Resubmissions

23/02/2024, 15:14 UTC

240223-smc6tabh28 7

23/02/2024, 15:12 UTC

240223-slfkjscg6w 7

23/02/2024, 15:03 UTC

240223-sfh4gsbf66 7

Analysis

  • max time kernel
    484s
  • max time network
    488s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    23/02/2024, 15:03 UTC

Errors

Reason
Machine shutdown. The analysis VM rebooted mid-run, which is consistent with the sample's child process "C:\Windows\System32\shutdown.exe" /r /t 00 (see Processes); anything the sample did after the reboot is not captured in this report.

General

  • Target

    New Client.exe

  • Size

    396KB

  • MD5

    9b5f12b10b471e0a359bc11e50af28db

  • SHA1

    5e42890b6b4a299cd954bf8dabaf75b38522c0b0

  • SHA256

    af34b699b6aa750e58a68516b97b4f8c2f08bd03453a6059f6869847cc63a7bf

  • SHA512

    1fbf71b9121cb141a617a2e14e466fead22da7cc7c672a8e5f79cab929e10a4f578edba06e8340d40d23f51852b33816a67351b6cecf5a5f72410c1bc0d5b773

  • SSDEEP

    12288:+WSeotlIH682B+64kQHam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTT:+WSmpL

Score
7/10

Malware Config

Signatures

  • Drops startup file (3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (3 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious behavior: EnumeratesProcesses (23 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Client.exe  (PID 5004)
    "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\TASKKILL.exe  (PID 2676)
      TASKKILL /F /IM wscript.exe
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\TASKKILL.exe  (PID 3396)
      TASKKILL /F /IM cmd.exe
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\taskkill.exe  (PID 1068)
      taskkill /f im explorer.exe
      [command line as recorded: the /im switch is missing its leading slash]
      • Kills process with taskkill
    • C:\Windows\SysWOW64\shutdown.exe  (PID 3032)
      "C:\Windows\System32\shutdown.exe" /r /t 00
  • C:\Windows\system32\LogonUI.exe  (PID 436)
    "LogonUI.exe" /flags:0x4 /state0:0xa3a1b055 /state1:0x41c64e6d
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
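
The process tree above is a compact behavioural chain: a binary running from the user's Temp directory force-kills wscript.exe, cmd.exe and explorer.exe and then reboots the host with a zero-second timeout. The script below is an added example (not part of this sandbox report) that turns that chain into a detection over constructed process-creation events; the PIDs and command lines of the first five events are copied from the tree, the remaining events are constructed benign noise, and the field names pid/ppid/image/cmdline are an assumption loosely modelled on Sysmon Event ID 1. Note that it deliberately tolerates the malformed `taskkill /f im explorer.exe` (no slash on /im), since the intent is the same whether or not taskkill accepted the arguments.

```python
"""Flag the taskkill-then-reboot chain seen in this report.

Added example (not part of the sandbox report). Replays constructed
process-creation events whose PIDs and command lines mirror the report's
process tree; the event field names (pid, ppid, image, cmdline) are an
assumption loosely modelled on Sysmon Event ID 1.
"""
import re
from collections import defaultdict

# Interactive shells / the desktop shell this sample force-killed.
KILL_TARGETS = {"wscript.exe", "cmd.exe", "explorer.exe"}
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Split a Windows command line on whitespace while keeping quoted paths whole.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed events. The first five mirror the report; the last two are
# constructed benign noise (an operator rebooting from cmd with a 5-minute delay).
EVENTS = [
    {"pid": 5004, "ppid": 1234, "image": r"C:\Users\Admin\AppData\Local\Temp\New Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\New Client.exe"'},
    {"pid": 2676, "ppid": 5004, "image": r"C:\Windows\SysWOW64\TASKKILL.exe",
     "cmdline": "TASKKILL /F /IM wscript.exe"},
    {"pid": 3396, "ppid": 5004, "image": r"C:\Windows\SysWOW64\TASKKILL.exe",
     "cmdline": "TASKKILL /F /IM cmd.exe"},
    {"pid": 1068, "ppid": 5004, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f im explorer.exe"},  # as recorded: '/im' is missing its slash
    {"pid": 3032, "ppid": 5004, "image": r"C:\Windows\SysWOW64\shutdown.exe",
     "cmdline": r'"C:\Windows\System32\shutdown.exe" /r /t 00'},
    {"pid": 6000, "ppid": 800, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown /r /t 300"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_of(cmdline):
    """Arguments after the program token, unquoted and lower-cased."""
    return [t.strip('"').lower() for t in TOKEN_RE.findall(cmdline)[1:]]


def taskkill_targets(cmdline):
    """(forced?, set of image names) for a taskkill command line.

    Image names are taken from any *.exe token, so the recorded
    'taskkill /f im explorer.exe' (no slash on /im) still yields explorer.exe.
    """
    args = args_of(cmdline)
    forced = "/f" in args or "-f" in args
    return forced, {a for a in args if a.endswith(".exe")}


def shutdown_reboot_timeout(cmdline):
    """Seconds until reboot if the command line requests one (/r), else None.

    shutdown.exe defaults to a 30 s timeout when /t is omitted.
    """
    args = args_of(cmdline)
    if "/r" not in args and "-r" not in args:
        return None
    timeout = 30
    for i, a in enumerate(args):
        if a in ("/t", "-t") and i + 1 < len(args) and args[i + 1].isdigit():
            timeout = int(args[i + 1])
    return timeout


def detect(events, max_timeout=5, min_score=2):
    """Score each parent on: runs from %TEMP%, force-kills >=2 shells, immediate reboot."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for ppid, kids in children.items():
        killed, forced_any, reboot_t = set(), False, None
        for k in kids:
            name = basename(k["image"])
            if name == "taskkill.exe":
                forced, targets = taskkill_targets(k["cmdline"])
                killed |= targets & KILL_TARGETS
                forced_any |= forced
            elif name == "shutdown.exe":
                t = shutdown_reboot_timeout(k["cmdline"])
                if t is not None:
                    reboot_t = t if reboot_t is None else min(reboot_t, t)
        parent = by_pid.get(ppid)
        from_temp = bool(parent and TEMP_RE.search(parent["image"]))
        score = int(from_temp) + int(len(killed) >= 2 and forced_any)
        score += int(reboot_t is not None and reboot_t <= max_timeout)
        if score >= min_score:
            findings.append({
                "ppid": ppid,
                "image": parent["image"] if parent else None,
                "killed": sorted(killed),
                "reboot_timeout": reboot_t,
                "from_temp": from_temp,
                "score": score,
            })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Run against the constructed events, only PID 5004 scores (3 of 3); the delayed operator reboot from cmd.exe scores 0 because it neither kills shells nor runs from Temp and its timeout is far above the threshold. In production the same three signals would come from the EDR's process-creation stream, and the scoring keeps a single taskkill or a lone reboot from paging anyone.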

    Network

    • DNS A  cut-britney.gl.at.ply.gg  (process: New Client.exe; resolver: 8.8.8.8:53 [US])
      Request:  cut-britney.gl.at.ply.gg IN A
      Response: cut-britney.gl.at.ply.gg IN A 147.185.221.16
    • DNS PTR  8.8.8.8.in-addr.arpa  (process: New Client.exe; resolver: 8.8.8.8:53 [US])
      Request:  8.8.8.8.in-addr.arpa IN PTR
      Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
    • DNS A  nexusrules.officeapps.live.com  (process: New Client.exe; resolver: 8.8.8.8:53 [US])
      Request:  nexusrules.officeapps.live.com IN A
      Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
                prod.nexusrules.live.com.akadns.net IN A 52.111.229.48
    • DNS A  self.events.data.microsoft.com  (process: New Client.exe; resolver: 8.8.8.8:53 [US])
      Request:  self.events.data.microsoft.com IN A
      Response: self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net
                self-events-data.trafficmanager.net IN CNAME onedscolprduks03.uksouth.cloudapp.azure.com
                onedscolprduks03.uksouth.cloudapp.azure.com IN A 51.105.71.137
    • DNS A  ctldl.windowsupdate.com  (process: New Client.exe; resolver: 8.8.8.8:53 [US])
      Request:  ctldl.windowsupdate.com IN A
      Response: ctldl.windowsupdate.com IN CNAME wu-bg-shim.trafficmanager.net
                wu-bg-shim.trafficmanager.net IN CNAME download.windowsupdate.com.edgesuite.net
                download.windowsupdate.com.edgesuite.net IN CNAME a767.dspw65.akamai.net
                a767.dspw65.akamai.net IN A 96.17.178.179, 96.17.178.175, 96.17.178.180,
                96.17.178.200, 96.17.178.205, 96.17.178.176, 96.17.178.208, 96.17.178.173,
                96.17.178.177
    • DNS A  ctldl.windowsupdate.com  (process: New Client.exe; resolver: 8.8.8.8:53 [US]; second lookup)
      Request:  ctldl.windowsupdate.com IN A
      Response: ctldl.windowsupdate.com IN CNAME wu-bg-shim.trafficmanager.net
                wu-bg-shim.trafficmanager.net IN CNAME download.windowsupdate.com.edgesuite.net
                download.windowsupdate.com.edgesuite.net IN CNAME a767.dspw65.akamai.net
                a767.dspw65.akamai.net IN A 96.17.178.179, 96.17.178.200, 96.17.178.202,
                96.17.178.198, 96.17.178.208, 96.17.178.185, 96.17.178.210, 96.17.178.173,
                96.17.178.209
    • DNS PTR  16.221.185.147.in-addr.arpa  (no process attributed; resolver: 8.8.8.8:53 [US])
      Request:  16.221.185.147.in-addr.arpa IN PTR
      Response: (empty)
    • DNS PTR  48.229.111.52.in-addr.arpa  (no process attributed; resolver: 8.8.8.8:53 [US])
      Request:  48.229.111.52.in-addr.arpa IN PTR
      Response: (empty)
    • DNS PTR  137.71.105.51.in-addr.arpa  (no process attributed; resolver: 8.8.8.8:53 [US])
      Request:  137.71.105.51.in-addr.arpa IN PTR
      Response: (empty)
    • DNS PTR  179.178.17.96.in-addr.arpa  (no process attributed; resolver: 8.8.8.8:53 [US])
      Request:  179.178.17.96.in-addr.arpa IN PTR
      Response: 179.178.17.96.in-addr.arpa IN PTR a96-17-178-179.deploy.static.akamaitechnologies.com
    • 147.185.221.16:38277  cut-britney.gl.at.ply.gg  (process: New Client.exe)
      Transfer: 7.7kB / 9.2kB; Packets: 117 / 189
    • 8.8.8.8:53  cut-britney.gl.at.ply.gg  dns  (process: New Client.exe)
      Transfer: 426 B / 1.2kB; Packets: 6 / 6
      DNS Request   cut-britney.gl.at.ply.gg
      DNS Response  147.185.221.16
      DNS Request   8.8.8.8.in-addr.arpa
      DNS Request   nexusrules.officeapps.live.com
      DNS Response  52.111.229.48
      DNS Request   self.events.data.microsoft.com
      DNS Response  51.105.71.137
      DNS Request   ctldl.windowsupdate.com
      DNS Response  96.17.178.179, 96.17.178.175, 96.17.178.180, 96.17.178.200, 96.17.178.205,
                    96.17.178.176, 96.17.178.208, 96.17.178.173, 96.17.178.177
      DNS Request   ctldl.windowsupdate.com
      DNS Response  96.17.178.179, 96.17.178.200, 96.17.178.202, 96.17.178.198, 96.17.178.208,
                    96.17.178.185, 96.17.178.210, 96.17.178.173, 96.17.178.209
    • 8.8.8.8:53  16.221.185.147.in-addr.arpa  dns  (no process attributed)
      Transfer: 289 B / 583 B; Packets: 4 / 4
      DNS Request   16.221.185.147.in-addr.arpa
      DNS Request   48.229.111.52.in-addr.arpa
      DNS Request   137.71.105.51.in-addr.arpa
      DNS Request   179.178.17.96.in-addr.arpa
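
The one connection in this section that matters is the sample resolving cut-britney.gl.at.ply.gg and then exchanging roughly 17kB with the returned address on port 38277; ply.gg is the tunnel domain of the playit.gg service, so the operator's real endpoint is hidden behind a rented tunnel, and the IP is a poor indicator on its own. The script below is an added example (not part of this sandbox report) that correlates DNS answers with follow-on flows so the alert fires on the tunnel domain rather than the ephemeral IP, and separately flags connections to addresses the host never resolved. It runs on constructed DNS and flow records modelled on the Network section; the record layouts, the tunnel suffixes other than ply.gg (it generalises the check to a few other common tunnel brokers), the "tcp" protocol of the 38277 flow and the benign/direct-IP noise rows are assumptions.

```python
"""Correlate DNS answers with follow-on connections to spot tunnel-brokered C2.

Added example (not part of the sandbox report). Record layouts, the tunnel
suffixes beyond ply.gg, the 'tcp' protocol of the 38277 flow and the noise
rows are assumptions; the domain, IPs, port and byte counts of the first two
flows come from the report.
"""
import ipaddress
from collections import defaultdict

# ply.gg is the tunnel domain of the playit.gg service (the one this sample used).
# The others are widely used tunnel brokers, added here to show the general check.
TUNNEL_SUFFIXES = {
    "ply.gg": "playit.gg tunnel",
    "ngrok.io": "ngrok tunnel",
    "trycloudflare.com": "Cloudflare quick tunnel",
    "serveo.net": "serveo tunnel",
}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
RESOLVER_PORTS = {53}

# Constructed DNS answers: (process, qname, [A records]).
DNS = [
    ("New Client.exe", "cut-britney.gl.at.ply.gg", ["147.185.221.16"]),
    ("New Client.exe", "nexusrules.officeapps.live.com", ["52.111.229.48"]),
    ("New Client.exe", "self.events.data.microsoft.com", ["51.105.71.137"]),
    ("New Client.exe", "ctldl.windowsupdate.com", ["96.17.178.179", "96.17.178.175"]),
]
# Constructed flows: (process, dst_ip, dst_port, proto, bytes_out, bytes_in).
FLOWS = [
    ("New Client.exe", "147.185.221.16", 38277, "tcp", 7700, 9200),  # proto assumed
    ("New Client.exe", "8.8.8.8", 53, "udp", 426, 1200),
    ("svchost.exe", "96.17.178.179", 80, "tcp", 900, 120000),        # constructed benign
    ("New Client.exe", "203.0.113.7", 4444, "tcp", 300, 300),        # constructed: TEST-NET-3, never resolved
]


def tunnel_service(qname):
    """Service label if qname is a known tunnel suffix or a subdomain of one, else None."""
    q = qname.lower().rstrip(".")
    for suffix, label in TUNNEL_SUFFIXES.items():
        if q == suffix or q.endswith("." + suffix):
            return label
    return None


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def correlate(dns_records, flows):
    """Findings for flows whose destination resolved from a tunnel domain (high)
    or was never resolved by any observed DNS answer (medium)."""
    resolved = defaultdict(set)  # ip -> {(process, qname)}
    for proc, qname, answers in dns_records:
        for ip in answers:
            resolved[ip].add((proc, qname))

    findings = []
    for proc, ip, port, proto, b_out, b_in in flows:
        if port in RESOLVER_PORTS or is_local(ip):
            continue  # resolver traffic and internal hosts are out of scope here
        dst = f"{ip}:{port}"
        names = resolved.get(ip, set())
        hits = [(p, q, tunnel_service(q)) for p, q in names if tunnel_service(q)]
        if hits:
            p, q, svc = hits[0]
            findings.append({
                "severity": "high", "process": proc, "dst": dst, "proto": proto,
                "domain": q, "service": svc,
                "resolved_by_same_process": p == proc,
                "nonstandard_port": port not in (80, 443),
                "bytes_out": b_out, "bytes_in": b_in,
            })
        elif not names:
            findings.append({
                "severity": "medium", "process": proc, "dst": dst, "proto": proto,
                "domain": None, "service": None,
                "note": "no DNS resolution observed for destination",
                "bytes_out": b_out, "bytes_in": b_in,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(DNS, FLOWS):
        print(f["severity"], f["process"], f["dst"], f.get("domain") or f.get("note"))
```

Matching on the suffix rather than the full name is what makes this durable: the subdomain label (cut-britney) and the tunnel IP change between samples and between sessions, while the broker's domain does not. The Windows Update and telemetry lookups in the same capture fall through without a finding because their resolved addresses are never reached on a tunnel domain, which is the false-positive check a practitioner should run before deploying any version of this rule.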

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/5004-0-0x0000000074740000-0x0000000074CF1000-memory.dmp  (Filesize 5.7MB)
    • memory/5004-1-0x0000000000B00000-0x0000000000B10000-memory.dmp  (Filesize 64KB)
    • memory/5004-2-0x0000000074740000-0x0000000074CF1000-memory.dmp  (Filesize 5.7MB)
    • memory/5004-6-0x0000000000B00000-0x0000000000B10000-memory.dmp  (Filesize 64KB)
    • memory/5004-7-0x0000000074740000-0x0000000074CF1000-memory.dmp  (Filesize 5.7MB)
    • memory/5004-8-0x0000000074740000-0x0000000074CF1000-memory.dmp  (Filesize 5.7MB)
    • memory/5004-9-0x0000000000B00000-0x0000000000B10000-memory.dmp  (Filesize 64KB)
    • memory/5004-10-0x0000000074740000-0x0000000074CF1000-memory.dmp  (Filesize 5.7MB)
