3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 20:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe
Size

233KB
MD5

e29719d3adf28eed2d8ba410872ac962
SHA1

ed6247a21e2e00557e133c1289aca24df2b881d8
SHA256

3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be
SHA512

f419a104c3b010c6691a528d140b690d4d727de7d68dc9823e651a9028c8cee9c4894b91eaf61f9a34ab1e7957a6eb556f91719143b25412fd7f3aa6441b2d95
SSDEEP

6144:xD2JWK2zuqUzN15TMdN/5djkxUEKm/tJajKw:xD2JFYoZmF7kUm/Cj

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
236	PkgMcont.exe
2304	~FAD3.tmp
2732	Disputou.exe

Loads dropped DLL 3 IoCs

pid	Process
1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe
1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe
236	PkgMcont.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontnced = "C:\\Users\\Admin\\AppData\\Roaming\\Netppubw\\PkgMcont.exe"	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Disputou.exe	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
236	PkgMcont.exe
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	236	PkgMcont.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 236	1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	31
PID 1908 wrote to memory of 236	1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	31
PID 1908 wrote to memory of 236	1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	31
PID 1908 wrote to memory of 236	1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	31
PID 236 wrote to memory of 2304	236	PkgMcont.exe	32
PID 236 wrote to memory of 2304	236	PkgMcont.exe	32
PID 236 wrote to memory of 2304	236	PkgMcont.exe	32
PID 236 wrote to memory of 2304	236	PkgMcont.exe	32
PID 2304 wrote to memory of 1360	2304	~FAD3.tmp	21
PID 1908 wrote to memory of 2532	1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	34
PID 1908 wrote to memory of 2532	1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	34
PID 1908 wrote to memory of 2532	1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	34
PID 1908 wrote to memory of 2532	1908	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	34
PID 2532 wrote to memory of 2644	2532	cmd.exe	36
PID 2532 wrote to memory of 2644	2532	cmd.exe	36
PID 2532 wrote to memory of 2644	2532	cmd.exe	36
PID 2532 wrote to memory of 2644	2532	cmd.exe	36

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2644	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1360
- C:\Users\Admin\AppData\Local\Temp\3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe
  "C:\Users\Admin\AppData\Local\Temp\3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Roaming\Netppubw\PkgMcont.exe
    "C:\Users\Admin\AppData\Roaming\Netppubw"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\~FAD3.tmp
      1360 239112 236 1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    /C 259456073.cmd
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe"
      4⤵
      Views/modifies file attributes
      PID:2644

C:\Windows\SysWOW64\Disputou.exe
C:\Windows\SysWOW64\Disputou.exe -s
1⤵
- Executes dropped EXE
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259456073.cmd

Filesize
291B

MD5
6b620a106e65ad01793b41c094db3f7a

SHA1
d8338fed27f9a1367fd2952db385a319c2c72c09

SHA256
b17777b942fd9a860d7c2bb774369390cf39ecc8841b5642d307bdaf151c23d1

SHA512
ac84b9b550e58380d9041b6d860d9628a5da43ce71a37f04b988aee63df9fdf36d6d824685b5b862541f2b34efcc5720392da2e49a7f846b84d2e8afced4da73

Download Submit
\Users\Admin\AppData\Local\Temp\~FAD3.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
\Users\Admin\AppData\Roaming\Netppubw\PkgMcont.exe

Filesize
233KB

MD5
7625144b71d411fcab7213f6ba33050d

SHA1
5755665f69d7e7ffa366cd525e092230c751df1d

SHA256
db4b22345f935119493237fb2f9df9d7c2f7176fa60584b957a3d01e82014e36

SHA512
e0f102a4658052a76de82396588c86f8baf995d3f4e9c53bcba3a840dea2d11efa21a837f795c603fd921c74416e5606c839e8614ced975cd98ad590b80fc5ab

Download Submit
memory/236-16-0x0000000000290000-0x0000000000295000-memory.dmp

Filesize
20KB

Download
memory/236-14-0x0000000000240000-0x0000000000283000-memory.dmp

Filesize
268KB

Download
memory/1360-17-0x00000000025A0000-0x00000000025EA000-memory.dmp

Filesize
296KB

Download
memory/1360-18-0x00000000025A0000-0x00000000025EA000-memory.dmp

Filesize
296KB

Download
memory/1360-27-0x0000000002760000-0x000000000276D000-memory.dmp

Filesize
52KB

Download
memory/1360-26-0x0000000002600000-0x0000000002606000-memory.dmp

Filesize
24KB

Download
memory/1360-25-0x00000000025A0000-0x00000000025EA000-memory.dmp

Filesize
296KB

Download
memory/1908-0-0x0000000000120000-0x0000000000163000-memory.dmp

Filesize
268KB

Download
memory/2732-31-0x0000000000210000-0x0000000000253000-memory.dmp

Filesize
268KB

Download