Resubmissions

23/02/2024, 15:14 UTC

240223-smc6tabh28 7

23/02/2024, 15:12 UTC

240223-slfkjscg6w 7

23/02/2024, 15:03 UTC

240223-sfh4gsbf66 7

Analysis

  • max time kernel
    478s
  • max time network
    479s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    23/02/2024, 15:03 UTC

Errors

Reason
Machine shutdown (consistent with the "shutdown.exe /r /t 00" the sample launched; see Processes below)

General

  • Target

    New Client.exe

  • Size

    396KB

  • MD5

    9b5f12b10b471e0a359bc11e50af28db

  • SHA1

    5e42890b6b4a299cd954bf8dabaf75b38522c0b0

  • SHA256

    af34b699b6aa750e58a68516b97b4f8c2f08bd03453a6059f6869847cc63a7bf

  • SHA512

    1fbf71b9121cb141a617a2e14e466fead22da7cc7c672a8e5f79cab929e10a4f578edba06e8340d40d23f51852b33816a67351b6cecf5a5f72410c1bc0d5b773

  • SSDEEP

    12288:+WSeotlIH682B+64kQHam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTT:+WSmpL

Score
7/10

Malware Config

Signatures

  • Drops startup file (3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (3 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Client.exe
    "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:204
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:308
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im explorer.exe
      2⤵
      • Kills process with taskkill
      PID:1784
    • C:\Windows\SysWOW64\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /r /t 00
      2⤵
        PID:4504
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3aed055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:504
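The process tree above is the behaviour a detection engineer would want to key on: a user-land executable that force-kills the script hosts and the shell, then reboots the machine with no delay. The following is an added example, not part of the sandbox report or the sample, that runs that logic over constructed process-creation records shaped like Sysmon Event ID 1 fields. PIDs and command lines mirror the tree; the ParentProcessId values and the benign "noise" record are assumptions, since the report shows only tree depth.

```python
"""
Detector for the taskkill + immediate-reboot chain seen in the process tree.
Added example; records are constructed, not exported from the sandbox.
"""
import ntpath
from collections import defaultdict

# Constructed sample records (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"ProcessId": 4568, "ParentProcessId": 1234,          # parent PID assumed
     "Image": r"C:\Users\Admin\AppData\Local\Temp\New Client.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\New Client.exe"'},
    {"ProcessId": 204, "ParentProcessId": 4568,
     "Image": r"C:\Windows\SysWOW64\TASKKILL.exe",
     "CommandLine": "TASKKILL /F /IM wscript.exe"},
    {"ProcessId": 308, "ParentProcessId": 4568,
     "Image": r"C:\Windows\SysWOW64\TASKKILL.exe",
     "CommandLine": "TASKKILL /F /IM cmd.exe"},
    # Recorded malformed in the report ("im" without the slash). taskkill
    # itself rejects this, but the intent is still worth matching.
    {"ProcessId": 1784, "ParentProcessId": 4568,
     "Image": r"C:\Windows\SysWOW64\taskkill.exe",
     "CommandLine": "taskkill /f im explorer.exe"},
    {"ProcessId": 4504, "ParentProcessId": 4568,
     "Image": r"C:\Windows\SysWOW64\shutdown.exe",
     "CommandLine": r'"C:\Windows\System32\shutdown.exe" /r /t 00'},
    # Constructed benign noise: an admin killing notepad from a cmd prompt.
    {"ProcessId": 901, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM notepad.exe"},
]


def classify(event):
    """Return a finding tag for one child process, or None if uninteresting."""
    image = ntpath.basename(event["Image"]).lower()
    tokens = event["CommandLine"].lower().split()
    if image == "taskkill.exe":
        # Match on the target image rather than the exact switch spelling so
        # the malformed "/f im explorer.exe" form is caught as well.
        targets = [t for t in tokens[1:] if t.endswith(".exe")]
        if targets and "/f" in tokens:
            return "taskkill-forced:" + targets[-1]
        if targets:
            return "taskkill:" + targets[-1]
    if image == "shutdown.exe" and "/r" in tokens:
        timeout = None
        if "/t" in tokens:
            idx = tokens.index("/t")
            if idx + 1 < len(tokens) and tokens[idx + 1].isdigit():
                timeout = int(tokens[idx + 1])      # "00" parses as 0
        return "reboot-immediate" if timeout == 0 else "reboot"
    return None


def findings_by_parent(events):
    """Group finding tags under the PID that spawned each child."""
    out = defaultdict(list)
    for e in events:
        tag = classify(e)
        if tag:
            out[e["ParentProcessId"]].append(tag)
    return {pid: sorted(tags) for pid, tags in out.items()}


def suspicious_parents(events):
    """Parents that both kill the user's shell and force an immediate reboot."""
    hits = {}
    for pid, tags in findings_by_parent(events).items():
        killed = {t.split(":", 1)[1] for t in tags if t.startswith("taskkill")}
        if "explorer.exe" in killed and "reboot-immediate" in tags:
            hits[pid] = tags
    return hits


if __name__ == "__main__":
    for pid, tags in suspicious_parents(SAMPLE_EVENTS).items():
        print(pid, tags)
```

The threshold deliberately requires both halves of the chain (shell killed and zero-timeout reboot from the same parent): either on its own is common in administrative scripting, together they are what this sample does just before the sandbox reports "Machine shutdown".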

    Network

    • DNS (US)
      cut-britney.gl.at.ply.gg
      New Client.exe
      Remote address:
      8.8.8.8:53
      Request
      cut-britney.gl.at.ply.gg
      IN A
      Response
      cut-britney.gl.at.ply.gg
      IN A
      147.185.221.16
    • DNS (US)
      0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
      IN PTR
      Response
    • DNS (US)
      16.221.185.147.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      16.221.185.147.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      10.179.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.179.89.13.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      198.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.178.17.96.in-addr.arpa
      IN PTR
      Response
      198.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-198.deploy.static.akamaitechnologies.com
    • 147.185.221.16:38277
      cut-britney.gl.at.ply.gg
      New Client.exe
      12.9kB
      9.1kB
      109
      188
    • 8.8.8.8:53
      cut-britney.gl.at.ply.gg
      dns
      New Client.exe
      70 B
      86 B
      1
      1

      DNS Request

      cut-britney.gl.at.ply.gg

      DNS Response

      147.185.221.16

    • 8.8.8.8:53
      0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
      dns
      118 B
      182 B
      1
      1

      DNS Request

      0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

    • 8.8.8.8:53
      16.221.185.147.in-addr.arpa
      dns
      73 B
      130 B
      1
      1

      DNS Request

      16.221.185.147.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      10.179.89.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      10.179.89.13.in-addr.arpa

    • 8.8.8.8:53
      198.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      198.178.17.96.in-addr.arpa
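Most of the Network section is reverse (PTR) lookups written in in-addr.arpa and ip6.arpa form, which hides which of them concern the one address the sample actually talked to. The following added example, not part of the report, decodes those names back to addresses with only the standard library and labels each request against the recorded C2 connection. The DNS names and the 147.185.221.16:38277 connection are copied from the report; the decoded addresses are computed, and the "playit.gg" label rests on the publicly known fact that *.ply.gg hostnames are playit.gg tunnel endpoints.

```python
"""
Decode the PTR names from the sandbox's Network section and triage them
against the sample's C2 connection. Added example; DNS entries are copied
from the report above, everything else is computed.
"""
import ipaddress

# (query name, type, answer) as listed in the report; None = no answer shown.
DNS_REQUESTS = [
    ("cut-britney.gl.at.ply.gg", "A", "147.185.221.16"),
    ("0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa",
     "PTR", None),
    ("16.221.185.147.in-addr.arpa", "PTR", None),
    ("13.227.111.52.in-addr.arpa", "PTR", None),
    ("10.179.89.13.in-addr.arpa", "PTR", None),
    ("198.178.17.96.in-addr.arpa", "PTR",
     "a96-17-178-198.deploy.static.akamaitechnologies.com"),
]

# The only non-DNS connection in the report: address, port, hostname.
C2 = ("147.185.221.16", 38277, "cut-britney.gl.at.ply.gg")


def ptr_to_ip(name):
    """Invert an in-addr.arpa / ip6.arpa name to its address string."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            raise ValueError("in-addr.arpa name must carry 4 octets: %r" % name)
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError("ip6.arpa name must carry 32 nibbles: %r" % name)
        # Nibbles are listed least-significant first; reverse and parse as hex.
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError("not a reverse-DNS name: %r" % name)


def tunnel_provider(hostname):
    """Name the tunnelling service a hostname belongs to, if any."""
    if hostname.lower().endswith(".ply.gg"):
        return "playit.gg"
    return None


def triage(requests, c2):
    """Map each query name to (decoded/answered address, label)."""
    c2_ip, _port, c2_host = c2
    out = {}
    for name, qtype, answer in requests:
        if qtype == "PTR":
            ip = ptr_to_ip(name)
            label = "c2-reverse-lookup" if ip == c2_ip else "reverse-lookup"
        else:
            ip = answer
            label = "c2-resolution" if answer == c2_ip or name == c2_host else "resolution"
        if ip is not None and isinstance(ipaddress.ip_address(ip), ipaddress.IPv6Address):
            # Sanity check the decode: re-encoding must give the queried name.
            assert ipaddress.ip_address(ip).reverse_pointer == name
        out[name] = (ip, label)
    return out


if __name__ == "__main__":
    print("C2 host %s via %s" % (C2[2], tunnel_provider(C2[2])))
    for name, (ip, label) in triage(DNS_REQUESTS, C2).items():
        print("%-22s %-18s %s" % (label, ip, name))
```

Two things fall out of the decode. The ip6.arpa query resolves to 808:808::, which is the four bytes of 8.8.8.8 packed into the top of an IPv6 address: a reverse lookup of the resolver itself, not something the sample connected to. And 16.221.185.147.in-addr.arpa is the only PTR that maps back to the C2 address; because the hostname is a *.ply.gg tunnel endpoint, the 147.185.221.16 relay is what the sandbox saw, not the operator's own host, so blocking on the hostname pattern is more durable than blocking the IP.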

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/4568-0-0x00000000736E0000-0x0000000073C90000-memory.dmp

      Filesize

      5.7MB

    • memory/4568-1-0x00000000009A0000-0x00000000009B0000-memory.dmp

      Filesize

      64KB

    • memory/4568-2-0x00000000736E0000-0x0000000073C90000-memory.dmp

      Filesize

      5.7MB

    • memory/4568-6-0x00000000736E0000-0x0000000073C90000-memory.dmp

      Filesize

      5.7MB

    • memory/4568-7-0x00000000009A0000-0x00000000009B0000-memory.dmp

      Filesize

      64KB

    • memory/4568-8-0x00000000736E0000-0x0000000073C90000-memory.dmp

      Filesize

      5.7MB

    • memory/4568-9-0x00000000009A0000-0x00000000009B0000-memory.dmp

      Filesize

      64KB

    • memory/4568-10-0x00000000009A0000-0x00000000009B0000-memory.dmp

      Filesize

      64KB

    • memory/4568-11-0x00000000736E0000-0x0000000073C90000-memory.dmp

      Filesize

      5.7MB
