bd42d3db5c5a13028bcac1958aff1ef3b2c4ba7bb7bb5719f8b521f97dd51a78

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfcb6fc752ebeaf4d53f75aea06299c6.exe
Size

1.9MB
MD5

dfcb6fc752ebeaf4d53f75aea06299c6
SHA1

90cdb5c750f47d4d27dff52ffffae17f6fb9de64
SHA256

bd42d3db5c5a13028bcac1958aff1ef3b2c4ba7bb7bb5719f8b521f97dd51a78
SHA512

339b07f849e58e87ea1796b81cd456d725535c09e2dcb2d52a813eb35b2ca2c1ffb3bde651cef5b4b6f66f534fc01a905005c6e0691da5f885738460c7a28c20
SSDEEP

49152:Yoq37gR46arvwL47Os6Cy3bbBumUiA6FxOvIfstcDn:/rRMrvZHnmUN6FxOv0st8n

Score

8^/10

evasion upx

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	2380	mshta.exe
16	1612	cscript.exe
18	2380	mshta.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dfcb6fc752ebeaf4d53f75aea06299c6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	dfcb6fc752ebeaf4d53f75aea06299c6.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2168-0-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-111-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-112-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-113-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-115-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-116-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-118-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-119-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-120-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-121-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-122-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-123-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-124-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-126-0x0000000000400000-0x000000000092E000-memory.dmp	upx
behavioral1/memory/2168-127-0x0000000000400000-0x000000000092E000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\FalconBetaAccount	dfcb6fc752ebeaf4d53f75aea06299c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\FalconBetaAccount\remote_access_client_id = "4895449949"	dfcb6fc752ebeaf4d53f75aea06299c6.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2180	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2168	dfcb6fc752ebeaf4d53f75aea06299c6.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2380	2168	dfcb6fc752ebeaf4d53f75aea06299c6.exe	28
PID 2168 wrote to memory of 2380	2168	dfcb6fc752ebeaf4d53f75aea06299c6.exe	28
PID 2168 wrote to memory of 2380	2168	dfcb6fc752ebeaf4d53f75aea06299c6.exe	28
PID 2168 wrote to memory of 2380	2168	dfcb6fc752ebeaf4d53f75aea06299c6.exe	28
PID 2380 wrote to memory of 2836	2380	mshta.exe	29
PID 2380 wrote to memory of 2836	2380	mshta.exe	29
PID 2380 wrote to memory of 2836	2380	mshta.exe	29
PID 2380 wrote to memory of 2836	2380	mshta.exe	29
PID 2380 wrote to memory of 2180	2380	mshta.exe	31
PID 2380 wrote to memory of 2180	2380	mshta.exe	31
PID 2380 wrote to memory of 2180	2380	mshta.exe	31
PID 2380 wrote to memory of 2180	2380	mshta.exe	31
PID 2380 wrote to memory of 1612	2380	mshta.exe	34
PID 2380 wrote to memory of 1612	2380	mshta.exe	34
PID 2380 wrote to memory of 1612	2380	mshta.exe	34
PID 2380 wrote to memory of 1612	2380	mshta.exe	34

C:\Users\Admin\AppData\Local\Temp\dfcb6fc752ebeaf4d53f75aea06299c6.exe
"C:\Users\Admin\AppData\Local\Temp\dfcb6fc752ebeaf4d53f75aea06299c6.exe"
1⤵
- Identifies Wine through registry keys
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\index.hta?utorrent" "C:\Users\Admin\AppData\Local\Temp\dfcb6fc752ebeaf4d53f75aea06299c6.exe" /LOG "C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\index.hta.log" /PID "2168" /CID "hCB6jALdcays2lWt" /VERSION "111849444" /BUCKET "0" /SSB "4" /COUNTRY "US" /OS "6.1" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe" /ARCHITECTURE "64" /LANG "en" /USERNAME "Admin" /SID "S-1-5-21-1298544033-3225604241-2703760938-1000" /CLIENT "utorrent"
  2⤵
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\System32\cscript.exe" "shell_scripts/check_if_cscript_is_working.js"
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\System32\PING.EXE" 8.8.8.8 -n 2 -w 500
    3⤵
    - Runs ping.exe
    PID:2180
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjIxNjgiLCJoIjoiaENCNmpBTGRjYXlzMmxXdCIsInYiOiIxMTE4NDk0NDQiLCJiIjo0NTAyOCwiY2wiOiJ1VG9ycmVudCIsIm9zYSI6IjY0Iiwic2xuZyI6ImVuIiwiZGIiOiJJbnRlcm5ldCBFeHBsb3JlciIsImRidiI6IjExLjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjEwNS4wIiwiZXhlTmFtZSI6ImZpcmVmb3gifSx7Im5hbWUiOiJHb29nbGUgQ2hyb21lIiwidmVyc2lvbiI6IjEwNi4wIiwiZXhlTmFtZSI6ImNocm9tZSJ9LHsibmFtZSI6IkludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjExLjAiLCJleGVOYW1lIjoiaWV4cGxvcmUifV0sImlwIjoiODkuMTQ5LjIzLjU5IiwiY24iOiJVbml0ZWQgS2luZ2RvbSIsInBhY2tpZCI6ImRlZmF1bHQifQ=="
    3⤵
    - Blocklisted process makes network request
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\i18n\en.json

Filesize
5KB

MD5
4417dbfa9fce94752a5a2dfdc823cb92

SHA1
12d2fd479d85b3f26c28351bbd0e44f06bc60597

SHA256
2381252b689d7ef2a8e1dcea6b7366c0436e70ff29e9b63f3ae34bcc5c60aaf5

SHA512
922c3e44db618cb2a77ad8ae6cceeaaecda3acf47034dcfe620cc5c352bededa6e4c983c74a05a797bcbed4f595d205f21829e3393b8994feb73f8179494a93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\images\loading.gif

Filesize
5KB

MD5
c910e2a5db424644aead18e1758c5efd

SHA1
fa58fc1a0c17db6c0eb573a0d548e544604114da

SHA256
00c62ed42795f996b5f963c69ce918c2623d72896ebb628dfd9bc800514900ce

SHA512
66d87ba337fc672f3f2fac50e2b32774b3a470b32fe5ba1a0e887bf74465e3db1375eca3cab91367bf88b2c6fbf0301e11d6f64c90dddc0c972fabeaefd37b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\images\main_icon.png

Filesize
3KB

MD5
e29ae2c3347790175085244651c40d6a

SHA1
0b9a15b6791439b319496950b85ab82dc2e3e5ae

SHA256
639bccb6ed0fce165cc979a2949d211ec8f1570133d644bf042a5400c3454c21

SHA512
53287d741b18275ee35eb4c4392c452e25846748ccaf3954a57f017a6e844b25ec4a39438c6ed7b24128138b8d7239cfacf69112f9803ab9d2ee981ea97a9808

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\images\main_utorrent.ico

Filesize
104KB

MD5
44d122c9473107fc36412de81418c84a

SHA1
a0072c789a9cd50ba561683c69af8602927cf4a8

SHA256
7c7279daebd88f6a34246603db9c0ecf9bbfa35ef820edd3278e5bc53f9e7680

SHA512
b4294b80edc0566744dd98a5ab3e2ac64a4ce4851192d5610ee13f12dc24947f51b7d5b5629f7bff6004d74e5a2b728913cda1b3386cf878ab7fb365490d8067

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\index.hta

Filesize
522B

MD5
76903930c0ade2285f1ab1bf54be660d

SHA1
0fdd5990ca58cf6c49985ffd2075baa09cd728ce

SHA256
61acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e

SHA512
c66c7f9f488a0ac58fc1b7c6560edb4bc6df71a3504c2567ac54f4f89aee40a7073865e67e508baf4e055555bbc2f461d5b558a427ab6ac602b9fe0b1f9f8c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\install.1711476945.zip

Filesize
743KB

MD5
b95e97108189f7babf89539f08186890

SHA1
bf8e669ff37c68d86eafd239bd82684b0bce00a0

SHA256
52bd756b898a3e7dd1c0ec8d3ef76db5f68b9fc5953ca61c493df01eec61ca12

SHA512
cca151213d0062d529d267f31af39236527399b96b019f0c6a68b68bfbcb0bbd7fa747ad24b8d7db9c900e08ed47cfbe79fdd88e1ff97e0ab7eafc5fe228c649

