583023b007db4e7d64b4c52fa0049794698941198977b3f7eeb6b67ef00d9c86

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 14:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c60f759ab51cd29679d9a5269ea5047c.exe
Size

444KB
MD5

c60f759ab51cd29679d9a5269ea5047c
SHA1

df0d339c51c281e362fbc947fa8e134f46c47cb4
SHA256

583023b007db4e7d64b4c52fa0049794698941198977b3f7eeb6b67ef00d9c86
SHA512

a623a76fb60bd7eb289329c0fbd09c876e09f6a70fd5624c7c745ba81274b0e21ee14691ff6da6479bad2e270515c4659f11d8dcc00c571e7f9ad07096aed49d
SSDEEP

12288:b9RTv7UCh6Ww+LroDN4XHfcaOD9cI/04tDv2e4:b991cp+LW4XaB

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2584	pO42900DlKmN42900.exe

Executes dropped EXE 1 IoCs

pid	Process
2584	pO42900DlKmN42900.exe

Loads dropped DLL 2 IoCs

pid	Process
2344	c60f759ab51cd29679d9a5269ea5047c.exe
2344	c60f759ab51cd29679d9a5269ea5047c.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-1-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2344-17-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2584-30-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2584-40-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pO42900DlKmN42900 = "C:\\ProgramData\\pO42900DlKmN42900\\pO42900DlKmN42900.exe"	pO42900DlKmN42900.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Main	pO42900DlKmN42900.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	c60f759ab51cd29679d9a5269ea5047c.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	c60f759ab51cd29679d9a5269ea5047c.exe
Token: SeDebugPrivilege	2584	pO42900DlKmN42900.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2584	pO42900DlKmN42900.exe
2584	pO42900DlKmN42900.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2584	2344	c60f759ab51cd29679d9a5269ea5047c.exe	28
PID 2344 wrote to memory of 2584	2344	c60f759ab51cd29679d9a5269ea5047c.exe	28
PID 2344 wrote to memory of 2584	2344	c60f759ab51cd29679d9a5269ea5047c.exe	28
PID 2344 wrote to memory of 2584	2344	c60f759ab51cd29679d9a5269ea5047c.exe	28

C:\Users\Admin\AppData\Local\Temp\c60f759ab51cd29679d9a5269ea5047c.exe
"C:\Users\Admin\AppData\Local\Temp\c60f759ab51cd29679d9a5269ea5047c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\ProgramData\pO42900DlKmN42900\pO42900DlKmN42900.exe
  "C:\ProgramData\pO42900DlKmN42900\pO42900DlKmN42900.exe" "C:\Users\Admin\AppData\Local\Temp\c60f759ab51cd29679d9a5269ea5047c.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pO42900DlKmN42900\pO42900DlKmN42900

Filesize
192B

MD5
10747e6e3565aa163ce690cbcbf841e2

SHA1
483eef63b300c6cc89d7cb1382a337c0444449d0

SHA256
3bfdd8fabbd5423f600d0bc738212390ad3a519d9f6151bd9dee46387a3c8c0e

SHA512
45251bf88330633722755501e3380416680b316534ecf5853dcbeda4c286e905e0fa99dfdb2b4f9d01c14bea414c5d153c17596dbc1e78c4aad31e85612266a5

Download Submit
C:\ProgramData\pO42900DlKmN42900\pO42900DlKmN42900.exe

Filesize
444KB

MD5
43a8c08c0c8da851172d328137a2d99e

SHA1
fbb1e5b19365bb777a8fec76377ddc5b512771aa

SHA256
94e56dcc9b783165251fffe40268bf877e47f4e234974bbd9752ed247707078e

SHA512
317b010cf611b97e5e1f0ea103a8e1209aaf86cbe22c3f064dfb41cb643433f01890dd76c1041be06ea4584018602e77de1a3cd30285e39592132cfb14ce80ba

Download Submit
memory/2344-2-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2344-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2344-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2584-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2584-21-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2584-30-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2584-32-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2584-40-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download