7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe
Size

701KB
MD5

837a0e0956d0ce9f8887360c6a3e172a
SHA1

09c853ec49d173f2fc7d2eee329666a84fb389c9
SHA256

7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248
SHA512

945fa409ed2a437182ede819f1c86402e60ce0ae1f79536ee3b03eee49973f4c4cd01e7f9a42ded600ed65bdb3c609901d8b3a70167e9b64aafb19f22824754a
SSDEEP

12288:CGHCnaomAEg3uPdkgRZhxi6SMyF7AlOPSN6TsLjjONDDkP+6M0nwb:CGHCm8uPdJvhwlLF7Al9esfeDDZ6XA

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1028	Untiy.exe
2752	Miko.exe
1240	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe
1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe
1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe
1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe
1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe
1240	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\systeamst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Untiy.exe"	Untiy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	Untiy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1028	Untiy.exe
1028	Untiy.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1028	1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe	28
PID 1712 wrote to memory of 1028	1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe	28
PID 1712 wrote to memory of 1028	1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe	28
PID 1712 wrote to memory of 1028	1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe	28
PID 1712 wrote to memory of 2752	1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe	29
PID 1712 wrote to memory of 2752	1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe	29
PID 1712 wrote to memory of 2752	1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe	29
PID 1712 wrote to memory of 2752	1712	7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe	29

C:\Users\Admin\AppData\Local\Temp\7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe
"C:\Users\Admin\AppData\Local\Temp\7101f3ab6b78d5a1f726cfb7bc0a1bd591322697369fd02bf5ca7b77fabd3248.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\Untiy.exe
  "C:\Users\Admin\AppData\Local\Temp\Untiy.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1028
- C:\Users\Admin\AppData\Local\Temp\Miko.exe
  "C:\Users\Admin\AppData\Local\Temp\Miko.exe"
  2⤵
  - Executes dropped EXE
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Miko.exe

Filesize
117KB

MD5
71f11cbfbf59b0327c907864afd3c070

SHA1
c378cb295363aefccab49f2f7e1a30bb03900f9e

SHA256
4144fe2343dfcdf03072cb29815a06d305b105e2a3356fbc0839410a4af8b5e0

SHA512
6e0c7b8e3ebc5b36836a7dda515ae897ffb6e6af70487630d813462b08386120002c99b55104384b91e009c31eb151276aa8f9f2f8a7ec3ddf5ccc0a4b074942

Download Submit
\Users\Admin\AppData\Local\Temp\Untiy.exe

Filesize
888KB

MD5
aaa144e47c26ea1ba2de6fcb5e8a3931

SHA1
d63cdf85ba59659b02ae9d83414eef29f38698a9

SHA256
d0e1233a8f2f3b992c4226397d79fcc5052f03668a272516b39fd93a954679ad

SHA512
31d6344f4b65620c6a6cc6ba2d1ef5e5b51461d90f0d65614ae60ba2c1cf1608add8456e21460f53d39bd47d4c0ecd4749669e195fb29b211a0c3b516b4ed6b4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads