4ea0ec9908d50e2059896a4542dbdfd8698fb83b5621e7924764cfd8f7e1b6d5

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 07:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a32bdbec4d4f42cd70bbb9b032cdcbab.exe
Size

459KB
MD5

a32bdbec4d4f42cd70bbb9b032cdcbab
SHA1

d8827db91d608efd94944bac3aaab4c74e38f853
SHA256

4ea0ec9908d50e2059896a4542dbdfd8698fb83b5621e7924764cfd8f7e1b6d5
SHA512

deba215dba0ea967d36f1efa3a262f19e77ca818885b476e4902531e9bc2e0cb33dae7adfe731c461f6c8710090cde4b1cec06b1e8f516a932ed7dfe4cf5bf6a
SSDEEP

12288:A9zDXcU93lvjM0Plc4yyfJIq1pgbqMCodiUmuX:A9zDXc6l7M09c4/xKZdZ

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2420	fNf01803cEkFn01803.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	fNf01803cEkFn01803.exe

Loads dropped DLL 2 IoCs

pid	Process
1908	a32bdbec4d4f42cd70bbb9b032cdcbab.exe
1908	a32bdbec4d4f42cd70bbb9b032cdcbab.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-40-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/1908-38-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/1908-1-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2420-71-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2420-77-0x0000000000400000-0x00000000004DA000-memory.dmp	upx
behavioral1/memory/2420-91-0x0000000000400000-0x00000000004DA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fNf01803cEkFn01803 = "C:\\ProgramData\\fNf01803cEkFn01803\\fNf01803cEkFn01803.exe"	fNf01803cEkFn01803.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	fNf01803cEkFn01803.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	a32bdbec4d4f42cd70bbb9b032cdcbab.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	a32bdbec4d4f42cd70bbb9b032cdcbab.exe
Token: SeDebugPrivilege	2420	fNf01803cEkFn01803.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2420	fNf01803cEkFn01803.exe
2420	fNf01803cEkFn01803.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2420	1908	a32bdbec4d4f42cd70bbb9b032cdcbab.exe	1
PID 1908 wrote to memory of 2420	1908	a32bdbec4d4f42cd70bbb9b032cdcbab.exe	1
PID 1908 wrote to memory of 2420	1908	a32bdbec4d4f42cd70bbb9b032cdcbab.exe	1
PID 1908 wrote to memory of 2420	1908	a32bdbec4d4f42cd70bbb9b032cdcbab.exe	1

C:\ProgramData\fNf01803cEkFn01803\fNf01803cEkFn01803.exe
"C:\ProgramData\fNf01803cEkFn01803\fNf01803cEkFn01803.exe" "C:\Users\Admin\AppData\Local\Temp\a32bdbec4d4f42cd70bbb9b032cdcbab.exe"
1⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Users\Admin\AppData\Local\Temp\a32bdbec4d4f42cd70bbb9b032cdcbab.exe
"C:\Users\Admin\AppData\Local\Temp\a32bdbec4d4f42cd70bbb9b032cdcbab.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fNf01803cEkFn01803\fNf01803cEkFn01803.exe

Filesize
459KB

MD5
a32bdbec4d4f42cd70bbb9b032cdcbab

SHA1
d8827db91d608efd94944bac3aaab4c74e38f853

SHA256
4ea0ec9908d50e2059896a4542dbdfd8698fb83b5621e7924764cfd8f7e1b6d5

SHA512
deba215dba0ea967d36f1efa3a262f19e77ca818885b476e4902531e9bc2e0cb33dae7adfe731c461f6c8710090cde4b1cec06b1e8f516a932ed7dfe4cf5bf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\20240225 0705 259432486.log

Filesize
1011B

MD5
f60e2551714f2a767f38f908541b83c8

SHA1
5e0b7f95c6da4badc88fbe342cde88090361c29c

SHA256
f0eed1007039b3c7c3b59acea270d748b03da68fbf6d534d9d3b449b0e07497b

SHA512
4eaba7e3919cc223627a44a251df4e4c412ec91a9aa33ffae8704c96cd6ba0014a479165ff5cee06280527263b8b23412c040dce4a392336e33a5da2dad0dba8

Download Submit
memory/1908-38-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1908-2-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/1908-1-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2420-41-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2420-40-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2420-71-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2420-73-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2420-77-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2420-91-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download