af34b699b6aa750e58a68516b97b4f8c2f08bd03453a6059f6869847cc63a7bf

Resubmissions

23/02/2024, 15:14

240223-smc6tabh28 7

23/02/2024, 15:12

240223-slfkjscg6w 7

23/02/2024, 15:03

240223-sfh4gsbf66 7

Analysis

max time kernel
1415s
max time network
1445s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
23/02/2024, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Client.exe
Size

396KB
MD5

9b5f12b10b471e0a359bc11e50af28db
SHA1

5e42890b6b4a299cd954bf8dabaf75b38522c0b0
SHA256

af34b699b6aa750e58a68516b97b4f8c2f08bd03453a6059f6869847cc63a7bf
SHA512

1fbf71b9121cb141a617a2e14e466fead22da7cc7c672a8e5f79cab929e10a4f578edba06e8340d40d23f51852b33816a67351b6cecf5a5f72410c1bc0d5b773
SSDEEP

12288:+WSeotlIH682B+64kQHam2dNREz9FdOZMJwGuE4QyZom8exsrPR5TE7D0XuDTT:+WSmpL

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	New Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	New Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	New Client.exe

Executes dropped EXE 5 IoCs

pid	Process
3660	bf318ff678884634b8f536da0bda7fa1.exe
3944	f1f872d70b3447ba8a328d2c4408a0fc.exe
1832	6da48fedb0ef495daf2eba37117026fe.exe
2680	8ba991efd5c24a7f91b453286fe1865a.exe
920	186766f567e74baea5dd448ab892c178.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .."	New Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
308	TASKKILL.exe
784	TASKKILL.exe
4980	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings	New Client.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe
4776	New Client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4776	New Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4776	New Client.exe
Token: SeDebugPrivilege	784	TASKKILL.exe
Token: SeDebugPrivilege	308	TASKKILL.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe
Token: SeIncBasePriorityPrivilege	4776	New Client.exe
Token: 33	4776	New Client.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 308	4776	New Client.exe	72
PID 4776 wrote to memory of 308	4776	New Client.exe	72
PID 4776 wrote to memory of 308	4776	New Client.exe	72
PID 4776 wrote to memory of 784	4776	New Client.exe	73
PID 4776 wrote to memory of 784	4776	New Client.exe	73
PID 4776 wrote to memory of 784	4776	New Client.exe	73
PID 4776 wrote to memory of 4980	4776	New Client.exe	77
PID 4776 wrote to memory of 4980	4776	New Client.exe	77
PID 4776 wrote to memory of 4980	4776	New Client.exe	77
PID 4776 wrote to memory of 3660	4776	New Client.exe	80
PID 4776 wrote to memory of 3660	4776	New Client.exe	80
PID 4776 wrote to memory of 3660	4776	New Client.exe	80
PID 4776 wrote to memory of 3944	4776	New Client.exe	81
PID 4776 wrote to memory of 3944	4776	New Client.exe	81
PID 4776 wrote to memory of 3944	4776	New Client.exe	81
PID 4776 wrote to memory of 1832	4776	New Client.exe	82
PID 4776 wrote to memory of 1832	4776	New Client.exe	82
PID 4776 wrote to memory of 1832	4776	New Client.exe	82
PID 4776 wrote to memory of 2680	4776	New Client.exe	83
PID 4776 wrote to memory of 2680	4776	New Client.exe	83
PID 4776 wrote to memory of 2680	4776	New Client.exe	83
PID 4776 wrote to memory of 2872	4776	New Client.exe	84
PID 4776 wrote to memory of 2872	4776	New Client.exe	84
PID 4776 wrote to memory of 2872	4776	New Client.exe	84
PID 4776 wrote to memory of 920	4776	New Client.exe	85
PID 4776 wrote to memory of 920	4776	New Client.exe	85
PID 4776 wrote to memory of 920	4776	New Client.exe	85

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\bf318ff678884634b8f536da0bda7fa1.exe
  "C:\Users\Admin\AppData\Local\Temp\bf318ff678884634b8f536da0bda7fa1.exe"
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Users\Admin\AppData\Local\Temp\f1f872d70b3447ba8a328d2c4408a0fc.exe
  "C:\Users\Admin\AppData\Local\Temp\f1f872d70b3447ba8a328d2c4408a0fc.exe"
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Users\Admin\AppData\Local\Temp\6da48fedb0ef495daf2eba37117026fe.exe
  "C:\Users\Admin\AppData\Local\Temp\6da48fedb0ef495daf2eba37117026fe.exe"
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\8ba991efd5c24a7f91b453286fe1865a.exe
  "C:\Users\Admin\AppData\Local\Temp\8ba991efd5c24a7f91b453286fe1865a.exe"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fba33099763c4d48845aec752e195e9d.VBS"
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\186766f567e74baea5dd448ab892c178.exe
  "C:\Users\Admin\AppData\Local\Temp\186766f567e74baea5dd448ab892c178.exe"
  2⤵
  - Executes dropped EXE
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\186766f567e74baea5dd448ab892c178.exe

