0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
Size

88KB
MD5

ae8f1df7db72ab5b597d78ab00c4f664
SHA1

2256d81dc7cbd686567cd2304023699934755d41
SHA256

0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453
SHA512

e7181075975ed268a65a8dfb09ee048a055483714518cbd1ed82b3c0715923f376dbc9f63f118625d8bada0c0cb4217919c2410ccfcc7b1703f1f98d0987d103
SSDEEP

1536:ahUDofByDJWbMGcEFLPEPKOJUsy1+VMA:aIofBHbKMP0PvMA

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/2396-142-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2396-141-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2396-140-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2396-137-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2396-317-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1076-337-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2504	explorer.exe
1076	explorer.exe
2944	explorer.exe
2908	explorer.exe

Loads dropped DLL 7 IoCs

pid	Process
2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
2504	explorer.exe
2504	explorer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-135-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2396-142-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2396-141-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2396-140-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2396-137-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2396-317-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1076-337-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Video Driver = "C:\\Users\\Admin\\AppData\\Roaming\\config\\explorer.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 2396	2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	28
PID 2504 set thread context of 1076	2504	explorer.exe	33
PID 2504 set thread context of 2944	2504	explorer.exe	34
PID 2944 set thread context of 2908	2944	explorer.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe
Token: SeDebugPrivilege	1076	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
2504	explorer.exe
1076	explorer.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2396	2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	28
PID 2432 wrote to memory of 2396	2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	28
PID 2432 wrote to memory of 2396	2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	28
PID 2432 wrote to memory of 2396	2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	28
PID 2432 wrote to memory of 2396	2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	28
PID 2432 wrote to memory of 2396	2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	28
PID 2432 wrote to memory of 2396	2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	28
PID 2432 wrote to memory of 2396	2432	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	28
PID 2396 wrote to memory of 2248	2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	29
PID 2396 wrote to memory of 2248	2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	29
PID 2396 wrote to memory of 2248	2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	29
PID 2396 wrote to memory of 2248	2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	29
PID 2248 wrote to memory of 2704	2248	cmd.exe	31
PID 2248 wrote to memory of 2704	2248	cmd.exe	31
PID 2248 wrote to memory of 2704	2248	cmd.exe	31
PID 2248 wrote to memory of 2704	2248	cmd.exe	31
PID 2396 wrote to memory of 2504	2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	32
PID 2396 wrote to memory of 2504	2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	32
PID 2396 wrote to memory of 2504	2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	32
PID 2396 wrote to memory of 2504	2396	0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe	32
PID 2504 wrote to memory of 1076	2504	explorer.exe	33
PID 2504 wrote to memory of 1076	2504	explorer.exe	33
PID 2504 wrote to memory of 1076	2504	explorer.exe	33
PID 2504 wrote to memory of 1076	2504	explorer.exe	33
PID 2504 wrote to memory of 1076	2504	explorer.exe	33
PID 2504 wrote to memory of 1076	2504	explorer.exe	33
PID 2504 wrote to memory of 1076	2504	explorer.exe	33
PID 2504 wrote to memory of 1076	2504	explorer.exe	33
PID 2504 wrote to memory of 2944	2504	explorer.exe	34
PID 2504 wrote to memory of 2944	2504	explorer.exe	34
PID 2504 wrote to memory of 2944	2504	explorer.exe	34
PID 2504 wrote to memory of 2944	2504	explorer.exe	34
PID 2504 wrote to memory of 2944	2504	explorer.exe	34
PID 2504 wrote to memory of 2944	2504	explorer.exe	34
PID 2504 wrote to memory of 2944	2504	explorer.exe	34
PID 2504 wrote to memory of 2944	2504	explorer.exe	34
PID 2944 wrote to memory of 2908	2944	explorer.exe	35
PID 2944 wrote to memory of 2908	2944	explorer.exe	35
PID 2944 wrote to memory of 2908	2944	explorer.exe	35
PID 2944 wrote to memory of 2908	2944	explorer.exe	35
PID 2944 wrote to memory of 2908	2944	explorer.exe	35
PID 2944 wrote to memory of 2908	2944	explorer.exe	35
PID 2944 wrote to memory of 2908	2944	explorer.exe	35
PID 2944 wrote to memory of 2908	2944	explorer.exe	35

C:\Users\Admin\AppData\Local\Temp\0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
"C:\Users\Admin\AppData\Local\Temp\0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe
  "C:\Users\Admin\AppData\Local\Temp\0e61a1dd0f40778656a0c365121eff1ee1322f3af79f9789bee205e4e85ff453.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\CWBXL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Video Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\config\explorer.exe" /f
      4⤵
      Adds Run key to start application
      PID:2704
- - C:\Users\Admin\AppData\Roaming\config\explorer.exe
    "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1076
  - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
      "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Users\Admin\AppData\Roaming\config\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\config\explorer.exe"
        5⤵
        Executes dropped EXE
        
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CWBXL.bat

Filesize
149B

MD5
fc1798b7c7938454220fda837a76f354

SHA1
b232912930b2bc24ff18bf7ecd58f872bbe01ea0

SHA256
7f0a5917b5aca9c5beb153aad0ef95bf0aeafb83768da5b086c3f029ba42d7c8

SHA512
d1abdd45a8e5d33893b9d19424174a07feed145d2e6b4be318ab5fde503f850579a4a101a010f30e16ecde2c7123f45357a8341214655321ee0f0097ca911331

Download Submit
\Users\Admin\AppData\Roaming\config\explorer.exe

Filesize
88KB

MD5
0553284c5cdcb6b619e2fd3a9356231b

SHA1
540ad6d9a2f0a959477ca53aeb28b0207374effe

SHA256
0800b1d0f7809972702c0b789a1155b15e34a527f81312d222085d7fe007f5e4

SHA512
ef0019a10e8d54fd8800a4d53b36a4178829b741ba9fb487fa2fbd31e910b4ecf0a8bccc417299bcaa4d06d87102f552f9111ded95dd6130608c69db3f61c3f5

Download Submit
memory/1076-337-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2396-139-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2396-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2396-317-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2396-140-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2396-141-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2396-142-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2396-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2396-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2432-131-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2432-132-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2432-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2432-83-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2432-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2432-85-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2432-86-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2432-87-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2432-84-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2432-88-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2944-314-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2944-329-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads