Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 22:29

Static task: static1

Behavioral task: behavioral1
Sample: 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
Resource: win10v2004-20240508-en
General
Target: 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
Size: 418KB
MD5: d59eb8cb36a1fd4b177de0c5a7949feb
SHA1: df841a0c247c65a1bfc4b4fe6fea722b84045af2
SHA256: 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634
SHA512: c279252b2f3ed7ab26d03358d680ce999be792a31d15f45d0961ca3dbb9a06204cdec9a37b5a90ebf1f31c2ed533fd574d5554fc77cd9c391c059ba38a237009
SSDEEP: 6144:a4kCzDW+q6MEp1JfTOOOW6tEbNM6gUzKuGHxLq+nbon6Xbqzvh4V1Jpnjjjjj:aX+q9WvfaqaHI5GPnbYEAv2Nnjjjjj
Malware Config
Signatures

UPX dump on OEP (original entry point) 5 IoCs
resource | yara_rule
behavioral1/memory/2952-3-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX
behavioral1/memory/2952-18-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX
behavioral1/memory/2720-25-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX
behavioral1/memory/2720-29-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX
behavioral1/memory/2720-38-0x0000000000400000-0x00000000004F8000-memory.dmp | UPX

Deletes itself 1 IoCs
pid | Process
2720 | fF01831DfIeL01831.exe

Executes dropped EXE 1 IoCs
pid | Process
2720 | fF01831DfIeL01831.exe

Loads dropped DLL 2 IoCs
pid | Process
2952 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
2952 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe

resource | yara_rule
behavioral1/memory/2952-3-0x0000000000400000-0x00000000004F8000-memory.dmp | upx
behavioral1/memory/2952-18-0x0000000000400000-0x00000000004F8000-memory.dmp | upx
behavioral1/memory/2720-25-0x0000000000400000-0x00000000004F8000-memory.dmp | upx
behavioral1/memory/2720-29-0x0000000000400000-0x00000000004F8000-memory.dmp | upx
behavioral1/memory/2720-38-0x0000000000400000-0x00000000004F8000-memory.dmp | upx

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fF01831DfIeL01831 = "C:\\ProgramData\\fF01831DfIeL01831\\fF01831DfIeL01831.exe" | fF01831DfIeL01831.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | fF01831DfIeL01831.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2952 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
Token: SeDebugPrivilege | 2720 | fF01831DfIeL01831.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2720 | fF01831DfIeL01831.exe
2720 | fF01831DfIeL01831.exe

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
2720 | fF01831DfIeL01831.exe
2720 | fF01831DfIeL01831.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2720 | fF01831DfIeL01831.exe
2720 | fF01831DfIeL01831.exe

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2952 wrote to memory of 2720 | 2952 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe | 28
PID 2952 wrote to memory of 2720 | 2952 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe | 28
PID 2952 wrote to memory of 2720 | 2952 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe | 28
PID 2952 wrote to memory of 2720 | 2952 | 5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe | 28
Processes

C:\Users\Admin\AppData\Local\Temp\5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2952

    C:\ProgramData\fF01831DfIeL01831\fF01831DfIeL01831.exe (child of PID 2952)
    Command line: "C:\ProgramData\fF01831DfIeL01831\fF01831DfIeL01831.exe" "C:\Users\Admin\AppData\Local\Temp\5c8fcc613c5aafd53123746456bc9726f3cd2c74e269f2f41df80aa6a87bf634.exe"
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 2720
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 192B
MD5: 7760361d8d486c8c1233bda7ce4ca5cd
SHA1: 7f83a223493d94799398745565f72f6d61051258
SHA256: 44ef8bfc6e157bc20ba5f33469ef3dbd8837a6770c2c3460b6889801a8d4983b
SHA512: 6c1320888b42c1214e1d7f9c5d4336b130fc1b856cc97db348cda6ac771f2f2ac939f09efe12f6ea577602d9cee4aae7d98d500bc7506e11c6ed4fb6858f2874

Filesize: 418KB
MD5: cdf7e90a508a1c306ebbdd65f478cf9d
SHA1: 22058a92e46dc1c7820653088c0d92178a88d9ff
SHA256: 269cf4fd2aa75249e44bec32f938fcf2bdd4df02859547b2acae757f1ec624ca
SHA512: 078bae1def4fd110e59700e8e1e46951d73d05507f2662ac2dbad87414c51c2d525b15a67f2e98073f95c2bac6364b82dbed0cdd18a171336e55f8950387f63e