93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe
Size

616KB
MD5

6504ff4a8446fd346a8f64d667bacb72
SHA1

99a7baae89e6853128f65280effdcd71cdf3d60c
SHA256

93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007
SHA512

7fff1c63f0dc43ee15597836bc80a83633b8327e75f2a4c4349f0b163bb8f4ce05c3b831c3be498808928f9a02171374ff15447bee95cafab88c38f3fd4447bb
SSDEEP

12288:lFkxswcXKC2zNWfm2YRm5sm2YRm5hkxswcXKC2zNW:fZX9uWfm2Yysm2YyhZX9uW

Score

9^/10

persistence

Malware Config

Signatures

Detects executables packed with or use KoiVM 1 IoCs

resource	yara_rule
behavioral1/memory/2032-3-0x000000001B420000-0x000000001B4BE000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UZDPZ4JX8 = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	PresentationHost.exe
Key created	\Registry\User\S-1-5-21-2297530677-1229052932-2803917579-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	PresentationHost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 2592	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	33
PID 2592 set thread context of 1212	2592	iexplore.exe	21
PID 2592 set thread context of 2464	2592	iexplore.exe	35
PID 2464 set thread context of 1212	2464	PresentationHost.exe	21

Runs regedit.exe 1 IoCs

pid	Process
2564	regedit.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2592	iexplore.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe
2464	PresentationHost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2592	iexplore.exe
1212	Explorer.EXE
1212	Explorer.EXE
2464	PresentationHost.exe
2464	PresentationHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2552	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	28
PID 2032 wrote to memory of 2552	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	28
PID 2032 wrote to memory of 2552	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	28
PID 2032 wrote to memory of 2552	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	28
PID 2032 wrote to memory of 2552	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	28
PID 2032 wrote to memory of 3048	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	29
PID 2032 wrote to memory of 3048	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	29
PID 2032 wrote to memory of 3048	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	29
PID 2032 wrote to memory of 3048	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	29
PID 2032 wrote to memory of 3048	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	29
PID 2032 wrote to memory of 3048	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	29
PID 2032 wrote to memory of 1948	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	30
PID 2032 wrote to memory of 1948	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	30
PID 2032 wrote to memory of 1948	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	30
PID 2032 wrote to memory of 1948	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	30
PID 2032 wrote to memory of 2564	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	31
PID 2032 wrote to memory of 2564	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	31
PID 2032 wrote to memory of 2564	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	31
PID 2032 wrote to memory of 2564	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	31
PID 2032 wrote to memory of 2564	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	31
PID 2032 wrote to memory of 2676	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	32
PID 2032 wrote to memory of 2676	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	32
PID 2032 wrote to memory of 2676	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	32
PID 2032 wrote to memory of 2676	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	32
PID 2032 wrote to memory of 2676	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	32
PID 2032 wrote to memory of 2592	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	33
PID 2032 wrote to memory of 2592	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	33
PID 2032 wrote to memory of 2592	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	33
PID 2032 wrote to memory of 2592	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	33
PID 2032 wrote to memory of 2592	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	33
PID 2032 wrote to memory of 2592	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	33
PID 2032 wrote to memory of 2592	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	33
PID 2032 wrote to memory of 2084	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	34
PID 2032 wrote to memory of 2084	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	34
PID 2032 wrote to memory of 2084	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	34
PID 2032 wrote to memory of 2084	2032	93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe	34
PID 1212 wrote to memory of 2464	1212	Explorer.EXE	35
PID 1212 wrote to memory of 2464	1212	Explorer.EXE	35
PID 1212 wrote to memory of 2464	1212	Explorer.EXE	35
PID 1212 wrote to memory of 2464	1212	Explorer.EXE	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe
  "C:\Users\Admin\AppData\Local\Temp\93128bff4d0a8fb7be1fed9e531cfe390b744829cf79910d7fe4d62103986007.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
    3⤵
    PID:3048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    PID:1948
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe"
    3⤵
    - Runs regedit.exe
    PID:2564
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:2676
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2592
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2084
- C:\Windows\SysWOW64\PresentationHost.exe
  "C:\Windows\SysWOW64\PresentationHost.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-14-0x0000000003AC0000-0x0000000003BC0000-memory.dmp

Filesize
1024KB

Download
memory/1212-21-0x0000000008FF0000-0x000000000AD6F000-memory.dmp

Filesize
29.5MB

Download
memory/1212-15-0x0000000008FF0000-0x000000000AD6F000-memory.dmp

Filesize
29.5MB

Download
memory/2032-1-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-2-0x00000000003B0000-0x0000000000430000-memory.dmp

Filesize
512KB

Download
memory/2032-3-0x000000001B420000-0x000000001B4BE000-memory.dmp

Filesize
632KB

Download
memory/2032-0-0x0000000000F60000-0x0000000000FFE000-memory.dmp

Filesize
632KB

Download
memory/2032-13-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/2464-18-0x0000000002510000-0x0000000002813000-memory.dmp

Filesize
3.0MB

Download
memory/2464-16-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/2464-17-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/2464-19-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/2464-20-0x0000000002380000-0x0000000002423000-memory.dmp

Filesize
652KB

Download
memory/2464-22-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/2552-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2592-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download