Filesize
37KB

MD5
248f48410f73ec0888d38d6881fbb28c

SHA1
32c05b3bbca73bb0b7f97bd1fc353c4f3f3fcbfd

SHA256
21f42f82ff05917431637de0d561ddd12efd0bef509490b77b9632d137d4093c

SHA512
67e2001b24c7cb765d53b373527b305001552e84e9749094863d2d18427bd666e3bd3c24c60a0761989a40c7c152ea41ea6adcdc74db990af996d8627696f6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf318ff678884634b8f536da0bda7fa1.exe

Filesize
43KB

MD5
b2eca909a91e1946457a0b36eaf90930

SHA1
3200c4e4d0d4ece2b2aadb6939be59b91954bcfa

SHA256
0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c

SHA512
607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fba33099763c4d48845aec752e195e9d.VBS

Filesize
80B

MD5
f1ecba99b94ce1c2a7b9feedb89f35ce

SHA1
7ef85c54500faacf0032b8a24086d102eedeba9f

SHA256
70a1f8f83d9a6a569ff5e18fd94709c820492342453f63efa509e998580054ee

SHA512
1fc85e6da961a89b34672e4736c8782b91922cf830181d4af0ca4324d356b483d750c8f39c3995fe0fc0dfb1afc6b2cf791e895fb21c71e35e4d3500033224fe

Download Submit
memory/920-75-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/1832-52-0x0000000070AB0000-0x000000007119E000-memory.dmp

Filesize
6.9MB

Download
memory/1832-68-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1832-67-0x0000000070AB0000-0x000000007119E000-memory.dmp

Filesize
6.9MB

Download
memory/1832-53-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2680-74-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/2680-69-0x0000000070AB0000-0x000000007119E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-60-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/2680-59-0x0000000070AB0000-0x000000007119E000-memory.dmp

Filesize
6.9MB

Download
memory/3660-19-0x0000000004C10000-0x0000000004CA2000-memory.dmp

Filesize
584KB

Download
memory/3660-36-0x000000000FC90000-0x000000000FD90000-memory.dmp

Filesize
1024KB

Download
memory/3660-21-0x0000000004D70000-0x0000000004D7A000-memory.dmp

Filesize
40KB

Download
memory/3660-22-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-23-0x0000000070AB0000-0x000000007119E000-memory.dmp

Filesize
6.9MB

Download
memory/3660-24-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-25-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-26-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-27-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-28-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-29-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-30-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-31-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-32-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-33-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-34-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-35-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-20-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3660-37-0x000000000FC90000-0x000000000FD90000-memory.dmp

Filesize
1024KB

Download
memory/3660-38-0x000000000FC90000-0x000000000FD90000-memory.dmp

Filesize
1024KB

Download
memory/3660-39-0x000000000FC90000-0x000000000FD90000-memory.dmp

Filesize
1024KB

Download
memory/3660-16-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/3660-17-0x0000000070AB0000-0x000000007119E000-memory.dmp

Filesize
6.9MB

Download
memory/3660-18-0x0000000005030000-0x000000000552E000-memory.dmp

Filesize
5.0MB

Download
memory/3944-46-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3944-45-0x0000000070AB0000-0x000000007119E000-memory.dmp

Filesize
6.9MB

Download
memory/3944-65-0x0000000070AB0000-0x000000007119E000-memory.dmp

Filesize
6.9MB

Download
memory/3944-66-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4776-0-0x0000000073920000-0x0000000073ED0000-memory.dmp

Filesize
5.7MB

Download
memory/4776-10-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/4776-9-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/4776-8-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/4776-7-0x0000000073920000-0x0000000073ED0000-memory.dmp

Filesize
5.7MB

Download
memory/4776-3-0x0000000073920000-0x0000000073ED0000-memory.dmp

Filesize
5.7MB

Download
memory/4776-2-0x0000000073920000-0x0000000073ED0000-memory.dmp

Filesize
5.7MB

Download
memory/4776-1-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download