Analysis

- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 01:40
Static task: static1
Behavioral task: behavioral1 (sample 470822d9688c7dbebfbdf0a27749a520.exe, resource win7-20240611-en)
Behavioral task: behavioral2 (sample 470822d9688c7dbebfbdf0a27749a520.exe, resource win10v2004-20240611-en)

The signatures, memory dumps and process tree below are from behavioral1 (Windows 7 x64). The arch:x86 tag and the SysWOW64 image paths in the process tree show the sample runs as a 32-bit process.
General

- Target: 470822d9688c7dbebfbdf0a27749a520.exe
- Size: 131KB
- MD5: 470822d9688c7dbebfbdf0a27749a520
- SHA1: c811f9a8a40b8d854dd9b4247f939d0e0f0970f8
- SHA256: 98cfa4a514a53938fe48a4cd1466acdac9cad38340cffbe755139dd69c6f5860
- SHA512: 094c5099d7382d8bd11ab1f20f3ff36d44ec8d14baa859fd940b9621f8f4b093350922309663e275d2b5da21f24134924a176335a24f6096bdae06ae3265c1fd
- SSDEEP: 3072:aEboFVlGAvwsgbpvYfMTc72L10fPsout6nn:5BzsgbpvnTcyOPsoS6nn
Malware Config
Signatures

Deletes itself (1 IoC)
  PID 2648 svchost.exe

Executes dropped EXE (1 IoC)
  PID 1628 KVEIF.jpg

Loads dropped DLL (4 IoCs)
  PID 1948 470822d9688c7dbebfbdf0a27749a520.exe
  PID 2648 svchost.exe
  PID 1628 KVEIF.jpg
  PID 1560 dllhost.exe
UPX packed file (yara rule upx, 31 IoCs)
  PID 1948 470822d9688c7dbebfbdf0a27749a520.exe, region 0x0000000000220000-0x0000000000275000
    dumps behavioral1/memory/1948-N-0x0000000000220000-0x0000000000275000-memory.dmp for N = 2, 4, 5, 8, 9, 11, 13, 15, 17, 20, 22, 23, 25, 27, 29, 31, 32, 33
  PID 2648 svchost.exe, region 0x00000000000F0000-0x0000000000145000
    dumps behavioral1/memory/2648-N-0x00000000000F0000-0x0000000000145000-memory.dmp for N = 78, 79, 81, 83, 85, 87, 89, 91, 94, 95, 97, 99, 101
  Both regions are 0x55000 bytes and both match the upx rule: a UPX-packed image of the same size sits in the sample's own address space and in svchost.exe (PID 2648), the process the sample writes into and re-targets with SetThreadContext below. That is consistent with the sample's image being copied into the hollowed host rather than svchost.exe loading a packed module of its own.
Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\kernel64.dll (470822d9688c7dbebfbdf0a27749a520.exe)
  File opened for modification: C:\Windows\SysWOW64\kernel64.dll (470822d9688c7dbebfbdf0a27749a520.exe)
  kernel64.dll is not a Windows component name (the legitimate files are kernel32.dll and kernelbase.dll), so a file by that name under SysWOW64 is a direct artifact of this sample to hunt for.
Suspicious use of SetThreadContext (2 IoCs)
  PID 1948 (470822d9688c7dbebfbdf0a27749a520.exe) set thread context of PID 2648 (svchost.exe)
  PID 1628 (KVEIF.jpg) set thread context of PID 1560 (dllhost.exe)
Drops file in Program Files directory (24 IoCs)
  Two drop directories are used: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\ (every file below unless a full path is given) and C:\Program Files\Common Files\Microsoft\1D11D1B\, which holds the copy of KVEIF.jpg that is later executed (see the process tree).

  470822d9688c7dbebfbdf0a27749a520.exe (PID 1948)
    File created: KVEIFss1.ini
    File created: KVEIFmain.ini
    File opened for modification: KVEIFmain.ini
    File created: ok.txt
    File created: KVEIF.jpg
    File opened for modification: KVEIF.jpg
    File created: FKC.WYA
  svchost.exe (PID 2648)
    File created: 1D11D1B123.IMD
    File opened for modification: 1D11D1B123.IMD
    File created: $$.tmp
    File opened for modification: $$.tmp
    File created: KVEIFs1.ini
    File opened for modification: KVEIFs5.ini
    File opened for modification: FKC.WYA
    File opened for modification: KVEIF.jpg
    File created: C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg
    File opened for modification: C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg
  KVEIF.jpg (PID 1628)
    File opened for modification: FKC.WYA
    File opened for modification: KVEIFs5.ini
  dllhost.exe (PID 1560)
    File created: KVEIFs5.ini
    File opened for modification: KVEIF.jpg
    File opened for modification: C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg
    File opened for modification: FKC.WYA
    File opened for modification: KVEIFs1.ini
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\web\606C646364636479.tmp (470822d9688c7dbebfbdf0a27749a520.exe)
  File opened for modification: C:\Windows\web\606C646364636479.tmp (470822d9688c7dbebfbdf0a27749a520.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 1628 KVEIF.jpg

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated by all four processes in the chain: PID 1948 470822d9688c7dbebfbdf0a27749a520.exe, PID 2648 svchost.exe, PID 1628 KVEIF.jpg and PID 1560 dllhost.exe; svchost.exe and dllhost.exe account for most of the 64 entries.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2648 svchost.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, enabled repeatedly by PID 1948 470822d9688c7dbebfbdf0a27749a520.exe, PID 2648 svchost.exe, PID 1628 KVEIF.jpg and PID 1560 dllhost.exe.
  SeDebugPrivilege lets a process open system and other users' processes for reading and writing. It is not needed for the child processes this chain creates itself, so its repeated acquisition, together with the process enumeration above, points at interest in other processes on the host.

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1948 (470822d9688c7dbebfbdf0a27749a520.exe) wrote to memory of PID 2648 (svchost.exe): 6 records
  PID 2892 (cmd.exe) wrote to memory of PID 1628 (KVEIF.jpg): 4 records
  PID 1628 (KVEIF.jpg) wrote to memory of PID 1560 (dllhost.exe): 6 records
  The 1948->2648 and 1628->1560 pairs are the same pairs listed under SetThreadContext: each stage writes into a freshly created Windows host process and then redirects its thread, the process-hollowing sequence. The cmd.exe->KVEIF.jpg writes have no matching SetThreadContext and are the writes the sandbox records for ordinary parent-to-child process creation.
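Correlating the SetThreadContext and WriteProcessMemory signatures above, as an added example that is not part of the Triage report or of the sample's own code: the records from both signatures are embedded below as constructed input (copied from this page, one record per line), parsed, and joined on (parent PID, child PID). A pair that shows both memory writes and a thread-context change is reported as a hollowing candidate; a pair with writes only (cmd.exe into KVEIF.jpg) is not. The line format and field order are those of the records above; nothing beyond that is assumed.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed from the report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" records (one record per line, as printed there).
REPORT_EVENTS = """
PID 1948 set thread context of 2648 1948 470822d9688c7dbebfbdf0a27749a520.exe svchost.exe
PID 1628 set thread context of 1560 1628 KVEIF.jpg dllhost.exe
PID 1948 wrote to memory of 2648 1948 470822d9688c7dbebfbdf0a27749a520.exe svchost.exe
PID 1948 wrote to memory of 2648 1948 470822d9688c7dbebfbdf0a27749a520.exe svchost.exe
PID 1948 wrote to memory of 2648 1948 470822d9688c7dbebfbdf0a27749a520.exe svchost.exe
PID 1948 wrote to memory of 2648 1948 470822d9688c7dbebfbdf0a27749a520.exe svchost.exe
PID 1948 wrote to memory of 2648 1948 470822d9688c7dbebfbdf0a27749a520.exe svchost.exe
PID 1948 wrote to memory of 2648 1948 470822d9688c7dbebfbdf0a27749a520.exe svchost.exe
PID 2892 wrote to memory of 1628 2892 cmd.exe KVEIF.jpg
PID 2892 wrote to memory of 1628 2892 cmd.exe KVEIF.jpg
PID 2892 wrote to memory of 1628 2892 cmd.exe KVEIF.jpg
PID 2892 wrote to memory of 1628 2892 cmd.exe KVEIF.jpg
PID 1628 wrote to memory of 1560 1628 KVEIF.jpg dllhost.exe
PID 1628 wrote to memory of 1560 1628 KVEIF.jpg dllhost.exe
PID 1628 wrote to memory of 1560 1628 KVEIF.jpg dllhost.exe
PID 1628 wrote to memory of 1560 1628 KVEIF.jpg dllhost.exe
PID 1628 wrote to memory of 1560 1628 KVEIF.jpg dllhost.exe
PID 1628 wrote to memory of 1560 1628 KVEIF.jpg dllhost.exe
"""

# "PID <pid> <verb> <target pid> <pid again> <image> <target image>"
EVENT_RE = re.compile(
    r"^PID (?P<pid>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<target_image>\S+)$"
)


def parse_events(text: str) -> list[dict]:
    """Parse the report's per-record lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["pid"], e["target"] = int(e["pid"]), int(e["target"])
            events.append(e)
    return events


def find_hollowing(events: list[dict]) -> list[tuple[int, str, int, str, int]]:
    """Return (parent pid, parent image, child pid, child image, write count) for every
    parent/child pair in which the parent both wrote into the child and replaced a thread
    context there. Writes without a SetThreadContext record (cmd.exe -> KVEIF.jpg here)
    are ordinary process creation and are not reported."""
    writes: dict[tuple[int, int], int] = defaultdict(int)
    contexts: dict[tuple[int, int], tuple[str, str]] = {}
    for e in events:
        key = (e["pid"], e["target"])
        if e["verb"] == "wrote to memory of":
            writes[key] += 1
        else:
            contexts[key] = (e["image"], e["target_image"])
    return sorted(
        (ppid, img, cpid, timg, writes[(ppid, cpid)])
        for (ppid, cpid), (img, timg) in contexts.items()
        if writes.get((ppid, cpid), 0) > 0
    )


if __name__ == "__main__":
    for ppid, img, cpid, timg, n in find_hollowing(parse_events(REPORT_EVENTS)):
        print(f"{img} ({ppid}) -> {timg} ({cpid}): {n} writes + SetThreadContext")
```

The same join works on live telemetry (Sysmon does not log SetThreadContext, but an EDR that records thread-context changes and cross-process writes gives the two event types needed); the point is that the write count alone is noisy, and the pair (write, context change) from the same parent to the same child is the signal.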
Processes

C:\Users\Admin\AppData\Local\Temp\470822d9688c7dbebfbdf0a27749a520.exe (PID 1948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\470822d9688c7dbebfbdf0a27749a520.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe (PID 2648, child of PID 1948)
    Command line: C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0
    - Deletes itself
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe (PID 2892; its parent is not shown in the report)
  Command line: cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg (PID 1628, child of PID 2892)
    Command line: "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\dllhost.exe (PID 1560, child of PID 1628)
      Command line: C:\Windows\System32\dllhost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree:
- The host processes are started as C:\Windows\System32\svchost.exe and C:\Windows\System32\dllhost.exe but run from C:\Windows\SysWOW64: the sample is 32-bit, and WOW64 file-system redirection maps System32 to SysWOW64 for it, so the hollowed hosts are the 32-bit copies of those binaries.
- Neither command line is how Windows starts these binaries (services.exe starts svchost.exe with -k <group>; COM starts dllhost.exe with /Processid:{GUID}), and neither parent is services.exe or a COM activation. A rule on svchost.exe or dllhost.exe with a non-standard parent or argument pattern catches both stages.
- KVEIF.jpg is a PE dropped with an image extension (the "Executes dropped EXE" signature fires on it) and is launched through cmd.exe /c call.
- The same 138-character hex argument is forwarded unchanged from svchost.exe (-EMBEDDING) through KVEIF.jpg (-3) to dllhost.exe (-sys).
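Decoding the hex argument carried on the three command lines above, as an added example that is not code from the report or from the sample. The scheme is an observation made from the token itself: hex-decode it, then XOR every byte with 0x01, and it becomes C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA, a file the sample is recorded creating under "Drops file in Program Files directory". The code does not hard-code that key; it brute-forces the single-byte XOR under the stated assumption that the plaintext is a printable Windows drive path, which here yields exactly one candidate. The command lines are constructed from the report (same paths, switches and token).

```python
from __future__ import annotations
import re

# Copied from the report's process tree; the token is identical on all three command lines.
ARG_HEX = ("423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D"
           "4C6862736E726E6775215269607364655D4C52486F676E5D304530304530"
           "435D474A422F565840")

# Constructed from the report's command lines (svchost.exe, KVEIF.jpg, dllhost.exe).
REPORT_CMDLINES = [
    rf"C:\Windows\System32\svchost.exe -EMBEDDING {ARG_HEX} 0",
    rf'"C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 {ARG_HEX}',
    rf"C:\Windows\System32\dllhost.exe -sys {ARG_HEX} 0",
]

# A run of at least 32 hex digits not embedded in a longer hex run.
HEX_TOKEN = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{32,})(?![0-9A-Fa-f])")


def extract_hex_argument(cmdline: str) -> str | None:
    """Return the first long hex token in a command line, or None if there is none."""
    m = HEX_TOKEN.search(cmdline)
    return m.group(1) if m else None


def recover_xor_key(arg_hex: str) -> int | None:
    """Brute-force a single-byte XOR key under the assumption that the plaintext is a
    printable Windows drive path ("X:\\..."). Returns the key only if exactly one fits."""
    raw = bytes.fromhex(arg_hex)
    fits = [k for k in range(256)
            if all(0x20 <= b ^ k < 0x7F for b in raw)
            and re.match(rb"[A-Za-z]:\\", bytes(b ^ k for b in raw))]
    return fits[0] if len(fits) == 1 else None


def decode_argument(arg_hex: str, key: int) -> str:
    """Hex-decode, then XOR every byte with `key`."""
    return bytes(b ^ key for b in bytes.fromhex(arg_hex)).decode("ascii")


def encode_argument(path: str, key: int) -> str:
    """Inverse of decode_argument: the token a different path would produce, e.g. for
    building a command-line string to search for in other runs."""
    return bytes(ord(c) ^ key for c in path).hex().upper()


def decode_report(cmdlines: list[str]) -> dict[str, str]:
    """Map each distinct hex token found in the command lines to its decoded plaintext;
    tokens for which no single key fits the path hypothesis are left out."""
    decoded: dict[str, str] = {}
    for line in cmdlines:
        tok = extract_hex_argument(line)
        if tok and tok not in decoded:
            key = recover_xor_key(tok)
            if key is not None:
                decoded[tok] = decode_argument(tok, key)
    return decoded


if __name__ == "__main__":
    for tok, plain in decode_report(REPORT_CMDLINES).items():
        print(f"key=0x{recover_xor_key(tok):02x}  {plain}")
```

The decoded value tells each stage where FKC.WYA, one of the files the first stage wrote, is located; the report does not show what that file contains, so nothing further is inferred here. Because the key is recovered from the path structure rather than assumed, the same function can be pointed at tokens from other runs of this sample; if the scheme differs there, recover_xor_key returns None instead of a wrong answer.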
Network
MITRE ATT&CK Matrix
Downloads

Artifacts recovered from the run, listed by size and hash only (file names are not present in this report). None of the 131KB entries carries the sample's own MD5 (470822d9688c7dbebfbdf0a27749a520), so none is a byte-identical copy of the original executable.

- Filesize: 131KB
  MD5: ebcf0bcf60b644befacfc8e40735600c
  SHA1: d92b107ad66ceabeb4fa3f37691271798488a6a3
  SHA256: bab0415fbdd7c8be8d09e0b1f7c294d43c64890b72537a67d331fa285eefd94d
  SHA512: d1b29b7ef96c85991b5702081aaee39efd88248c7f71c1ce3fb5ebf8374ace09669866c78e2047f1d43076547e33631cfcd47771df10ab04d06bb60a1444b037

- Filesize: 108KB
  MD5: f697e0c5c1d34f00d1700d6d549d4811
  SHA1: f50a99377a7419185fc269bb4d12954ca42b8589
  SHA256: 1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16
  SHA512: d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

- Filesize: 711B
  MD5: 5b85700764c7f8ed2db3d99aba090ff3
  SHA1: 89521db8d1abb29e082628efdd23c547fa54ef44
  SHA256: ade5e3636e8684f5845c18666a04a6b22d7a0f2631ea268a1aec910857c42e24
  SHA512: 00600e12dc1067eba53760eedfc4f408e88053a87462d55f01478887a9b4095138d471cc186684f0c14f4c2559da978e0ef3f78341910ecf1ca8caac9f67a642

- Filesize: 22B
  MD5: a4ef93de80711124d4b7e080ccf42edb
  SHA1: f4530f5e6d362781fa6dfa4982d25f3ad15dbf99
  SHA256: 9a09d2a2b23760cbc02ab362728b30783f943d90beebbdbd03c4e8b288492d24
  SHA512: 707c5a1a84a1cd490e3e0109c30b32724a69d27021653265bbd838065458e1eea20b470f145612f9ea5486711c47a59dcb515f9625829e63689a89af75901fa2

- Filesize: 72B
  MD5: 7172a23e7e8060e7cd167a832bec182f
  SHA1: de84498a3da758d808860e1ac7306138f67d089a
  SHA256: 71118122eb60159b03ce3fb8a7884e86c9f916857ffe387c5277681f0d3062f7
  SHA512: b1b81013b37a3ad46f4dbc9c6c1e28d29c38c5e1ee8c324cf95855a045e41262cc59f5e33c9e0163243a464b98e6d2a12817e2d5a96fdf704bdfff14883dcd39

- Filesize: 131KB
  MD5: 8b841eca5ac6ffae0da8bb0a9f3c6275
  SHA1: 41f08fdd83524ae6241674c083e15727b35e3236
  SHA256: d62bdf68167974e608b0a04e28c048cc699bc1da7dd7eb7df8d239ef06c5bdac
  SHA512: 1b04bb5f1edb9a1e237eb7a2bfa1c97ffe91b07bc20326d8b6d5bdcf3d405351b1e917a02467f08ec1adb7b10b30b71a8e576621553c91b3a1e253d3eb515451

- Filesize: 1.1MB
  MD5: 9b98d47916ead4f69ef51b56b0c2323c
  SHA1: 290a80b4ded0efc0fd00816f373fcea81a521330
  SHA256: 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
  SHA512: 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94
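Turning the file indicators into a host check, as an added example that is not tooling from the report or the sample: the paths come from the "Drops file in System32 / Program Files / Windows directory" signatures and the SHA256 values from the General section and the Downloads list above. The scanner walks a root (C:\ on a live host, or a mounted evidence image), flags every file at or under a dropped path, and hashes those files against the known set. demo() builds a constructed directory tree with made-up file contents so both match paths can be exercised offline; only genuine artifacts will ever match the real hashes. The directory name 1D11D1B and the hashes are taken from this single run, and the report alone does not show whether they are constant across infections, so treat them as run-specific indicators until confirmed elsewhere.

```python
from __future__ import annotations
import hashlib
from pathlib import Path

# Paths copied from the report's "Drops file in ..." signatures, relative to the system drive.
IOC_RELATIVE_PATHS = [
    r"Windows\SysWOW64\kernel64.dll",
    r"Windows\web\606C646364636479.tmp",
    r"Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B",  # directory holding the 9 dropped files
    r"Program Files\Common Files\Microsoft\1D11D1B",                # directory holding the executed KVEIF.jpg copy
]

# SHA256 of the sample (General section) plus the seven artifacts under Downloads.
IOC_SHA256 = {
    "98cfa4a514a53938fe48a4cd1466acdac9cad38340cffbe755139dd69c6f5860",
    "bab0415fbdd7c8be8d09e0b1f7c294d43c64890b72537a67d331fa285eefd94d",
    "1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16",
    "ade5e3636e8684f5845c18666a04a6b22d7a0f2631ea268a1aec910857c42e24",
    "9a09d2a2b23760cbc02ab362728b30783f943d90beebbdbd03c4e8b288492d24",
    "71118122eb60159b03ce3fb8a7884e86c9f916857ffe387c5277681f0d3062f7",
    "d62bdf68167974e608b0a04e28c048cc699bc1da7dd7eb7df8d239ef06c5bdac",
    "96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b",
}


def _norm(rel: str) -> str:
    """Case-insensitive, forward-slash form so Windows paths compare the same on any OS."""
    return rel.replace("\\", "/").strip("/").lower()


def sha256_of(path: Path) -> str | None:
    """Streaming SHA256; None if the file cannot be read (locked, no access)."""
    h = hashlib.sha256()
    try:
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def scan_host(root: Path, known_hashes: set[str] = IOC_SHA256) -> dict[str, list[str]]:
    """Walk `root` and return "paths" (files at or under an IoC path) and "hashes"
    (the subset of those whose SHA256 is in known_hashes), as normalised relative paths."""
    wanted = [_norm(p) for p in IOC_RELATIVE_PATHS]
    path_hits: list[str] = []
    hash_hits: list[str] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = _norm(str(p.relative_to(root)))
        if any(rel == w or rel.startswith(w + "/") for w in wanted):
            path_hits.append(rel)
            if sha256_of(p) in known_hashes:
                hash_hits.append(rel)
    return {"paths": sorted(path_hits), "hashes": sorted(hash_hits)}


def demo() -> dict[str, list[str]]:
    """Scan a constructed tree (made-up contents) that mimics the drop locations. One
    constructed file's hash is added to the known set so the hash-match branch runs
    without real malware on disk; kernel32.dll is there to show a near-miss is ignored."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    drop = root / "Program Files" / "Common Files" / "Microsoft Shared" / "MSInfo" / "1D11D1B"
    drop.mkdir(parents=True)
    (drop / "KVEIF.jpg").write_bytes(b"MZ constructed placeholder, not the real dropper")
    (root / "Windows" / "SysWOW64").mkdir(parents=True)
    (root / "Windows" / "SysWOW64" / "kernel64.dll").write_bytes(b"constructed")
    (root / "Windows" / "SysWOW64" / "kernel32.dll").write_bytes(b"legitimate name; must not match")
    return scan_host(root, IOC_SHA256 | {sha256_of(drop / "KVEIF.jpg")})


if __name__ == "__main__":
    print(demo())
```

On a live Windows host call scan_host(Path("C:/")); on a mounted image, the mount point. Walking a whole drive is slow, which is why hashing is restricted to files under the IoC paths: a path hit alone is already actionable for kernel64.dll and the 1D11D1B directories, and the hash check then confirms whether the content is the run-specific artifact or a different file that happens to share the name.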