9781753c2f66b85a2428cd9294f29475eee42311763fe19e4b311be8d554d7ce

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a25096794212571a06c46e21c4631956.exe
Size

492KB
MD5

a25096794212571a06c46e21c4631956
SHA1

78b50603347805af0507f3d455a6025e075f22ae
SHA256

9781753c2f66b85a2428cd9294f29475eee42311763fe19e4b311be8d554d7ce
SHA512

827b4a0a375fe14edf30306e6464866e1dae9ce3c0f7280d6efc2ae597c9857043224af20cc360a62565d7dacb249603551b4e7a5dddaa3a392246a9d30e3371
SSDEEP

12288:xhFzvJf/d5cCdvBjK/9YmJmg0BXpMFI0RZGUX2wxWBEP1oS:Z9dSCLW/9Jb0XE9kb4WBE

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2812	mK10400ObNpA10400.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	mK10400ObNpA10400.exe

Loads dropped DLL 1 IoCs

pid	Process
2880	a25096794212571a06c46e21c4631956.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2880-0-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2880-8-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/files/0x0036000000013a3a-12.dat	upx
behavioral1/memory/2812-16-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2880-17-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2812-18-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2812-27-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral1/memory/2812-36-0x0000000000400000-0x00000000004CA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mK10400ObNpA10400 = "C:\\ProgramData\\mK10400ObNpA10400\\mK10400ObNpA10400.exe"	mK10400ObNpA10400.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	mK10400ObNpA10400.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	a25096794212571a06c46e21c4631956.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	a25096794212571a06c46e21c4631956.exe
Token: SeDebugPrivilege	2812	mK10400ObNpA10400.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	mK10400ObNpA10400.exe
2812	mK10400ObNpA10400.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2812	2880	a25096794212571a06c46e21c4631956.exe	28
PID 2880 wrote to memory of 2812	2880	a25096794212571a06c46e21c4631956.exe	28
PID 2880 wrote to memory of 2812	2880	a25096794212571a06c46e21c4631956.exe	28
PID 2880 wrote to memory of 2812	2880	a25096794212571a06c46e21c4631956.exe	28

C:\Users\Admin\AppData\Local\Temp\a25096794212571a06c46e21c4631956.exe
"C:\Users\Admin\AppData\Local\Temp\a25096794212571a06c46e21c4631956.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\ProgramData\mK10400ObNpA10400\mK10400ObNpA10400.exe
  "C:\ProgramData\mK10400ObNpA10400\mK10400ObNpA10400.exe" "C:\Users\Admin\AppData\Local\Temp\a25096794212571a06c46e21c4631956.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mK10400ObNpA10400\mK10400ObNpA10400

Filesize
192B

MD5
2e3aadba0b3cff2f0d62624db1dfab00

SHA1
e428b70bb972e8c6b1e769ff25a4c5532ec48448

SHA256
d1d6473a481e3d052295c8bd5dad782e31c1234ed390641d1fd9c6b4a2c9981d

SHA512
6bd294cc5a81f88c0d49148f5a8b63739f9100f9fe52c37dba591784f0d4936802d6e0240c601ad8e4d3db7c13b1dcf719bcd44a00e25846e5530b023580fc1c

Download Submit
\ProgramData\mK10400ObNpA10400\mK10400ObNpA10400.exe

Filesize
492KB

MD5
963518bdeaca948feeeaae89468c24c3

SHA1
e5251732674e444f4d30ba8a9870f72ce3a9b09c

SHA256
0024fabc9898e2c2d3706e4afc1597cba339cf76a5ee486772e8b112d9b0802f

SHA512
f3c33f1d783959d9c4d7e9a92aa03f7cafb4ba4e238156692c5f95f7421090598c88e77ca2669f8671c8f84237d53a50f61fdde38ec950a6170d43759c2669c5

Download Submit
memory/2812-16-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2812-18-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2812-27-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2812-36-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2880-0-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2880-1-0x0000000000330000-0x00000000003D5000-memory.dmp

Filesize
660KB

Download
memory/2880-2-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2880-8-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2880-17-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download