08d04e7168869300fdd6d77c072d06fdc31ea5037d3ec929b205306809403e4b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e221652ba4c83a0d97e7b9e787b26a09.exe
Size

443KB
MD5

e221652ba4c83a0d97e7b9e787b26a09
SHA1

bd7439c5f41736933d85c310280b6fea54d93781
SHA256

08d04e7168869300fdd6d77c072d06fdc31ea5037d3ec929b205306809403e4b
SHA512

137fb8c1070c781c8ff5ba02c8079aa73288c7e4a95e84bbcf8a20cbeac744bdde53453f495c863256c3218c6b2d7bc65fda5bad965c579f7ed7e11d2c627051
SSDEEP

12288:dVV6fzF64n5ToGk8DUrvOt91UkHq0y93Z+5J4Qny:TVi/etXqrzHq04+5J4Qny

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2552	jJ01803ImBjM01803.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	jJ01803ImBjM01803.exe

Loads dropped DLL 2 IoCs

pid	Process
2676	e221652ba4c83a0d97e7b9e787b26a09.exe
2676	e221652ba4c83a0d97e7b9e787b26a09.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-1-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2676-18-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2552-20-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2552-30-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral1/memory/2552-40-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jJ01803ImBjM01803 = "C:\\ProgramData\\jJ01803ImBjM01803\\jJ01803ImBjM01803.exe"	jJ01803ImBjM01803.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	jJ01803ImBjM01803.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	e221652ba4c83a0d97e7b9e787b26a09.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	e221652ba4c83a0d97e7b9e787b26a09.exe
Token: SeDebugPrivilege	2552	jJ01803ImBjM01803.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2552	jJ01803ImBjM01803.exe
2552	jJ01803ImBjM01803.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2552	2676	e221652ba4c83a0d97e7b9e787b26a09.exe	28
PID 2676 wrote to memory of 2552	2676	e221652ba4c83a0d97e7b9e787b26a09.exe	28
PID 2676 wrote to memory of 2552	2676	e221652ba4c83a0d97e7b9e787b26a09.exe	28
PID 2676 wrote to memory of 2552	2676	e221652ba4c83a0d97e7b9e787b26a09.exe	28

C:\Users\Admin\AppData\Local\Temp\e221652ba4c83a0d97e7b9e787b26a09.exe
"C:\Users\Admin\AppData\Local\Temp\e221652ba4c83a0d97e7b9e787b26a09.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\ProgramData\jJ01803ImBjM01803\jJ01803ImBjM01803.exe
  "C:\ProgramData\jJ01803ImBjM01803\jJ01803ImBjM01803.exe" "C:\Users\Admin\AppData\Local\Temp\e221652ba4c83a0d97e7b9e787b26a09.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jJ01803ImBjM01803\jJ01803ImBjM01803

Filesize
192B

MD5
6f3a40d0d45276043d646029d5474205

SHA1
5ec91b403ebff61a070789d4d762eb2e35c4cd4d

SHA256
b6731ddde926374eba8ab801015c33eb8463654c2daa73bbf6860bb7475abc6c

SHA512
28e5904f30ab56bcf08efd9ec333447f616836d1320b874fc57ac2111c6deaf67b3b39af557f04e12b581f42fa36197cb344e523b074f5f4b2b6da4a755c07e0

Download Submit
\ProgramData\jJ01803ImBjM01803\jJ01803ImBjM01803.exe

Filesize
443KB

MD5
bbcbd495a0c404cb66f90e39033f6803

SHA1
a9ed999529f265877f02abcf8bb03062cb2b2663

SHA256
ff8903d873d295a3c37bbb049bdcf71b873f0eda3cef285b51ebd7276a78491e

SHA512
b720cd548694ef7f834c2a000c9451e0b937ca495d34f1398eeb63952a5b647e4495b4308c1f54fb018d7f0e0ff4c1e9506ecdcf78fa3eaeca5483f83769deda

Download Submit
memory/2552-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2552-29-0x0000000000280000-0x0000000000380000-memory.dmp

Filesize
1024KB

Download
memory/2552-30-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2552-32-0x0000000000280000-0x0000000000380000-memory.dmp

Filesize
1024KB

Download
memory/2552-40-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2676-2-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/2676-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2676-18-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download