f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Program.exe
Size

356KB
MD5

470c1aaa600dfd81af4cfb23bee7490c
SHA1

17cc0969b22f293b9bab656da3c9e4e4f6a3dbd0
SHA256

438c6c0291603bd92a66731abcf32e478dc19093c1c0f3c75ee5117192913809
SHA512

9a9927ce72abab495474fcc153dc65fcbe15f46cd08e03e892f05b1ad2025d80301b40cf922fee9bbfb4cc2aeffe867a772bc381c1694289e13cf1fde591fbee
SSDEEP

6144:nuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLT/yXiJxKM0Z:u6Wq4aaE6KwyF5L0Y2D1PqLB6Z

Score

7^/10

persistence upx

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

Windows Program.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNLEWE.lnk Windows Program.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNLEWE.lnk	Windows Program.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral18/memory/556-0-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-15-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-16-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-17-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-18-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-19-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-21-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-22-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-23-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-24-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-25-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-26-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-27-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-28-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral18/memory/556-29-0x0000000000400000-0x00000000004CA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Program.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNLEWE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Windows Program.exe\""	Windows Program.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ipapi.co
2 ipapi.co

flow	ioc
1	ipapi.co
2	ipapi.co

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral18/memory/556-15-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-16-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-17-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-18-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-19-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-21-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-22-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-23-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-24-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-25-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-26-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-27-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-28-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral18/memory/556-29-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows Program.exe

pid	process
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe
556	Windows Program.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows Program.exe

pid process

556 Windows Program.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Windows Program.exe

description	pid	process	target process
PID 556 wrote to memory of 2232	556	Windows Program.exe	WSCript.exe
PID 556 wrote to memory of 2232	556	Windows Program.exe	WSCript.exe
PID 556 wrote to memory of 2232	556	Windows Program.exe	WSCript.exe

C:\Users\Admin\AppData\Local\Temp\Windows Program.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Program.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs
2⤵
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs
Filesize
850B

MD5
59ccb6ffd3155d4e1e16509c1d2b424b

SHA1
c4b3aaa2e1f972aa6f1ae4a1543452d93bf1491c

SHA256
ba844c991f9fc79f240573cf20e975ac60ae70adc4f45298059e53474df49d1c

SHA512
8b1f99c486b756305dc3480182e2b6a37454e156050da9a3e2ff21ce131e7a34a3ebe740f7f07ed17e79e79a5ddf4213e509d009391d69c317b643b5f183b053

Download Submit
memory/556-22-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-23-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-16-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-17-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-18-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-19-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-15-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-0-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-21-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-24-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-25-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-26-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-27-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-28-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/556-29-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download