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\scripts\common.js

Filesize
337KB

MD5
78b4d4390bff0f011ebd271c9bebeec5

SHA1
12f0f137a8173be5791187a583256894d68bea26

SHA256
2f2edf2bd12ae6c6553042c30cb73b967e9066babad5f18f5ff054e708ffd19c

SHA512
a83f8133f26fca263070b278879582268d5bc02a4bad5028f5c80517c069bdc9915b21bcdea31f4f81df04ab891e9b5858109d80e2e4421812af64ae1c12a67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\scripts\initialize.js

Filesize
1005B

MD5
2a65c76b51a2c15eebeefa662d511af9

SHA1
3c5f93d39fdd573e43c7a451836d425bc1b07a5d

SHA256
31fc706ae4bd5093aecb6a0b7f9d3b686feb284076b1122aaff978779612dc06

SHA512
85b012dca5bbdbdd929de859ae41ed817c7f1e02eae70aaaf687f9ba381f696fa7751e3f2262d48c14f49c9090f106a6bb9652962d38bb7fab93214a2466e8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\scripts\install.js

Filesize
5KB

MD5
36f8dbcbdeed01079dcd0abdf481ffd7

SHA1
354d8fa00c37255d15a07a8b93f99ec2821ed1a2

SHA256
8d41b55c7626eccd4369418e4d0a1cfc2c7ca56b6424ac7b04e50ebc883837c9

SHA512
3a9ace6ed03f59599739bba74271aac5f4bdd589cbc2727285dd26fe390c8febebd9915c0d72e809e09c47f3d6ec12709acbd99c69796672775f5c0159c4a4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\shell_scripts\check_if_cscript_is_working.js

Filesize
18B

MD5
401b092610275ba2a62376598bfd9c6b

SHA1
da1173bc19dd51759f06ac21237a1e8af19d96e7

SHA256
d1b9d32702d7d7a184ab4654c204e6d385a9499fde63e0b06bda60f8077a7862

SHA512
4a6b34a572864c8648ae1d3e2fe7b3ae2caada78cac726fafe4fe840afdeac1b53ea161ef27abe82ed6843e61bf853901a2d1bdf2ec255de0c395423d1b2e865

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\shell_scripts\shell_ping_after_close.js

Filesize
312B

MD5
3ba92505f8af34e948f97360767d4f8a

SHA1
997a36be9f9f5262195b24c8c99c0688086c80ee

SHA256
5e872715109b381c99aa19e2435628640505794e09a1998de7b92c2a5aea38e1

SHA512
b33d3519684e3b54e582e401c7144d4d3783ac44ee73e8d9ce2d92b2e0a091758d330d966ab7db19f7d22fe18335d3e8effc0961ff9d9c4ac147d0ec2c91e626

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\HTA\styles\common.css

Filesize
99KB

MD5
8a94d780401556cceabf35058bbd4b5a

SHA1
19ee91b1629f4ccf0fca1f664405a1eee9dacc5a

SHA256
086a7e44de35a235bc258bf1107e22a7dc27932cb4d7e3ebcd1f368acc000caa

SHA512
b02fdc9b46f6fa8424660f462bb290c60c0635ad5cb9fa1b386a55d85d4368d06ae5611d355f8dc0db76477c2e332b0501e70cbbba77c45aa027e1cac59ca182

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYD2109.tmp.1711476945\index.hta.log

Filesize
57B

MD5
41d3d45ea97981dbc6ff236ae62c55a7

SHA1
2ce19bdbab440d4bf10532b5e6d9e5c0af33b32e

SHA256
23facd3b51fd4ef9d9c20b860d97e1e7f60b4ddaceadd11d2334e11fd4107bb8

SHA512
3788a5ca197a6dbd563c918330dea47b05be0dd5f9d26080167e1a36e1c696625d372b6799c17b7e3e9a86f72d6c2490ff95f2c036f88b92833d81aff30b66b1

Download Submit
memory/2168-118-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-0-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-127-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-111-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-112-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-113-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-126-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-115-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-116-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-124-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-119-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-120-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-121-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-122-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2168-123-0x0000000000400000-0x000000000092E000-memory.dmp

Filesize
5.2MB

Download
memory/2380-79-0x0000000006420000-0x000000000694E000-memory.dmp

Filesize
5.2MB

Download
memory/2380-114-0x0000000006420000-0x000000000694E000-memory.dmp

Filesize
5.2MB

Download
memory/2380-78-0x0000000006420000-0x000000000694E000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads