96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db

Analysis

max time kernel
177s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 00:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
Size

418KB
MD5

808b6fdff4e0b407ac7861aa106534da
SHA1

343dc7625e52402a120ca42b24b746c3b8455d56
SHA256

96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db
SHA512

a838c6a416ac265c3bc6c203b3302110f18f77ed45dcd3570420ea05651c78f2fe49258be0d9a03ca6bc48a50db83bc1f31672f579c59a5b6cdca307fd7e3752
SSDEEP

12288:Bg0FLDzOGYJJiIeHU3qWosiP08bMDSKN1O3:B3Xy7i63Dofb3

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral1/memory/2948-3-0x0000000000400000-0x00000000004C8000-memory.dmp	UPX
behavioral1/memory/2724-21-0x0000000000400000-0x00000000004C8000-memory.dmp	UPX
behavioral1/memory/2948-23-0x0000000000400000-0x00000000004C8000-memory.dmp	UPX
behavioral1/memory/2724-26-0x0000000000400000-0x00000000004C8000-memory.dmp	UPX
behavioral1/memory/3036-31-0x0000000000400000-0x00000000004C8000-memory.dmp	UPX
behavioral1/memory/3036-34-0x0000000000400000-0x00000000004C8000-memory.dmp	UPX
behavioral1/memory/3036-40-0x0000000000400000-0x00000000004C8000-memory.dmp	UPX
behavioral1/memory/3036-44-0x0000000000400000-0x00000000004C8000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
3036	nPo24512kPdKa24512.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe

Loads dropped DLL 2 IoCs

pid	Process
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2948-3-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2724-21-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2948-23-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2724-26-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/3036-31-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/3036-34-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/3036-40-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/3036-44-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nPo24512kPdKa24512 = "C:\\ProgramData\\nPo24512kPdKa24512\\nPo24512kPdKa24512.exe"	nPo24512kPdKa24512.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	nPo24512kPdKa24512.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2724	nPo24512kPdKa24512.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2724	nPo24512kPdKa24512.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2724	nPo24512kPdKa24512.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2724	nPo24512kPdKa24512.exe
2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
2724	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
Token: SeDebugPrivilege	2724	nPo24512kPdKa24512.exe
Token: SeDebugPrivilege	3036	nPo24512kPdKa24512.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3036	nPo24512kPdKa24512.exe
3036	nPo24512kPdKa24512.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2724	2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe	29
PID 2948 wrote to memory of 2724	2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe	29
PID 2948 wrote to memory of 2724	2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe	29
PID 2948 wrote to memory of 2724	2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe	29
PID 2948 wrote to memory of 3036	2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe	31
PID 2948 wrote to memory of 3036	2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe	31
PID 2948 wrote to memory of 3036	2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe	31
PID 2948 wrote to memory of 3036	2948	96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe	31

C:\Users\Admin\AppData\Local\Temp\96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe
"C:\Users\Admin\AppData\Local\Temp\96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\ProgramData\nPo24512kPdKa24512\nPo24512kPdKa24512.exe
  "C:\ProgramData\nPo24512kPdKa24512\nPo24512kPdKa24512.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\ProgramData\nPo24512kPdKa24512\nPo24512kPdKa24512.exe
  "C:\ProgramData\nPo24512kPdKa24512\nPo24512kPdKa24512.exe" "C:\Users\Admin\AppData\Local\Temp\96377d0dfe42ec185fd6a60e0997dd8a7b920357e20fd7377433277b2d8453db.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nPo24512kPdKa24512\nPo24512kPdKa24512

Filesize
192B

MD5
6fe89cdf65317ac6d84ea0ccfd02d5b9

SHA1
4b0181f1172601c057fb31cbc1c24e5b303dd61f

SHA256
6eddb19af47dc1178a980410f21384239c8ec70e2bb5520c1ecea6fa754351bf

SHA512
ae406696de232a515ca302daee807e7d511ac679295c8edf9d9f6d6b31206227d21635c3395986d666ae203931a0fad3b5e8f801618ffac5c8a6a767fdf2e153

Download Submit
C:\ProgramData\nPo24512kPdKa24512\nPo24512kPdKa24512

Filesize
192B

MD5
bd9cb996dd61cc1341a536d81eb08e1f

SHA1
f544456cb4bb61cc9871e40cb700d31a4f922604

SHA256
ab8966c98df43510b1c15bb65b26290f215d6d1d2a878f42b7e3c8fba71968a7

SHA512
4eded15643f47749547f7cbc257d4e3d50142dfab26a261ca30be5b5c01bb05cbdbb79c0250fc72db3f2a820b2b90ab17d2294601a92a373a5e9872f9b55323c

Download Submit
\ProgramData\nPo24512kPdKa24512\nPo24512kPdKa24512.exe

Filesize
418KB

MD5
d497fd7cf69304355440d5076ed91d3e

SHA1
39c85253ef361a6cfd78dcfd8e8ba08fcd47c65a

SHA256
462a738c7934fe50d61f96c83ff8b566b64dbd4b32e10129affe227ed6a48e8d

SHA512
a248e632518a67522579f6d58b754d46ac81b9868a5ea8e0dda021d0f5f65536d1386f29fadf3ded3b22d27c8263b5d6d0271d1dc71ea2906b07f444ced6dfc2

Download Submit
memory/2724-21-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2724-26-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2948-0-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2948-3-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2948-23-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3036-31-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3036-34-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3036-40-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3036-44-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download