dde4eeccb32bf5ea90e808589e5d8aa514f7196399bf59194c1764407d83c03b

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 19:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7ddc1752d1cbf16db0acc8fe41500e5b.exe
Size

118KB
MD5

7ddc1752d1cbf16db0acc8fe41500e5b
SHA1

f5be2688b29456905e763aacff4eee92289af72c
SHA256

dde4eeccb32bf5ea90e808589e5d8aa514f7196399bf59194c1764407d83c03b
SHA512

cda78db94eb8b8c50964e6251d0587f94fb69f0bd8f0dbf8e672113ab09d19dd22195b1dff66eb5130129f26313ed9a00dc6c5a17391a32416418afa199cc08f
SSDEEP

3072:ToaXHP6rRFdsSbR+ZeCDIcGtSr2KNtu4ubxvfaycMihxnv6oY:TtHP6rRFddbBcGYv4NRplmdC9

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wind0ws\Parameters\ServiceDll = "C:\\Program Files\\Windows Media Player\\msge.dll"	7ddc1752d1cbf16db0acc8fe41500e5b.exe

Deletes itself 1 IoCs

pid	Process
4484	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
4484	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player	7ddc1752d1cbf16db0acc8fe41500e5b.exe
File created	C:\Program Files\Windows Media Player\msge.dll	7ddc1752d1cbf16db0acc8fe41500e5b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ThankU.txt	7ddc1752d1cbf16db0acc8fe41500e5b.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
968	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3884	7ddc1752d1cbf16db0acc8fe41500e5b.exe
3884	7ddc1752d1cbf16db0acc8fe41500e5b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4484	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3884	7ddc1752d1cbf16db0acc8fe41500e5b.exe
Token: SeRestorePrivilege	3884	7ddc1752d1cbf16db0acc8fe41500e5b.exe
Token: SeDebugPrivilege	968	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 968	3884	7ddc1752d1cbf16db0acc8fe41500e5b.exe	86
PID 3884 wrote to memory of 968	3884	7ddc1752d1cbf16db0acc8fe41500e5b.exe	86
PID 3884 wrote to memory of 968	3884	7ddc1752d1cbf16db0acc8fe41500e5b.exe	86

C:\Users\Admin\AppData\Local\Temp\7ddc1752d1cbf16db0acc8fe41500e5b.exe
"C:\Users\Admin\AppData\Local\Temp\7ddc1752d1cbf16db0acc8fe41500e5b.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im KSafeTray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\program files\windows media player\msge.dll

Filesize
103KB

MD5
628a61f09e0be28b760549cd6032061e

SHA1
cd59fbb07dd473792e88326d4c87accf009dd359

SHA256
17e8859842298c02055bb9c4cc1954958ed6524071dfa82594b8d21d9765bab3

SHA512
010e707919375a12508e94a2592a84ccb3ff4523ca56448ec87775361fca9a4927a4a2e59d5fca2c487579dd6c7c042895e58403bf95c152599f57c57dfdb4f0

Download Submit
memory/3884-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3884-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4484-5-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download