7da433ee6a99f239ef8ef5502a82a91ec1269789393a2e6082d2847bff8d7eb0 | Triage

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 03:39 UTC

Sharing

Report Analysis Logs

General

Target

4ab607520534abe3b33138f97239a5e0N.exe
Size

59KB
MD5

4ab607520534abe3b33138f97239a5e0
SHA1

a4e10c79be645129d086086514cbc394817fec73
SHA256

7da433ee6a99f239ef8ef5502a82a91ec1269789393a2e6082d2847bff8d7eb0
SHA512

14559ca81e476fb259d23136f78a541ab71aeba5f5d2e691c25ff583ae8af56c670b374b30fd10a26b2ea90917e1f524b9893a1f51d5279a17a19d4560fca45a
SSDEEP

1536:3+ZgwRdiE8cO4p1xRjfTvSq5r3ZiIZ4nouy8uh1aQb:OeodiUO4p13b9HiIeoutuh1aQb

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2092	AhnSvc.exe

Loads dropped DLL 2 IoCs

pid	Process
756	4ab607520534abe3b33138f97239a5e0N.exe
756	4ab607520534abe3b33138f97239a5e0N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/756-0-0x0000000000EF0000-0x0000000000F17000-memory.dmp	upx
behavioral1/files/0x00070000000186de-9.dat	upx
behavioral1/memory/2092-10-0x0000000000030000-0x0000000000057000-memory.dmp	upx
behavioral1/memory/756-11-0x0000000000EF0000-0x0000000000F17000-memory.dmp	upx
behavioral1/memory/2092-12-0x0000000000030000-0x0000000000057000-memory.dmp	upx
behavioral1/memory/756-19-0x0000000000EF0000-0x0000000000F17000-memory.dmp	upx
behavioral1/memory/2092-20-0x0000000000030000-0x0000000000057000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AhnUpadate = "\"C:\\ProgramData\\AhnLab\\AhnSvc.exe\" /run"	4ab607520534abe3b33138f97239a5e0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	4ab607520534abe3b33138f97239a5e0N.exe
Token: SeDebugPrivilege	2092	AhnSvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2092	756	4ab607520534abe3b33138f97239a5e0N.exe	30
PID 756 wrote to memory of 2092	756	4ab607520534abe3b33138f97239a5e0N.exe	30
PID 756 wrote to memory of 2092	756	4ab607520534abe3b33138f97239a5e0N.exe	30
PID 756 wrote to memory of 2092	756	4ab607520534abe3b33138f97239a5e0N.exe	30
PID 756 wrote to memory of 2608	756	4ab607520534abe3b33138f97239a5e0N.exe	32
PID 756 wrote to memory of 2608	756	4ab607520534abe3b33138f97239a5e0N.exe	32
PID 756 wrote to memory of 2608	756	4ab607520534abe3b33138f97239a5e0N.exe	32
PID 756 wrote to memory of 2608	756	4ab607520534abe3b33138f97239a5e0N.exe	32

C:\Users\Admin\AppData\Local\Temp\4ab607520534abe3b33138f97239a5e0N.exe
"C:\Users\Admin\AppData\Local\Temp\4ab607520534abe3b33138f97239a5e0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\ProgramData\AhnLab\AhnSvc.exe
  "C:\ProgramData\AhnLab\AhnSvc.exe" /run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\4ab607520534abe3b33138f97239a5e0N.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2608

Network

DNS

www.icoway.net

AhnSvc.exe

Remote address:

8.8.8.8:53

Request

www.icoway.net

IN A

Response
DNS

www.kimc10scom

AhnSvc.exe

Remote address:

8.8.8.8:53

Request

www.kimc10scom

IN A

Response

No results found

8.8.8.8:53

www.icoway.net

dns

AhnSvc.exe

60 B
133 B
1
1

DNS Request

www.icoway.net
8.8.8.8:53

www.kimc10scom

dns

AhnSvc.exe

60 B
135 B
1
1

DNS Request

www.kimc10scom

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AhnLab\AhnSvc.exe

Filesize
59KB

MD5
54ed14cee7a603543cd1a1ecbed8afa5

SHA1
c1c128230aab6bf35d0d7d284b88f62e71f4953c

SHA256
6730a1e88c41fad0ac683823d9e5f8a253a8364de07c2ba5efdb442eb0d30128

SHA512
ca3ab55b8b730627e53827b0df4f00cf5b49fea72dd1e6fb98e66c570cfc8e98c1c05198279cba822c911b296535ec45a0e403c1eb5e1667c2e7b88eafa58efc

Download Submit
memory/756-0-0x0000000000EF0000-0x0000000000F17000-memory.dmp

Filesize
156KB

Download
memory/756-8-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/756-11-0x0000000000EF0000-0x0000000000F17000-memory.dmp

Filesize
156KB

Download
memory/756-15-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/756-16-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/756-19-0x0000000000EF0000-0x0000000000F17000-memory.dmp

Filesize
156KB

Download
memory/2092-10-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/2092-12-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/2092-20-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download