dde4eeccb32bf5ea90e808589e5d8aa514f7196399bf59194c1764407d83c03b

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ddc1752d1cbf16db0acc8fe41500e5b.exe
Size

118KB
MD5

7ddc1752d1cbf16db0acc8fe41500e5b
SHA1

f5be2688b29456905e763aacff4eee92289af72c
SHA256

dde4eeccb32bf5ea90e808589e5d8aa514f7196399bf59194c1764407d83c03b
SHA512

cda78db94eb8b8c50964e6251d0587f94fb69f0bd8f0dbf8e672113ab09d19dd22195b1dff66eb5130129f26313ed9a00dc6c5a17391a32416418afa199cc08f
SSDEEP

3072:ToaXHP6rRFdsSbR+ZeCDIcGtSr2KNtu4ubxvfaycMihxnv6oY:TtHP6rRFddbBcGYv4NRplmdC9

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wind0ws\Parameters\ServiceDll = "C:\\Program Files\\Windows Media Player\\msge.dll"	7ddc1752d1cbf16db0acc8fe41500e5b.exe

Deletes itself 1 IoCs

pid	Process
2712	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2712	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player	7ddc1752d1cbf16db0acc8fe41500e5b.exe
File created	C:\Program Files\Windows Media Player\msge.dll	7ddc1752d1cbf16db0acc8fe41500e5b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ThankU.txt	7ddc1752d1cbf16db0acc8fe41500e5b.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2868	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2864	7ddc1752d1cbf16db0acc8fe41500e5b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2864	7ddc1752d1cbf16db0acc8fe41500e5b.exe
Token: SeRestorePrivilege	2864	7ddc1752d1cbf16db0acc8fe41500e5b.exe
Token: SeDebugPrivilege	2868	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2868	2864	7ddc1752d1cbf16db0acc8fe41500e5b.exe	28
PID 2864 wrote to memory of 2868	2864	7ddc1752d1cbf16db0acc8fe41500e5b.exe	28
PID 2864 wrote to memory of 2868	2864	7ddc1752d1cbf16db0acc8fe41500e5b.exe	28
PID 2864 wrote to memory of 2868	2864	7ddc1752d1cbf16db0acc8fe41500e5b.exe	28

C:\Users\Admin\AppData\Local\Temp\7ddc1752d1cbf16db0acc8fe41500e5b.exe
"C:\Users\Admin\AppData\Local\Temp\7ddc1752d1cbf16db0acc8fe41500e5b.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im KSafeTray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Windows Media Player\msge.dll

Filesize
103KB

MD5
59dd7458d580635f514e038418c83947

SHA1
3629523090433f97af81d58f5c76fe8d6e508527

SHA256
2d45058723e140c1c5c3e3aa8d1edb42c84e96cd4ffb96321bd0894e15a462c3

SHA512
809840840f8b26abd9e49c07a0dcf0be6b4239a69af36027ab57f784e25e644dbd590c40e9d4b046f018709677971ecd37a97236266da48967a9598c59738c51

Download Submit
memory/2712-5-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/2864-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2864-2-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download