7dff7528f412fc66a209d6d88bb9559b51e09f64c9b6944b7e98d6e0414f36c3

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d8e6d2749fb2f610abb2089cac32e7a.exe
Size

172KB
MD5

7d8e6d2749fb2f610abb2089cac32e7a
SHA1

b0ecb2695be0a6329756ec0caea4bd2df90f2f20
SHA256

7dff7528f412fc66a209d6d88bb9559b51e09f64c9b6944b7e98d6e0414f36c3
SHA512

e0fd59403e389c561cb91b9e6975fb88446f05d6978fd6b8ccae61d710310756542b65739bdc1c333c71d8200338b880f7d1f169a47e5fe0119aa6188d94b999
SSDEEP

3072:ku4PdaYs8HTk17MoZAuzZ6NqGy4lx6+m:ku4laYjkaoZAuzZ6wh4r6+m

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	msa.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2332-9-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2060-14723-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-26012-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2060-33294-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38534-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38537-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38538-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38539-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38541-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38542-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38543-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38544-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38545-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38546-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38547-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38548-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2332-38549-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Minisoft = "C:\\Windows\\msa.exe"	msa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	7d8e6d2749fb2f610abb2089cac32e7a.exe
File created	C:\Windows\msa.exe	7d8e6d2749fb2f610abb2089cac32e7a.exe
File opened for modification	C:\Windows\msa.exe	7d8e6d2749fb2f610abb2089cac32e7a.exe
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	7d8e6d2749fb2f610abb2089cac32e7a.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\International	msa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	7d8e6d2749fb2f610abb2089cac32e7a.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe
2332	msa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2060	7d8e6d2749fb2f610abb2089cac32e7a.exe
2332	msa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2332	2060	7d8e6d2749fb2f610abb2089cac32e7a.exe	28
PID 2060 wrote to memory of 2332	2060	7d8e6d2749fb2f610abb2089cac32e7a.exe	28
PID 2060 wrote to memory of 2332	2060	7d8e6d2749fb2f610abb2089cac32e7a.exe	28
PID 2060 wrote to memory of 2332	2060	7d8e6d2749fb2f610abb2089cac32e7a.exe	28

C:\Users\Admin\AppData\Local\Temp\7d8e6d2749fb2f610abb2089cac32e7a.exe
"C:\Users\Admin\AppData\Local\Temp\7d8e6d2749fb2f610abb2089cac32e7a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\msa.exe
  C:\Windows\msa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
344B

MD5
15884a43d66679cd10697a5bb1054975

SHA1
306df9f98b78fe221eab4e7f948c58fab66730bf

SHA256
5a4d8c68790eadb8cfca203cebb10f11e34ffe8ff102643f597a07cca3093996

SHA512
504ec9cbbc7f180e09a847b3ffbb0239a9f7ee0f7ff20ef99e24d19101d8475253db25b3b206f9091ae366d9d6c6290f2388f64a60bb271fde84b0596b4190cb

Download Submit
C:\Windows\msa.exe

Filesize
172KB

MD5
7d8e6d2749fb2f610abb2089cac32e7a

SHA1
b0ecb2695be0a6329756ec0caea4bd2df90f2f20

SHA256
7dff7528f412fc66a209d6d88bb9559b51e09f64c9b6944b7e98d6e0414f36c3

SHA512
e0fd59403e389c561cb91b9e6975fb88446f05d6978fd6b8ccae61d710310756542b65739bdc1c333c71d8200338b880f7d1f169a47e5fe0119aa6188d94b999

Download Submit
memory/2060-33294-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2060-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2060-14723-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38538-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38542-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38534-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38536-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2332-38537-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-9-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38539-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38540-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2332-38541-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-26012-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38543-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38544-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38545-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38546-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38547-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38548-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-38549-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download