532fbc669ddc236b5c173731e9c25bbdb66c12d16cf080cb06a28c96ef7f3607

Analysis

max time kernel
119s
max time network
21s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19fe4df823b0370d08cd8c3ed31f38b0N.exe
Size

13KB
MD5

19fe4df823b0370d08cd8c3ed31f38b0
SHA1

cf687babc25b0f87028c46a166de0df74b5e3c02
SHA256

532fbc669ddc236b5c173731e9c25bbdb66c12d16cf080cb06a28c96ef7f3607
SHA512

4a166d65be73ba89058af88aab1b0b65038048787223e3a0b7150ae172e61001b9e3393c42ec70d4b942169fec34204f9a26919e8060b93179f744192385560e
SSDEEP

192:pjUWFh4fvYGIQnsA6psQ56uFaNJhLkwcud2DH9VwGfctQEAC5Es9Gsj5Efx8X5dr:5KE7pD/aNJawcudoD7U55Es9GsGyj

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	trys.exe

Loads dropped DLL 5 IoCs

pid	Process
1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe
1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe
1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe
1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe
1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1140-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0005000000017801-25.dat	upx
behavioral1/memory/1140-27-0x0000000001ED0000-0x0000000001EDB000-memory.dmp	upx
behavioral1/memory/2772-44-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1140-47-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2772-48-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ineter Mc = "C:\\Users\\Admin\\AppData\\Roaming\\trys.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe
Token: SeDebugPrivilege	2772	trys.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe
2772	trys.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2884	1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe	30
PID 1140 wrote to memory of 2884	1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe	30
PID 1140 wrote to memory of 2884	1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe	30
PID 1140 wrote to memory of 2884	1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe	30
PID 2884 wrote to memory of 2764	2884	cmd.exe	32
PID 2884 wrote to memory of 2764	2884	cmd.exe	32
PID 2884 wrote to memory of 2764	2884	cmd.exe	32
PID 2884 wrote to memory of 2764	2884	cmd.exe	32
PID 1140 wrote to memory of 2772	1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe	33
PID 1140 wrote to memory of 2772	1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe	33
PID 1140 wrote to memory of 2772	1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe	33
PID 1140 wrote to memory of 2772	1140	19fe4df823b0370d08cd8c3ed31f38b0N.exe	33

C:\Users\Admin\AppData\Local\Temp\19fe4df823b0370d08cd8c3ed31f38b0N.exe
"C:\Users\Admin\AppData\Local\Temp\19fe4df823b0370d08cd8c3ed31f38b0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\APQNW.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Ineter Mc" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\trys.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2764
- C:\Users\Admin\AppData\Roaming\trys.exe
  "C:\Users\Admin\AppData\Roaming\trys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\APQNW.bat

Filesize
135B

MD5
6dbb2090ff90500da05a027765cde190

SHA1
425b833d9d1df8d6df6e5a59f738058808271949

SHA256
71ca0761f7187f2164f62b23d5d9d2dcfd28d9ab9a8dfc14796c3ac06db03881

SHA512
7e4679e04bd5a69c026949a0d2760a630bc02249a04f3bd224dee41d1bf10f0a29e45812a67c583327a63e5401f0ff2aa9a3f4df8233b150943052c97e861ab3

Download Submit
\Users\Admin\AppData\Roaming\trys.exe

Filesize
13KB

MD5
b672c182ce192cd8e26bcd52b2724f91

SHA1
c8efe10545660172d8dfb7df1d9283e66b241391

SHA256
09aea30fc14784c3e520c5bc3644090c61e7089bf780ee377fabff54bcb54a11

SHA512
935e76acbf2e7e866d1546ea879d4c1e15e5db05a75ab77e89de8b8b59422f5ca4d0959d9dfa74cc885fef4c67ad40b15336c9360b3996fe53b4f5f4628bb21d

Download Submit
memory/1140-53-0x0000000001EE0000-0x0000000001EEB000-memory.dmp

Filesize
44KB

Download
memory/1140-27-0x0000000001ED0000-0x0000000001EDB000-memory.dmp

Filesize
44KB

Download
memory/1140-41-0x0000000001EE0000-0x0000000001EEB000-memory.dmp

Filesize
44KB

Download
memory/1140-43-0x0000000001EE0000-0x0000000001EEB000-memory.dmp

Filesize
44KB

Download
memory/1140-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1140-42-0x0000000001EE0000-0x0000000001EEB000-memory.dmp

Filesize
44KB

Download
memory/1140-47-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1140-54-0x0000000001EE0000-0x0000000001EEB000-memory.dmp

Filesize
44KB

Download
memory/1140-51-0x0000000001ED0000-0x0000000001EDB000-memory.dmp

Filesize
44KB

Download
memory/1140-52-0x0000000001EE0000-0x0000000001EEB000-memory.dmp

Filesize
44KB

Download
memory/2772-44-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2772-48-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads