95b45baa28467be3ca303f48f696990d3491aa9d24ee888d221d5170f7bf5a23

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Injector.exe
Size

461KB
MD5

74e9c2da84432615f4562f724c8b792a
SHA1

f10ba74f0a8bdb74335a94ee377979a6b6204c84
SHA256

95b45baa28467be3ca303f48f696990d3491aa9d24ee888d221d5170f7bf5a23
SHA512

12990370f2ae48b2a3e6ad624704b3feffb7c71e44f08037e84f8ce1e75b0faf8a46facd90c4aa5ee576c063dbbbe1e39e8ad36fcd783741dc2f84fa52c39d33
SSDEEP

12288:wu/osQMgL96w0SVvV6fcaubLH31O2lxvdJGtKcctrJnSvLhTt:wur9gkEPGcHHX1OSr/cYtns

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2468	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.exe	Injector.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	regedit.exe

Loads dropped DLL 1 IoCs

pid	Process
852	cmd.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000A70000-0x0000000000B6A000-memory.dmp	upx
behavioral1/memory/3028-3-0x0000000000A70000-0x0000000000B6A000-memory.dmp	upx
behavioral1/files/0x000c000000012683-5.dat	upx
behavioral1/memory/2848-7-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/852-36-0x0000000002050000-0x000000000214A000-memory.dmp	upx
behavioral1/memory/2848-37-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-38-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-39-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-40-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-41-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-42-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-43-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-44-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-45-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-46-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-47-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-48-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-49-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-50-0x0000000000150000-0x000000000024A000-memory.dmp	upx
behavioral1/memory/2848-51-0x0000000000150000-0x000000000024A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\regedit = "\"C:\\Users\\Admin\\AppData\\Roaming\\regedit.exe\""	Injector.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\regedit = "\"C:\\Users\\Admin\\AppData\\Roaming\\regedit.exe\""	Injector.exe

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3028-3-0x0000000000A70000-0x0000000000B6A000-memory.dmp	autoit_exe
behavioral1/memory/2848-37-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-38-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-39-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-40-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-41-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-42-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-43-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-44-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-45-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-46-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-47-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-48-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-49-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-50-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe
behavioral1/memory/2848-51-0x0000000000150000-0x000000000024A000-memory.dmp	autoit_exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2836	timeout.exe

Runs regedit.exe 1 IoCs

pid	Process
2848	regedit.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2908	powershell.exe
2632	powershell.exe
588	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2468	3028	Injector.exe	28
PID 3028 wrote to memory of 2468	3028	Injector.exe	28
PID 3028 wrote to memory of 2468	3028	Injector.exe	28
PID 3028 wrote to memory of 2468	3028	Injector.exe	28
PID 3028 wrote to memory of 852	3028	Injector.exe	30
PID 3028 wrote to memory of 852	3028	Injector.exe	30
PID 3028 wrote to memory of 852	3028	Injector.exe	30
PID 3028 wrote to memory of 852	3028	Injector.exe	30
PID 2468 wrote to memory of 2836	2468	cmd.exe	32
PID 2468 wrote to memory of 2836	2468	cmd.exe	32
PID 2468 wrote to memory of 2836	2468	cmd.exe	32
PID 2468 wrote to memory of 2836	2468	cmd.exe	32
PID 852 wrote to memory of 2848	852	cmd.exe	33
PID 852 wrote to memory of 2848	852	cmd.exe	33
PID 852 wrote to memory of 2848	852	cmd.exe	33
PID 852 wrote to memory of 2848	852	cmd.exe	33
PID 2848 wrote to memory of 2764	2848	regedit.exe	34
PID 2848 wrote to memory of 2764	2848	regedit.exe	34
PID 2848 wrote to memory of 2764	2848	regedit.exe	34
PID 2848 wrote to memory of 2764	2848	regedit.exe	34
PID 2764 wrote to memory of 2908	2764	cmd.exe	36
PID 2764 wrote to memory of 2908	2764	cmd.exe	36
PID 2764 wrote to memory of 2908	2764	cmd.exe	36
PID 2764 wrote to memory of 2908	2764	cmd.exe	36
PID 2764 wrote to memory of 2632	2764	cmd.exe	37
PID 2764 wrote to memory of 2632	2764	cmd.exe	37
PID 2764 wrote to memory of 2632	2764	cmd.exe	37
PID 2764 wrote to memory of 2632	2764	cmd.exe	37
PID 2764 wrote to memory of 588	2764	cmd.exe	38
PID 2764 wrote to memory of 588	2764	cmd.exe	38
PID 2764 wrote to memory of 588	2764	cmd.exe	38
PID 2764 wrote to memory of 588	2764	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Roaming\regedit.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Roaming\regedit.exe
    C:\Users\Admin\AppData\Roaming\regedit.exe
    3⤵
    - Executes dropped EXE
    - Runs regedit.exe
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\79C2.tmp.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionExtension "@AppDataDir\regedit.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath ΓÇ£C:\Users\AdminΓÇ¥
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\79C2.tmp.bat

Filesize
226B

MD5
fc2b98850fc0567fbe78cd14800b3f5e

SHA1
f8aa83d04ec8d7a64235d37e2be816ac9d78bc9b

SHA256
9d1a37cc58a2234ed3ded8b862979f95f2c2526283bc97c25fa92c2cc3e74762

SHA512
00d563ecb25d31a45403c4c2bc6f2803d13d494aa070644f6daa844b8600697cc34e79492136e5061518b34b10a3b998a99e0a3036e78b9d86d28e95ee4c69aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
44981d1a97aafc43d165fdf28e0f9c79

SHA1
25a688d53017937538db850208e863fa5f58d830

SHA256
cadabb4c5d74c6d71970e36fb6b5552725b443894b9a74ff2dc871ad7d6b41ca

SHA512
17d8af3a52006c4149ba6f76dff51effb882ebba4c0e0a1cca7a50aa726c6713e1eccd337c326624a2d762d591effda2e5ada6db58465f56f9df7283eec3a125

Download Submit
C:\Users\Admin\AppData\Roaming\regedit.exe

Filesize
461KB

MD5
74e9c2da84432615f4562f724c8b792a

SHA1
f10ba74f0a8bdb74335a94ee377979a6b6204c84

SHA256
95b45baa28467be3ca303f48f696990d3491aa9d24ee888d221d5170f7bf5a23

SHA512
12990370f2ae48b2a3e6ad624704b3feffb7c71e44f08037e84f8ce1e75b0faf8a46facd90c4aa5ee576c063dbbbe1e39e8ad36fcd783741dc2f84fa52c39d33

Download Submit
memory/588-33-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/588-34-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/588-32-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/588-35-0x0000000073A30000-0x0000000073FDB000-memory.dmp

Filesize
5.7MB

Download
memory/852-36-0x0000000002050000-0x000000000214A000-memory.dmp

Filesize
1000KB

Download
memory/2632-24-0x0000000073A40000-0x0000000073FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-25-0x0000000073A40000-0x0000000073FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-22-0x0000000073A40000-0x0000000073FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-23-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2848-43-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-40-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-51-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-50-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-49-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-48-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-7-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-47-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-37-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-38-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-39-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-46-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-41-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-42-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-45-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2848-44-0x0000000000150000-0x000000000024A000-memory.dmp

Filesize
1000KB

Download
memory/2908-16-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-12-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-13-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-15-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/2908-14-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/3028-0-0x0000000000A70000-0x0000000000B6A000-memory.dmp

Filesize
1000KB

Download
memory/3028-3-0x0000000000A70000-0x0000000000B6A000-memory.dmp

Filesize
1000KB

Download