115b82cee172aa8e3f830b03f9af5d905751e8df10bba2dc3e54b54bb57bcfb5

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c9d12576bf9af2cca6ca1f1f10dd31f.exe
Size

186KB
MD5

7c9d12576bf9af2cca6ca1f1f10dd31f
SHA1

097caf6e02458f15d108989763bde85a2070203c
SHA256

115b82cee172aa8e3f830b03f9af5d905751e8df10bba2dc3e54b54bb57bcfb5
SHA512

bc4916053804243463abc9fea6200181443c3dfb1c9458e1bde9723db175826807d733f79cbf32865bcf823b5e9bdf393e4f3e837fe7742bb8339951f4f7eb6a
SSDEEP

3072:YjbZjtO5rhRgXrktWBrS36xYCuN8XL/vkY9SDPcChewq0Fr8H9aT9:YjbZpO5ng7ktWlS3AYCFTMY9GPvAo

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

7c9d12576bf9af2cca6ca1f1f10dd31f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	7c9d12576bf9af2cca6ca1f1f10dd31f.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2724 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

sniunfi.exe

pid process

2332 sniunfi.exe
Loads dropped DLL 2 IoCs

Processes:

7c9d12576bf9af2cca6ca1f1f10dd31f.exe

pid process

2264 7c9d12576bf9af2cca6ca1f1f10dd31f.exe
2264 7c9d12576bf9af2cca6ca1f1f10dd31f.exe

pid	process
2724	cmd.exe

pid	process
2332	sniunfi.exe

pid	process
2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe
2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2264-0-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/2264-1-0x0000000000400000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/2264-2-0x0000000000400000-0x000000000047A000-memory.dmp	upx
\Users\Admin\sniunfi.exe	upx
behavioral1/memory/2332-19-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7c9d12576bf9af2cca6ca1f1f10dd31f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\\Users\\Admin\\sniunfi.exe \\u"	7c9d12576bf9af2cca6ca1f1f10dd31f.exe

Drops file in System32 directory 3 IoCs

Processes:

7c9d12576bf9af2cca6ca1f1f10dd31f.exesniunfi.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	7c9d12576bf9af2cca6ca1f1f10dd31f.exe
File created	C:\Windows\SysWOW64\secupdat.dat	7c9d12576bf9af2cca6ca1f1f10dd31f.exe
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	sniunfi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sniunfi.exe

description pid process target process

PID 2332 set thread context of 3028 2332 sniunfi.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2332 set thread context of 3028	2332	sniunfi.exe	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c9d12576bf9af2cca6ca1f1f10dd31f.exesniunfi.exe

description	pid	process	target process
PID 2264 wrote to memory of 2332	2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe	sniunfi.exe
PID 2264 wrote to memory of 2332	2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe	sniunfi.exe
PID 2264 wrote to memory of 2332	2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe	sniunfi.exe
PID 2264 wrote to memory of 2332	2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe	sniunfi.exe
PID 2264 wrote to memory of 2724	2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe	cmd.exe
PID 2264 wrote to memory of 2724	2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe	cmd.exe
PID 2264 wrote to memory of 2724	2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe	cmd.exe
PID 2264 wrote to memory of 2724	2264	7c9d12576bf9af2cca6ca1f1f10dd31f.exe	cmd.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe
PID 2332 wrote to memory of 3028	2332	sniunfi.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\7c9d12576bf9af2cca6ca1f1f10dd31f.exe
"C:\Users\Admin\AppData\Local\Temp\7c9d12576bf9af2cca6ca1f1f10dd31f.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\sniunfi.exe
\u
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1751.bat" "
2⤵
- Deletes itself
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1751.bat
Filesize
103B

MD5
07e335a6c3d27311192ea73acd27904c

SHA1
54f236d71561519d6da16b46b1d5d743d885596d

SHA256
a4e05b5cf2f133cb8bf3d321dcc14728542a9ccea9095e221d7ff3f9ca72be33

SHA512
44c308b0e342392c10ccbf2491f4d28678d1fe7522e6931f2177e0f5b98b202135a767f8ac978aab58eb2a30735ff6426b3cb7b4dcedb506f3ce4af7eb2ceee7

Download Submit
C:\Windows\SysWOW64\secupdat.dat
Filesize
70KB

MD5
ef3c813684ec76eb5f9bc146559702c5

SHA1
a680f6bfcfd878e55a1c073502bf56cfc14674b0

SHA256
41cf0bb0a81f9643c00119dfd427aec915a14546d840d4ef9a10580f4376bf0c

SHA512
97acea936a79a043aacbcd9ec9cc64aeb15126cbd292027a9b6255cf6e155c6f46f4acc61d546436382d231346734c0c6ab4c1460ebd0d3115d78a2c96a88d85

Download Submit
\Users\Admin\sniunfi.exe
Filesize
20KB

MD5
2db94b9a49b38f91511dd3690afad931

SHA1
eb0364593936af131fcf5ce02f1e15d08cea9bdf

SHA256
41b4b0ed265fc6d59c5b1df6ab54ee3d07f3deb65f935c9c54529d85d27c5f41

SHA512
acc5a75fe759a30b2d712f855c4c87d9793265e329fd9a36d33b7da15ce40cbb228c3d364d7456e7985a58019a05b0ddb0ff86fc416fd121d013a7ee4f87e26e

Download Submit
memory/2264-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2264-1-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2264-2-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2264-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2264-18-0x00000000002E0000-0x00000000002FD000-memory.dmp

Filesize
116KB

Download
memory/2264-9-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2264-20-0x00000000002E0000-0x00000000002FD000-memory.dmp

Filesize
116KB

Download
memory/2264-28-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2332-19-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2332-30-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2332-142-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3028-75-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-65-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-55-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-57-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-70-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-91-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-90-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-89-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-88-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-148-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/3028-87-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-86-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-85-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-84-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-83-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-82-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-81-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-80-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-79-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-78-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-77-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-76-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-48-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-74-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-73-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-72-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-71-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-69-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-68-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-67-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-66-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-56-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-64-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-63-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-62-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-61-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-60-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-59-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-58-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-54-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-53-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-52-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-51-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-50-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-49-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-47-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-46-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-45-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-44-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-43-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-42-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-41-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-40-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-39-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-38-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-37-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-36-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-35-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-34-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-33-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/3028-32-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download