b09735521db093df8edb6782d9c34f90fe7d7d2a863494e619e3f944d98ab6bd

Resubmissions

17/05/2024, 11:46

240517-nxrdzafh5v 8

Analysis

max time kernel
453s
max time network
1178s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17/05/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tul-is-just-better.exe
Size

1.9MB
MD5

e436afca669cb7b61b2b9b6a3de28af6
SHA1

37ecb2e4413b1ca68de901ed8d3503959c77a8e4
SHA256

b09735521db093df8edb6782d9c34f90fe7d7d2a863494e619e3f944d98ab6bd
SHA512

ff3e485af40233b641900ac9f89c39c2c9c47e47c465da5347972137dbd1f977f3340ef3b4db1a1a50f62e19f6e73497545d226453ee88561a697f30569f66ae
SSDEEP

49152:W5TYm4p5ga6xbcF6uZ3kjvGBGtq1G1GSJtrBmO7iR5:YTD2P6xbGNmhJ3t7K

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	tul-is-just-better.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1100	tul-is-just-better.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1100	tul-is-just-better.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3432	1100	tul-is-just-better.exe	78
PID 1100 wrote to memory of 3432	1100	tul-is-just-better.exe	78
PID 1100 wrote to memory of 856	1100	tul-is-just-better.exe	79
PID 1100 wrote to memory of 856	1100	tul-is-just-better.exe	79
PID 856 wrote to memory of 4880	856	cmd.exe	80
PID 856 wrote to memory of 4880	856	cmd.exe	80
PID 856 wrote to memory of 3896	856	cmd.exe	81
PID 856 wrote to memory of 3896	856	cmd.exe	81
PID 856 wrote to memory of 4680	856	cmd.exe	82
PID 856 wrote to memory of 4680	856	cmd.exe	82

C:\Users\Admin\AppData\Local\Temp\tul-is-just-better.exe
"C:\Users\Admin\AppData\Local\Temp\tul-is-just-better.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Color 4F
  2⤵
  PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\tul-is-just-better.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\tul-is-just-better.exe" MD5
    3⤵
    PID:4880
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3896
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads