Analysis

  • max time kernel
    117s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    02/02/2024, 22:07

General

  • Target

    ip.exe

  • Size

    220KB

  • MD5

    21811bf69882f5e2f215ad265f5abdae

  • SHA1

    57242717e9dc894fda2375d070d59034f6c1e66c

  • SHA256

    d89e6719b0d7a63d1c7a33ffab748a12f857f9686f1d6e24595e23bd512e6425

  • SHA512

    7c7c116d68689fd48f3a60f6d6de0173c9cb235757cc215ea0f2076f50f5c5a8e93e1001b5676a952ad37a3df82dcb10c7a29394ac6429062babfecee21f17c5

  • SSDEEP

    3072:zzwpCq0R1KID7qVLKSV0outMN5JTZQu4epojdkYv55RCezn/T81B+ySRdL:zzwpCLR1KMqLKSmoSyLTbP85RCezbwm

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ip.exe
    "C:\Users\Admin\AppData\Local\Temp\ip.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Windows\system32\MSINET.OCX"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:2812
    • C:\Users\Admin\AppData\Local\Temp\Update.exe
      C:\Users\Admin\AppData\Local\Temp\Update.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\Common Files\System\flash10.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:2776

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Common Files\System\flash10.dll

          Filesize

          111KB

          MD5

          0cfeace58c8dcd1f25563eb06abde248

          SHA1

          2ce3b78c1f7aa56f04f4d0703f6a92a413f6c852

          SHA256

          405bc36e331f6a828a527ce71d3f195e472e551e109a1a9c258426fe03f719d9

          SHA512

          9d1188dced20be101f1a480f40904575d8704c55b73d898232b4f761fadf0b6542a3c98976467a2de279587013b1b6bd6fe6820f806a2b2e3d7cea293f377e06

        • C:\Windows\SysWOW64\MSINET.OCX

          Filesize

          129KB

          MD5

          90a39346e9b67f132ef133725c487ff6

          SHA1

          9cd22933f628465c863bed7895d99395acaa5d2a

          SHA256

          e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

          SHA512

          0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

        • \Users\Admin\AppData\Local\Temp\Update.exe

          Filesize

          49KB

          MD5

          2242ed5625415d45e82a0c52504ce648

          SHA1

          236da61ec0c1a9beba1441024aa07d84e6672f23

          SHA256

          c2df0e1046b8b8757e662abfad36f5554482a530cae7fda6695217a9b87b0bf2

          SHA512

          4cafa5c70a4d50d1f0f0b0380baae17663cf9a84ff921035759ca5f17e6832d6676149162568392b7c2d5500e7c303a45537d4c878ae5334f8b627eb686ec789

        • memory/2848-15-0x0000000000230000-0x0000000000258000-memory.dmp

          Filesize

          160KB

        • memory/2848-21-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/2848-23-0x0000000000230000-0x000000000023D000-memory.dmp

          Filesize

          52KB

        • memory/2856-8-0x00000000003C0000-0x00000000003E8000-memory.dmp

          Filesize

          160KB