ebcdc1b1995f42490c0841fdb1377

SHA256
d3340655c6cddac321822e1ef3d3ab987239536ffdeef1ddd10cd3054ea26fe6

SHA512
939d39f7f1a0d22bb8578acf9e2e9f5b109147c0d802371c34564439946d718e35f687beadd176b01438acbd563327889e6df849f8610745fa498a740679bd9c

Download Submit
memory/2388-45495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45488-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45499-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45498-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45487-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45491-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45492-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45493-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45494-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-45497-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2496-45486-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2496-0-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2496-35994-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2496-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download