f3849fa30337a0e9640d84d9745b24c8dd074add3d72f339eadb4ddfd653e7f4

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 19:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc41739db0491748f496c0f9ed9e546c.exe
Size

168KB
MD5

cc41739db0491748f496c0f9ed9e546c
SHA1

6918fe02149037c4e35e8ce9b73a3f293c7061cb
SHA256

f3849fa30337a0e9640d84d9745b24c8dd074add3d72f339eadb4ddfd653e7f4
SHA512

e791797ed58bd2fb99cb8508dc3d513c291f793c10383b2d4e4c6f8ca69a66ed5c36fddf7e4515e61f2fc2a4cf2eab4e523c9db8ce4c7fb7c1995c2bf1b5f4be
SSDEEP

3072:hcc9iKtTlgB4ursHp84bAMr4EaZD+HwUqv755B90GSHkO:JTlgB4GsC4bL4Ea9+HDqTzB4

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\yfprxk.sys	00000000.exe

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows_update\Parameters\ServiceDll = "%SystemRoot%\\System32\\yfprxk.dll"	00000000.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\Windows_update\Parameters\ServiceDll = "%SystemRoot%\\System32\\yfprxk.dll"	00000000.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Windows_update\Parameters\ServiceDll = "%SystemRoot%\\System32\\yfprxk.dll"	00000000.exe

Executes dropped EXE 5 IoCs

pid	Process
2324	heido1.exe
2012	Windows_xp.exe
2960	½Æ»s-P~1.EXE
2692	Windows_help.exe
2744	00000000.exe

Loads dropped DLL 7 IoCs

pid	Process
2012	Windows_xp.exe
2012	Windows_xp.exe
2960	½Æ»s-P~1.EXE
2692	Windows_help.exe
2692	Windows_help.exe
2744	00000000.exe
1868	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Windows_xp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Windows_help.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yfprxk.dll	00000000.exe
File created	C:\Windows\SysWOW64\000371c5.ini	00000000.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\heido1.exe	cc41739db0491748f496c0f9ed9e546c.exe
File opened for modification	\??\c:\windows\Windows_xp.exe	heido1.exe
File opened for modification	\??\c:\windows\Windows_help.exe	½Æ»s-P~1.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2380	cc41739db0491748f496c0f9ed9e546c.exe
2324	heido1.exe
2960	½Æ»s-P~1.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2324	2380	cc41739db0491748f496c0f9ed9e546c.exe	28
PID 2380 wrote to memory of 2324	2380	cc41739db0491748f496c0f9ed9e546c.exe	28
PID 2380 wrote to memory of 2324	2380	cc41739db0491748f496c0f9ed9e546c.exe	28
PID 2380 wrote to memory of 2324	2380	cc41739db0491748f496c0f9ed9e546c.exe	28
PID 2324 wrote to memory of 2012	2324	heido1.exe	29
PID 2324 wrote to memory of 2012	2324	heido1.exe	29
PID 2324 wrote to memory of 2012	2324	heido1.exe	29
PID 2324 wrote to memory of 2012	2324	heido1.exe	29
PID 2324 wrote to memory of 2012	2324	heido1.exe	29
PID 2324 wrote to memory of 2012	2324	heido1.exe	29
PID 2324 wrote to memory of 2012	2324	heido1.exe	29
PID 2012 wrote to memory of 2960	2012	Windows_xp.exe	30
PID 2012 wrote to memory of 2960	2012	Windows_xp.exe	30
PID 2012 wrote to memory of 2960	2012	Windows_xp.exe	30
PID 2012 wrote to memory of 2960	2012	Windows_xp.exe	30
PID 2012 wrote to memory of 2960	2012	Windows_xp.exe	30
PID 2012 wrote to memory of 2960	2012	Windows_xp.exe	30
PID 2012 wrote to memory of 2960	2012	Windows_xp.exe	30
PID 2960 wrote to memory of 2692	2960	½Æ»s-P~1.EXE	31
PID 2960 wrote to memory of 2692	2960	½Æ»s-P~1.EXE	31
PID 2960 wrote to memory of 2692	2960	½Æ»s-P~1.EXE	31
PID 2960 wrote to memory of 2692	2960	½Æ»s-P~1.EXE	31
PID 2960 wrote to memory of 2692	2960	½Æ»s-P~1.EXE	31
PID 2960 wrote to memory of 2692	2960	½Æ»s-P~1.EXE	31
PID 2960 wrote to memory of 2692	2960	½Æ»s-P~1.EXE	31
PID 2692 wrote to memory of 2744	2692	Windows_help.exe	32
PID 2692 wrote to memory of 2744	2692	Windows_help.exe	32
PID 2692 wrote to memory of 2744	2692	Windows_help.exe	32
PID 2692 wrote to memory of 2744	2692	Windows_help.exe	32

C:\Users\Admin\AppData\Local\Temp\cc41739db0491748f496c0f9ed9e546c.exe
"C:\Users\Admin\AppData\Local\Temp\cc41739db0491748f496c0f9ed9e546c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- \??\c:\windows\heido1.exe
  c:\windows\heido1.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - \??\c:\windows\Windows_xp.exe
    c:\windows\Windows_xp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\½Æ»s-P~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\½Æ»s-P~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2960
    - - \??\c:\windows\Windows_help.exe
        
        c:\windows\Windows_help.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\00000000.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\00000000.exe
        6⤵
        Drops file in Drivers directory
        Sets DLL path for service in the registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k Windows_update
1⤵
- Loads dropped DLL
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Windows_help.exe

Filesize
82KB

MD5
4340b6885020e8c0d3f9fde7a7f3ee21

SHA1
f779744a9bef0a3f5aeeff244d117f7958ff9247

SHA256
4de922f25b3ea09d2acd6fc387d3b8834ef97612500d95e3fffa160f2ea9a65a

SHA512
ba2b88031310320ce67668ed9e1bc64fbf67e0ef95aa5573f14fd7f513668324a97d7a55ac83ad2e365f575698240d8823efa36d8b6bc7c68d9242d4ac122ae9

Download Submit
C:\Windows\Windows_xp.exe

Filesize
127KB

MD5
fd64a80db494e823add189edf18b0706

SHA1
c0868af4bab5d31133c2133542278af69cb213f4

SHA256
1571a459fbbb2b8027790725f217a2e4de19d46cbf53a1987aa6e3ad0616f0d1

SHA512
2d6fa9d6a9146823afee48c5f4582f0616371d7ef12959b2dc107e1f516cbe124e8f510e83fa03c29649b1e15e832dbf9a838078b0491d3a54b44256dc9a5b74

Download Submit
C:\Windows\heido1.exe

Filesize
148KB

MD5
e78d99edb60228c98092bff4691d9193

SHA1
0ae44d681620c18957c6d61cbc484720a1f9ba3b

SHA256
6a78136b689cccfbdc091905c3b4a22b2573deb88d240e4215c8ca6efe4bd72b

SHA512
b594ccafb17a6f6a76b31136b08c191afcb656989d756bcf61edb52a38f34a6298cd55e86c148e1a00e250fe66b83fac6c766e7a7b3359e2c3011fc29d1beab1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\½Æ»s-P~1.EXE

Filesize
92KB

MD5
49087fee887ab3f31162e8fbc470ad93

SHA1
587bcd0e864037249fdfb3ea68aab303ad219094

SHA256
bad7d448eae75a38c4910ce14564f7c862aaf249e38dadb7c7247093d16922aa

SHA512
7a2b6c7dfdea6fed0f2b6983f1bff89d6a74d2938eba9c662a16cea0ac2b803f5849925cbad8e09a79843bc4669a853ab7b28d7615f109551c4c1b83e7471a69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\00000000.exe

Filesize
53KB

MD5
97972c04286908450b8ceeb7b319f7e1

SHA1
a2c36c7d21c7ea87c8ebc0227b6747ef240998cf

SHA256
7ed3ae06ba641df6221ebbe38721c8a05436fbb998e3fdbcfbec509d9f310b98

SHA512
287a3dd7a599dbb9ac6bff757deb6ed087156c134a1a19339397a23da6f5858b41fd31434e059898a63ca5cce301b8588ebb47cd9f828945f0ac139aae029d1f

Download Submit
\Windows\SysWOW64\yfprxk.dll

Filesize
69KB

MD5
860469c3736498642a0fa4f0f19ca28b

SHA1
42d1f90a65f590b81f28d08e1821678912642d38

SHA256
85c11fe5034d49557292e257a07f9156758fe4c80679370cd013179957a03ef8

SHA512
a46d366d56a9fc94da30866e8a40e71d3a4eb5e74e11c0a152c67255b0c85d8258a8b11e4d1f76d7e59dbc95e9e32f5cfd95d9d78ae613fb016177b2e74bf7a0

Download Submit
memory/2012-41-0x0000000001000000-0x0000000001049000-memory.dmp

Filesize
292KB

Download
memory/2692-55-0x0000000001000000-0x0000000001034000-memory.dmp

Filesize
208KB

Download
memory/2960-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads