70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783

Analysis

max time kernel
249s
max time network
296s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe
Size

2.9MB
MD5

80958a4b85453f4df82ec131554a5412
SHA1

44cefe96467895934ec9d1c2461036704c971458
SHA256

70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783
SHA512

cab01e1d63b4ff9a8d35c48fddd18b0959068510b1ca0e66997ed2d59a34b8903f23d3b3736180b52130a325eda3665f9babe2dcad91308f16526e8812fee1c8
SSDEEP

49152:jF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPU4eaw1GfNOmdxPXFZ:XroA7PBfDt1yOcqtd

Score

8^/10

execution persistence upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1972	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2328	FRaqbC8wSA1XvpFVjCRGryWt.exe
1188	IIZS2TRqf69aZbLAX3cf3edn.exe
2820	HM3SOlbpH71yEXUIEAOeIiGX.exe
3044	ix4A2DreBBsQwY6YHkidcDjo.exe
1920	YAPNXRPmcarcR4ZDgC81Tbdk.exe
608	SmLAztxc1o8yfogkJXrRjbDt.exe
1504	mswabnet.exe

Loads dropped DLL 7 IoCs

pid	Process
2660	wab.exe
2660	wab.exe
2660	wab.exe
2660	wab.exe
2660	wab.exe
2660	wab.exe
2660	wab.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015406-34.dat	upx
behavioral1/memory/2328-38-0x000000013FB50000-0x000000013FE20000-memory.dmp	upx
behavioral1/memory/2820-52-0x000000013F5F0000-0x000000013F8C0000-memory.dmp	upx
behavioral1/memory/3044-59-0x000000013F860000-0x000000013FB30000-memory.dmp	upx
behavioral1/memory/1920-66-0x000000013F0C0000-0x000000013F390000-memory.dmp	upx
behavioral1/memory/1920-81-0x000000013F0C0000-0x000000013F390000-memory.dmp	upx
behavioral1/memory/3044-82-0x000000013F860000-0x000000013FB30000-memory.dmp	upx
behavioral1/memory/2328-83-0x000000013FB50000-0x000000013FE20000-memory.dmp	upx
behavioral1/memory/2820-84-0x000000013F5F0000-0x000000013F8C0000-memory.dmp	upx
behavioral1/memory/2660-86-0x00000000037A0000-0x0000000003A70000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Network Agent = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Network Agent\\mswabnet.exe\""	SmLAztxc1o8yfogkJXrRjbDt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs regedit.exe 1 IoCs

pid	Process
2724	regedit.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	608	SmLAztxc1o8yfogkJXrRjbDt.exe
Token: SeDebugPrivilege	1504	mswabnet.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1972	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	29
PID 3032 wrote to memory of 1972	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	29
PID 3032 wrote to memory of 1972	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	29
PID 3032 wrote to memory of 2724	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	31
PID 3032 wrote to memory of 2724	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	31
PID 3032 wrote to memory of 2724	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	31
PID 3032 wrote to memory of 2724	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	31
PID 3032 wrote to memory of 2724	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	31
PID 3032 wrote to memory of 2724	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	31
PID 3032 wrote to memory of 2724	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	31
PID 3032 wrote to memory of 2724	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	31
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 3032 wrote to memory of 2660	3032	70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe	32
PID 2660 wrote to memory of 2328	2660	wab.exe	34
PID 2660 wrote to memory of 2328	2660	wab.exe	34
PID 2660 wrote to memory of 2328	2660	wab.exe	34
PID 2660 wrote to memory of 2328	2660	wab.exe	34
PID 2660 wrote to memory of 1188	2660	wab.exe	36
PID 2660 wrote to memory of 1188	2660	wab.exe	36
PID 2660 wrote to memory of 1188	2660	wab.exe	36
PID 2660 wrote to memory of 1188	2660	wab.exe	36
PID 2660 wrote to memory of 2820	2660	wab.exe	37
PID 2660 wrote to memory of 2820	2660	wab.exe	37
PID 2660 wrote to memory of 2820	2660	wab.exe	37
PID 2660 wrote to memory of 2820	2660	wab.exe	37
PID 2660 wrote to memory of 3044	2660	wab.exe	39
PID 2660 wrote to memory of 3044	2660	wab.exe	39
PID 2660 wrote to memory of 3044	2660	wab.exe	39
PID 2660 wrote to memory of 3044	2660	wab.exe	39
PID 2660 wrote to memory of 1920	2660	wab.exe	42
PID 2660 wrote to memory of 1920	2660	wab.exe	42
PID 2660 wrote to memory of 1920	2660	wab.exe	42
PID 2660 wrote to memory of 1920	2660	wab.exe	42
PID 2660 wrote to memory of 608	2660	wab.exe	44
PID 2660 wrote to memory of 608	2660	wab.exe	44
PID 2660 wrote to memory of 608	2660	wab.exe	44
PID 2660 wrote to memory of 608	2660	wab.exe	44
PID 608 wrote to memory of 1504	608	SmLAztxc1o8yfogkJXrRjbDt.exe	45
PID 608 wrote to memory of 1504	608	SmLAztxc1o8yfogkJXrRjbDt.exe	45
PID 608 wrote to memory of 1504	608	SmLAztxc1o8yfogkJXrRjbDt.exe	45

C:\Users\Admin\AppData\Local\Temp\70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe
"C:\Users\Admin\AppData\Local\Temp\70afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe"
  2⤵
  - Runs regedit.exe
  PID:2724
- C:\Program Files (x86)\Windows Mail\wab.exe
  "C:\Program Files (x86)\Windows Mail\wab.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
    "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"
    3⤵
    - Executes dropped EXE
    PID:2328
- - C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
    "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
    3⤵
    - Executes dropped EXE
    PID:1188
- - C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe
    "C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe"
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe
    "C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe"
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe
    "C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe"
    3⤵
    - Executes dropped EXE
    PID:1920
- - C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe
    "C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe

Filesize
1.4MB

MD5
fe3f1a17359c69cbdd0572a86e7f1f04

SHA1
f81d2d798a8b92d8313d60d1536fa6b59b0634d2

SHA256
28681dc720f47253cdc952621192d3753c8daf5a2c01803c4ab1560f449d500a

SHA512
d26db6aecc04a1c43cfb97cb96f570d309b7b678453df449be7b97836beb5167ca57463f6a7de2e489ee5e3dbccb10f986247d620e2c434b5d212da01981901e

Download Submit
\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe

Filesize
1.0MB

MD5
18b80be4ccf569476db98955ad019621

SHA1
2c160dc5cd238d9d7f0ca4b4a6419eacb4d6a76b

SHA256
df4be4cd1353fcc4da27d21950f9080647884f8985cac8a5c54cc8f5fd2a843c

SHA512
59565a2a19b8530dd15ac855d361ff7da9e534511787ee296f2e33aad87ebd3141b6e3e0bdd10a34482c0f60bfd644dc5ac11913650998ad6ab84c8f5b2a179f

Download Submit
\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

Filesize
1.1MB

MD5
2053217d23f13b47a2801d33e767b72f

SHA1
cb40b186c36a272ab43d57e8c65b1aefc8d5d439

SHA256
dbaa899681f00b7d5852a0273afedc5e8fc6a81296a82d12c2fd8c6893461c85

SHA512
98327755c07d5a0fbff900e0d51c1602a88ee0b8cb4163fe40a793a4833c2df8ecade1583045585ea9ee4a17a870e354dd91038fb0d16f7c2cf64ef23c036b4f

Download Submit
memory/608-73-0x00000000002D0000-0x0000000000432000-memory.dmp

Filesize
1.4MB

Download
memory/1504-79-0x0000000000A30000-0x0000000000B92000-memory.dmp

Filesize
1.4MB

Download
memory/1920-66-0x000000013F0C0000-0x000000013F390000-memory.dmp

Filesize
2.8MB

Download
memory/1920-81-0x000000013F0C0000-0x000000013F390000-memory.dmp

Filesize
2.8MB

Download
memory/1972-4-0x000007FEF5DCE000-0x000007FEF5DCF000-memory.dmp

Filesize
4KB

Download
memory/1972-9-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-11-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-15-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-8-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1972-6-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1972-7-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2328-83-0x000000013FB50000-0x000000013FE20000-memory.dmp

Filesize
2.8MB

Download
memory/2328-38-0x000000013FB50000-0x000000013FE20000-memory.dmp

Filesize
2.8MB

Download
memory/2660-16-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2660-65-0x00000000037A0000-0x0000000003A70000-memory.dmp

Filesize
2.8MB

Download
memory/2660-58-0x00000000037A0000-0x0000000003A70000-memory.dmp

Filesize
2.8MB

Download
memory/2660-37-0x00000000037A0000-0x0000000003A70000-memory.dmp

Filesize
2.8MB

Download
memory/2660-12-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2660-14-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2660-85-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2660-86-0x00000000037A0000-0x0000000003A70000-memory.dmp

Filesize
2.8MB

Download
memory/2660-87-0x00000000037A0000-0x0000000003A70000-memory.dmp

Filesize
2.8MB

Download
memory/2820-52-0x000000013F5F0000-0x000000013F8C0000-memory.dmp

Filesize
2.8MB

Download
memory/2820-84-0x000000013F5F0000-0x000000013F8C0000-memory.dmp

Filesize
2.8MB

Download
memory/3044-59-0x000000013F860000-0x000000013FB30000-memory.dmp

Filesize
2.8MB

Download
memory/3044-82-0x000000013F860000-0x000000013FB30000-memory.dmp

Filesize
2.8MB

Download