Analysis

  • max time kernel
    143s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-04-2024 23:10

General

  • Target

    77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe

  • Size

    504KB

  • MD5

    54525a4e92f6be8b4d52ccc12d5b5bf6

  • SHA1

    55c5b6a279f3ca32473b9f833d288093c628bff7

  • SHA256

    77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de

  • SHA512

    4cc5aeee452cdd41c27969e2cce760fad6c27c3a2647edfe86cb3a21bdac996e2092a3d8003ec2682ab5d1106160d11a4a4a49fc2533616fd7f9d189d1e918bf

  • SSDEEP

    12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
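The two UPX signatures above ("UPX packed file" and "UPX dump on OEP") are the sandbox's, and the in-memory image it dumped at 0x400000-0x49C000 (624KB) is larger than the 504KB file, which is what an unpacked UPX image looks like. The dropped copy Explorrer.exe has the same 504KB size as the submitted sample but different hashes, so hash matching alone will miss the persisted copy and a structural check on the file is more useful. The following is an added example, not the sandbox's detection logic: it walks the PE section table with the standard library and applies two heuristics, the stock UPX0/UPX1 section names and the layout that survives a renamed build (first section with zero bytes on disk but a large virtual size). The PE built by build_sample_pe is constructed for the example and is not the sample from this report.

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(section_names, packed=True):
    """Constructed minimal PE32 (not a real sample) with the given section names.
    With packed=True the first section has no bytes on disk but a large virtual
    size, which is how UPX reserves the destination for the unpacked image."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    size_of_optional = 0xE0  # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_of_optional, 0x102)
    optional = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\x00")
    headers, va = b"", 0x1000
    for i, name in enumerate(section_names):
        first = i == 0
        # 0x9C000 = 624KB, the size of the in-memory image the sandbox dumped in this report
        virtual_size = 0x9C000 if first else 0x10000
        raw_size = 0 if (first and packed) else virtual_size
        headers += struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\x00"),
                               virtual_size, va, raw_size, 0x400, 0, 0, 0, 0, 0xE0000080)
        va += (virtual_size + 0xFFF) & ~0xFFF
    return dos + b"PE\x00\x00" + coff + optional + headers


def parse_sections(data):
    """DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HEADER, data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_offset": rptr, "characteristics": flags,
        })
    return sections


def upx_indicators(sections):
    """Section names are weak evidence (modified UPX builds rename them);
    the empty-first-section layout is the check that survives renaming."""
    findings = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        findings.append("upx_section_names")
    if sections and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] >= 0x1000:
        findings.append("empty_first_section")
    return findings


def scan(data):
    return upx_indicators(parse_sections(data))


if __name__ == "__main__":
    print(scan(build_sample_pe(["UPX0", "UPX1", ".rsrc"])))
    print(scan(build_sample_pe([".text", ".data", ".rsrc"])))        # renamed sections
    print(scan(build_sample_pe([".text", ".data", ".rsrc"], packed=False)))
```

On a real file, `scan(open(path, "rb").read())` runs the same checks. Both are header heuristics only; confirmation is unpacking the file (`upx -d` works for stock UPX, not for modified builds) or dumping the image at the original entry point the way the sandbox did.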

Processes

  • C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
    "C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe
      "C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
        C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
          "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1444
          • C:\Windows\SysWOW64\ipconfig.exe
            "C:\Windows\system32\ipconfig.exe"
            5⤵
            • Gathers network information
            • Suspicious use of WriteProcessMemory
            PID:840
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\LHVUKUNM.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1944
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f
                7⤵
                • Adds Run key to start application
                • Modifies registry key
                PID:1780
        • C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
          "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
          4⤵
          • Executes dropped EXE
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
            5⤵
            • Loads dropped DLL
            PID:1756
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
            5⤵
            • Loads dropped DLL
            • Installs/modifies Browser Helper Object
            • Modifies registry class
            PID:1364
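The process tree above carries four behaviours worth turning into detections: the sample launches a second copy of itself (and Explorrer.exe does the same twice) while the sandbox flags SetThreadContext on the parent, which is the footprint of a loader that starts a suspended copy and rewrites it; persistence is written by REG ADD to the HKCU Run key out of a dropped batch file; the BHO is installed by a silent regsvr32 /s of a DLL under AppData; and ipconfig.exe, a utility that should print and exit, spawns cmd.exe. The following is an added example, not the sandbox's logic: the records are transcribed from the tree on this page (the parent of PID 2772 is the sandbox launcher, which the report does not show, so it is None), and the LEAF_UTILITIES set is an assumption made for the example. One caveat visible in the tree: the image path is SysWOW64\ipconfig.exe while the command line names system32, because WOW64 file-system redirection applies to the 32-bit parent, so detections should key on the resolved image path, not the path typed.

```python
import re
from collections import defaultdict

# Process records transcribed from the sandbox tree on this page:
# (pid, parent pid, image path, command line).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\77d24236be746a586b992110277edc83f902ac544e7268c9c420fcd666ee17de.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
BHO = r"C:\Users\Admin\AppData\Roaming\IE\bho.dll"
PROCESSES = [
    (2772, None, SAMPLE, f'"{SAMPLE}"'),
    (2956, 2772, SAMPLE, f'"{SAMPLE}"'),
    (2512, 2956, DROPPED, f"{DROPPED} -notray"),
    (1444, 2512, DROPPED, f'"{DROPPED}"'),
    (840, 1444, r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\system32\ipconfig.exe"'),
    (1944, 840, r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\LHVUKUNM.bat" "'),
    (1780, 1944, r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ '
     r'/d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f'),
    (2388, 2512, DROPPED, f'"{DROPPED}"'),
    (1756, 2388, r"C:\Windows\SysWOW64\regsvr32.exe", f'regsvr32.exe /u /s "{BHO}"'),
    (1364, 2388, r"C:\Windows\SysWOW64\regsvr32.exe", f'regsvr32.exe /s "{BHO}"'),
]

# Assumption for this example, not from the report: utilities that print and exit.
LEAF_UTILITIES = {"ipconfig.exe", "whoami.exe", "systeminfo.exe", "hostname.exe"}

RUN_KEY_RE = re.compile(
    r'^\s*reg(?:\.exe)?\s+add\s+"?(HK(?:CU|LM)[^"\s]*\\CurrentVersion\\Run(?:Once)?)"?'
    r'.*?/v\s+"?([^"\s]+)"?'
    r'.*?/d\s+(?:"([^"]*)"|(\S+))',
    re.IGNORECASE,
)
REGSVR_RE = re.compile(
    r'regsvr32(?:\.exe)?\s+(?P<flags>(?:/\w+\s+)*)"?(?P<dll>[^"]+?\.dll)"?', re.IGNORECASE
)


def find_self_spawn(procs):
    """Parent and child share an image path: a process launching a copy of itself
    to hollow (the SetThreadContext the sandbox flags on PIDs 2772 and 2512)."""
    by_pid = {pid: image for pid, _, image, _ in procs}
    return [(ppid, pid) for pid, ppid, image, _ in procs
            if ppid in by_pid and by_pid[ppid].lower() == image.lower()]


def find_run_key_persistence(procs):
    """reg.exe writing a Run/RunOnce value; returns key, value name and command."""
    hits = []
    for pid, _, image, cmd in procs:
        m = RUN_KEY_RE.match(cmd) if image.lower().endswith("\\reg.exe") else None
        if m:
            hits.append({"pid": pid, "key": m.group(1), "value": m.group(2),
                         "data": m.group(3) or m.group(4)})
    return hits


def find_silent_com_registration(procs):
    """regsvr32 /s on a DLL under a user profile: how the BHO here is installed.
    The preceding /u (unregister) is skipped; the re-register is the install."""
    hits = []
    for pid, _, image, cmd in procs:
        m = REGSVR_RE.search(cmd) if image.lower().endswith("\\regsvr32.exe") else None
        if not m:
            continue
        flags = {f.lower() for f in m.group("flags").split()}
        if "/u" not in flags and "/s" in flags and "\\appdata\\" in m.group("dll").lower():
            hits.append((pid, m.group("dll")))
    return hits


def find_utility_with_children(procs):
    """A print-and-exit utility with children (ipconfig.exe -> cmd.exe above)."""
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    return [(pid, image.rsplit("\\", 1)[-1].lower(), children[pid]) for pid, _, image, _ in procs
            if image.rsplit("\\", 1)[-1].lower() in LEAF_UTILITIES and children.get(pid)]


def triage(procs):
    return {"self_spawn": find_self_spawn(procs),
            "run_key": find_run_key_persistence(procs),
            "silent_regsvr32": find_silent_com_registration(procs),
            "utility_children": find_utility_with_children(procs)}


if __name__ == "__main__":
    for technique, hits in triage(PROCESSES).items():
        print(technique, hits)
```

The same functions run over any (pid, ppid, image, cmdline) export, for instance from Sysmon event ID 1 or an EDR process search. On a live host the Run key check reduces to `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and looking for a value whose command points under AppData, which is exactly what the batch file here writes.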

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\LHVUKUNM.bat

    Filesize

    153B

    MD5

    02cbdd547ced25f8f7dc814d9169d567

    SHA1

    fc9697d828dcda615f6edd3e49a55b9307dbd311

    SHA256

    ec250cdf89523b18688d45fdc11bc93e46547a574ef59e03426c098f6b887c07

    SHA512

    cec1b6c5d843408e3cb6345a3430d8469a07c09677e1bd4c522c41ee29dbd941236a8dd9963410c69a165f3913c30aa22cfd206e51a59b9ffd160c38e70cfe3f

  • C:\Users\Admin\AppData\Roaming\IE\bho.dll

    Filesize

    87KB

    MD5

    49a92a33d1775b45b3bd45f8bec24585

    SHA1

    ea404af50bbdad5cbc9f95f4068bdc30c9fceff6

    SHA256

    976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5

    SHA512

    7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f

  • \Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

    Filesize

    504KB

    MD5

    57880d87727c18229702018c680cd02e

    SHA1

    a846eff15ad41eab870b09f149ecb6d7fbf55541

    SHA256

    538204988e058743fd0f1079deffa8610083f087620837f82a6f51c59c7ed1ad

    SHA512

    7ca9890c9522ebe729fb16dccac796ebcf70cc6bf257f804a98c912a87e62813ae3d03ddfa465ba87a79c0dd6933a3c9882f97ebf0a5d61fdab7ca32ef6576c3

  • memory/840-96-0x00000000000C0000-0x00000000000C1000-memory.dmp

    Filesize

    4KB

  • memory/1444-103-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2388-87-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-219-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-82-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-83-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-84-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-85-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-86-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-70-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-88-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-90-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-89-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-59-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-61-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-63-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-79-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-78-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-66-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-68-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-76-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2388-72-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2512-80-0x0000000000520000-0x0000000000521000-memory.dmp

    Filesize

    4KB

  • memory/2512-95-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2512-81-0x0000000002740000-0x0000000002741000-memory.dmp

    Filesize

    4KB

  • memory/2512-44-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2512-42-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2772-8-0x0000000000520000-0x0000000000521000-memory.dmp

    Filesize

    4KB

  • memory/2772-5-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/2772-3-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2772-9-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

  • memory/2772-10-0x0000000001E00000-0x0000000001E9C000-memory.dmp

    Filesize

    624KB

  • memory/2772-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

  • memory/2772-0-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2772-7-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2772-25-0x0000000000400000-0x000000000049C000-memory.dmp

    Filesize

    624KB

  • memory/2956-13-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2956-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2956-21-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2956-15-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2956-11-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2956-32-0x0000000002540000-0x00000000025DC000-memory.dmp

    Filesize

    624KB

  • memory/2956-41-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB