fd786c64ff26e1e68e83338586d504375a456e0fd3d565b23520f3fc2e28cdcd

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f6ca059ca1638943cabdff385345c0.exe
Size

176KB
MD5

23f6ca059ca1638943cabdff385345c0
SHA1

796c3812ebbb018cf303482b29b4c5c75740ba48
SHA256

fd786c64ff26e1e68e83338586d504375a456e0fd3d565b23520f3fc2e28cdcd
SHA512

005e8f91a5ff685d70f9e1ff3e973de7e98d9c283c3de42015eac813c513710d13cf5e840fbbdd3c1b9e5fd8639db02246a319e0cea9eaf733acf19f0e23fe3e
SSDEEP

3072:59E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:r0MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2904	MuiUpubw.exe
2272	~2BE1.tmp
2600	PINGuser.exe

Loads dropped DLL 3 IoCs

pid	Process
2792	23f6ca059ca1638943cabdff385345c0.exe
2792	23f6ca059ca1638943cabdff385345c0.exe
2904	MuiUpubw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\dianskey = "C:\\Users\\Admin\\AppData\\Roaming\\cleatune\\MuiUpubw.exe"	23f6ca059ca1638943cabdff385345c0.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PINGuser.exe	23f6ca059ca1638943cabdff385345c0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	MuiUpubw.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE
2600	PINGuser.exe
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2904	2792	23f6ca059ca1638943cabdff385345c0.exe	28
PID 2792 wrote to memory of 2904	2792	23f6ca059ca1638943cabdff385345c0.exe	28
PID 2792 wrote to memory of 2904	2792	23f6ca059ca1638943cabdff385345c0.exe	28
PID 2792 wrote to memory of 2904	2792	23f6ca059ca1638943cabdff385345c0.exe	28
PID 2904 wrote to memory of 2272	2904	MuiUpubw.exe	29
PID 2904 wrote to memory of 2272	2904	MuiUpubw.exe	29
PID 2904 wrote to memory of 2272	2904	MuiUpubw.exe	29
PID 2904 wrote to memory of 2272	2904	MuiUpubw.exe	29
PID 2272 wrote to memory of 1196	2272	~2BE1.tmp	21
PID 2792 wrote to memory of 2772	2792	23f6ca059ca1638943cabdff385345c0.exe	31
PID 2792 wrote to memory of 2772	2792	23f6ca059ca1638943cabdff385345c0.exe	31
PID 2792 wrote to memory of 2772	2792	23f6ca059ca1638943cabdff385345c0.exe	31
PID 2792 wrote to memory of 2772	2792	23f6ca059ca1638943cabdff385345c0.exe	31
PID 2772 wrote to memory of 2760	2772	cmd.exe	33
PID 2772 wrote to memory of 2760	2772	cmd.exe	33
PID 2772 wrote to memory of 2760	2772	cmd.exe	33
PID 2772 wrote to memory of 2760	2772	cmd.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2760	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196
- C:\Users\Admin\AppData\Local\Temp\23f6ca059ca1638943cabdff385345c0.exe
  "C:\Users\Admin\AppData\Local\Temp\23f6ca059ca1638943cabdff385345c0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Roaming\cleatune\MuiUpubw.exe
    "C:\Users\Admin\AppData\Roaming\cleatune\MuiUpubw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\~2BE1.tmp
      "C:\Users\Admin\AppData\Local\Temp\~2BE1.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    /C 259402939.cmd
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "23f6ca059ca1638943cabdff385345c0.exe"
      4⤵
      Views/modifies file attributes
      PID:2760

C:\Windows\SysWOW64\PINGuser.exe
C:\Windows\SysWOW64\PINGuser.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259402939.cmd

Filesize
195B

MD5
3003b2a2b871e1cc44b9f05c52d174cc

SHA1
de2ce38f82cf313169975dd53400d0d714dad96b

SHA256
2028f59910e9ced32e991f0479f1ca38d03a1b105c43ebe1d9f229486cb0d7fc

SHA512
cdf8bdba236ada2bf0eac8b155ec1969de8b3160c93096e61c58462b94a42f7ac521cb4bf192857bbfaa38b73aebba502529db7a3928439f2086f4763c811172

Download Submit
C:\Users\Admin\AppData\Local\Temp\~2BE1.tmp

Filesize
6KB

MD5
2ed1e860c14cc8f963fbb1f0a002b6ae

SHA1
0bf1da2573dc95a92e9fe8381697c272c9998ab5

SHA256
b4d98c654230b517b729d2d54f75abb7becbb1d16078d21df1bd02e0dd097ff2

SHA512
b5bb5b91fb4434366316e85b62dab3d29eb928a7085f70f6070363aeba7cfec07c6c538f5992b24ccb4c1a85927028534af6721c3b0a4b04b57757bba947a5dc

Download Submit
C:\Windows\SysWOW64\PINGuser.exe

Filesize
176KB

MD5
23f6ca059ca1638943cabdff385345c0

SHA1
796c3812ebbb018cf303482b29b4c5c75740ba48

SHA256
fd786c64ff26e1e68e83338586d504375a456e0fd3d565b23520f3fc2e28cdcd

SHA512
005e8f91a5ff685d70f9e1ff3e973de7e98d9c283c3de42015eac813c513710d13cf5e840fbbdd3c1b9e5fd8639db02246a319e0cea9eaf733acf19f0e23fe3e

Download Submit
\Users\Admin\AppData\Roaming\cleatune\MuiUpubw.exe

Filesize
176KB

MD5
df117c613ef8d8be4a8611d50d7d34f9

SHA1
b5aca1afc5a632bd649102453765a14b19d8f06d

SHA256
6fff0ee975e3c6d95fe0b55ddf745f87a5e3aecf7c34fe320c0c7d90db090099

SHA512
66dd786166f394c80ba78e83fb40c2bebc0f38946cd67132d9054418526c2a7a6576e11053cf008431a1cb170f0fa54840ec1641a4ad68b8b85b69de1e8cc196

Download Submit
memory/1196-18-0x0000000002560000-0x00000000025A3000-memory.dmp

Filesize
268KB

Download
memory/1196-17-0x0000000002560000-0x00000000025A3000-memory.dmp

Filesize
268KB

Download
memory/1196-16-0x0000000002560000-0x00000000025A3000-memory.dmp

Filesize
268KB

Download
memory/2600-29-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2600-28-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2600-27-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2792-0-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/2904-11-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download