ee48174864ae0ef8c1e2da6b91b17c2f1df32195f69173adcc3013bf97c76ad5

Analysis

max time kernel
1801s
max time network
1565s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe
Size

127KB
MD5

8ad03e12a10e43d3876f369e9020a8ec
SHA1

f267d02e5ee3d5b164afeb38a98feed14e662272
SHA256

f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150
SHA512

670cfd2d600a1d2f7ea09893d8d89b46ec4acf80438c456bb18a097c335310ea2629493aeda2de7f832d37a19349cd3d4b785c28306bdab85bd9e281d6039d16
SSDEEP

3072:j3B9oal6OPHo2tQJz37JrwkFfzA2pg/w:j3oGLPvQhJckZzA/w

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\host1	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2216	ak7m3o5a3q1r.exe
2940	ak7m3o5a3q1r.exe
2552	ak7m3o5a3q1r.exe
2584	prockill64.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral32/memory/1780-0-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral32/memory/1780-17-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ak7m3o5a3q1r.exe	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe
File created	C:\Windows\prockill64.exe	ak7m3o5a3q1r.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2496	ipconfig.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	ak7m3o5a3q1r.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000f01d0186a07fda01	ak7m3o5a3q1r.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B155BDF8-02F0-451E-9A26-AE317CFD7779} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000508a1686a07fda01	ak7m3o5a3q1r.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ak7m3o5a3q1r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ak7m3o5a3q1r.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ak7m3o5a3q1r.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe
2584	prockill64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe
Token: SeDebugPrivilege	2584	prockill64.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2216	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	29
PID 1780 wrote to memory of 2216	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	29
PID 1780 wrote to memory of 2216	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	29
PID 1780 wrote to memory of 2216	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	29
PID 1780 wrote to memory of 2496	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	30
PID 1780 wrote to memory of 2496	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	30
PID 1780 wrote to memory of 2496	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	30
PID 1780 wrote to memory of 2496	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	30
PID 1780 wrote to memory of 2940	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	31
PID 1780 wrote to memory of 2940	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	31
PID 1780 wrote to memory of 2940	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	31
PID 1780 wrote to memory of 2940	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	31
PID 1780 wrote to memory of 2564	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	33
PID 1780 wrote to memory of 2564	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	33
PID 1780 wrote to memory of 2564	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	33
PID 1780 wrote to memory of 2564	1780	f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe	33
PID 2552 wrote to memory of 2584	2552	ak7m3o5a3q1r.exe	35
PID 2552 wrote to memory of 2584	2552	ak7m3o5a3q1r.exe	35
PID 2552 wrote to memory of 2584	2552	ak7m3o5a3q1r.exe	35
PID 2552 wrote to memory of 2584	2552	ak7m3o5a3q1r.exe	35

C:\Users\Admin\AppData\Local\Temp\f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe
"C:\Users\Admin\AppData\Local\Temp\f3771ca98b3a07606cda74128da5d4292572919418f3045196ea245ef63e9150.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\ak7m3o5a3q1r.exe
  C:\Windows\ak7m3o5a3q1r.exe -install
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:2496
- C:\Windows\ak7m3o5a3q1r.exe
  C:\Windows\ak7m3o5a3q1r.exe -start
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ERASE C:\Users\Admin\AppData\Local\Temp\F3771C~1.EXE>NUL
  2⤵
  - Deletes itself
  PID:2564

C:\Windows\ak7m3o5a3q1r.exe
C:\Windows\ak7m3o5a3q1r.exe -service
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\prockill64.exe
  "C:\Windows\prockill64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ak7m3o5a3q1r.exe

Filesize
237KB

MD5
9ae7910a4f335cee66e3e21c1e7fb167

SHA1
a3827d1f4be56d8dcdeb0dc6620c1062b35b86ec

SHA256
cef454f51d23b804a3d70ac4bbccf97088b74b4fad7add418c2447eb24985a1c

SHA512
d6d95a95672cbe73c664fb4e7331499652f0408050d0a4a257596cd6fa8cfe087492d88a31543f67100af1668c730f2505be2dadeb51b2786475d85f10099faa

Download Submit
C:\Windows\prockill64.exe

Filesize
62KB

MD5
08deb712b4f87bab1a04a51776cb9a72

SHA1
ca6f77bd414e16ce6f276e6f63e3e5e476f2a443

SHA256
5a5f00e9fc9dd6bd93dc7fc53fe611de35a6147c502e304251fbe6f4928129f1

SHA512
6388c0a85ce1c8ad36047eecd38689f1f0d5adcfe0ae9e518ae48de4e67db0a8c79b3305ed9cf94bd73eeeab3b068064a66ff91bcf4eec2d9750c2b531b1bc65

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
ada3a88608bb389b9358b16d0e0d5b68

SHA1
e629d0ac0c9e9d708aade29ae8a887da96f02f0b

SHA256
3157f79f44be4b9d47f6927230f172b0aff1d81ce3720619682509ad09f8872b

SHA512
0d9e730875dd0ffe4e30adeef4702683bfcabceb577db2ce1330fb0bfd438593a31e4fe21a5a3e002d9038e35d47335cd6aa052fb23217b6698e8ab50594f3b4

Download Submit
memory/1780-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1780-17-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download