2dc4c306da01adebbc2304f3d82d009bc3ca4a097209e4f6dd5400ef4f93cbc8

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ahnrpt.exe
Size

701KB
MD5

c4c1502174650a0ef2072c9373362510
SHA1

16c184e3c40bd02b7ecffa9b6610b0677f68ca6e
SHA256

07255c782af277a6dc97c84f00ace80ab351e2592dc5dc2ee6d7b0c93efff5ca
SHA512

f0dbbcff65cc6652a0f5f516b0b0d2180c00c56e2f8b70983b3c7542e58b88753d8176d666393132177240d3f928145d4e50abe421cc461e8b59dcbc8826c849
SSDEEP

12288:/+nzRzozPG1gPzMV/ZeL5W2woKORykgXc2l411pDgCMSBMtp8Y:/+nzBoz8VANAIykWcw4PpDCJb

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

AhnRpt.exe

pid process

2000 AhnRpt.exe
Loads dropped DLL 2 IoCs

Processes:

ahnrpt.exe

pid process

2876 ahnrpt.exe
2876 ahnrpt.exe

pid	process
2000	AhnRpt.exe

pid	process
2876	ahnrpt.exe
2876	ahnrpt.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsi1BCC.tmp\AhnRpt.exe	upx
behavioral21/memory/2876-10-0x0000000000620000-0x00000000006AD000-memory.dmp	upx
behavioral21/memory/2000-13-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-15-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-16-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-17-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-18-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-19-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-20-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-21-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-22-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-23-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-24-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-25-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-26-0x0000000000400000-0x000000000048D000-memory.dmp	upx
behavioral21/memory/2000-27-0x0000000000400000-0x000000000048D000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1518.001

Processes:

AhnRpt.exe

description ioc process

Key opened \REGISTRY\MACHINE\Software\AhnLab\V3IS80 AhnRpt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\AhnLab\V3IS80	AhnRpt.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AhnRpt.exe

description	ioc	process
File opened (read-only)	\??\Q:	AhnRpt.exe
File opened (read-only)	\??\V:	AhnRpt.exe
File opened (read-only)	\??\B:	AhnRpt.exe
File opened (read-only)	\??\I:	AhnRpt.exe
File opened (read-only)	\??\N:	AhnRpt.exe
File opened (read-only)	\??\M:	AhnRpt.exe
File opened (read-only)	\??\O:	AhnRpt.exe
File opened (read-only)	\??\R:	AhnRpt.exe
File opened (read-only)	\??\E:	AhnRpt.exe
File opened (read-only)	\??\G:	AhnRpt.exe
File opened (read-only)	\??\J:	AhnRpt.exe
File opened (read-only)	\??\T:	AhnRpt.exe
File opened (read-only)	\??\Y:	AhnRpt.exe
File opened (read-only)	\??\Z:	AhnRpt.exe
File opened (read-only)	\??\A:	AhnRpt.exe
File opened (read-only)	\??\H:	AhnRpt.exe
File opened (read-only)	\??\P:	AhnRpt.exe
File opened (read-only)	\??\U:	AhnRpt.exe
File opened (read-only)	\??\W:	AhnRpt.exe
File opened (read-only)	\??\X:	AhnRpt.exe
File opened (read-only)	\??\K:	AhnRpt.exe
File opened (read-only)	\??\L:	AhnRpt.exe
File opened (read-only)	\??\S:	AhnRpt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AhnRpt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	AhnRpt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	AhnRpt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AhnRpt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AhnRpt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AhnRpt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	AhnRpt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	AhnRpt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AhnRpt.exe

pid process

2000 AhnRpt.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AhnRpt.exe

description pid process

Token: SeDebugPrivilege 2000 AhnRpt.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AhnRpt.exe

pid process

2000 AhnRpt.exe
2000 AhnRpt.exe

pid	process
2000	AhnRpt.exe

description	pid	process
Token: SeDebugPrivilege	2000	AhnRpt.exe

pid	process
2000	AhnRpt.exe
2000	AhnRpt.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ahnrpt.exe

description	pid	process	target process
PID 2876 wrote to memory of 2000	2876	ahnrpt.exe	AhnRpt.exe
PID 2876 wrote to memory of 2000	2876	ahnrpt.exe	AhnRpt.exe
PID 2876 wrote to memory of 2000	2876	ahnrpt.exe	AhnRpt.exe
PID 2876 wrote to memory of 2000	2876	ahnrpt.exe	AhnRpt.exe

C:\Users\Admin\AppData\Local\Temp\ahnrpt.exe
"C:\Users\Admin\AppData\Local\Temp\ahnrpt.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\nsi1BCC.tmp\AhnRpt.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi1BCC.tmp\AhnRpt.exe"
  2⤵
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi1BCC.tmp\AhnRpt.exe

Filesize
191KB

MD5
adc7b1e4255af2811f8d8232c32aa27b

SHA1
4d5b2ab5f7315d2be4d6d3cae14ed248ddb7079f

SHA256
930d5c69beecb82100de8c446a9c0066ac088246e512a4f2dfc054d5ff95937d

SHA512
7590e17750242a40fc6199e1e3df462860081c6f202cbb1122dbe8d186f7eaf35bdeb2f129ad264ab289899d9870da6ef4b6852a13a6915db29c001ca0ed3067

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1BCC.tmp\PackAPI.dll

Filesize
24KB

MD5
0b6dda0671fd4b087a0c81e092b481f2

SHA1
8049ad50b1bf8b138ac0d5261e70074880e41a4e

SHA256
4e3f389ee8e27845a34d316347ed3ca1175881a2c8f01ef97857e86b6db1e7ae

SHA512
0bfec117b65bdb5cd38b3a8a423106dc738a3c0976a48ef42ac9460bda8d259bd8a7ad7f23e3d56baa1ad55d9885797487f815ed1284b643047ba9da5065a2e6

Download Submit
memory/2000-22-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-19-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-27-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-15-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-16-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-17-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-18-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-13-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-20-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-21-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-26-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-23-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-24-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2000-25-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2876-10-0x0000000000620000-0x00000000006AD000-memory.dmp

Filesize
564KB

Download
memory/2876-14-0x0000000000620000-0x00000000006AD000-memory.dmp

Filesize
564KB

Download