7efd63d0a01848bbd335e50af51ac21bb7654d6e7373e730b3b81dfb4f31a530

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473af2b09ea68fa56f19f779a55e2d60N.exe
Size

328KB
MD5

473af2b09ea68fa56f19f779a55e2d60
SHA1

c9a1250443b5fe9d8cc505e7bc975c9c1b565f97
SHA256

7efd63d0a01848bbd335e50af51ac21bb7654d6e7373e730b3b81dfb4f31a530
SHA512

a1de6aa8ebe74fcdab902efe056b3fadbca3033287407e415f9266e425074a2af7c5653cbb5a66849083f929766750c44ee4737561d54add1f1105fff74bafe4
SSDEEP

6144:J2XgY8FFX7Z6A/P352p4gFs/e8PeAZuon2T5T7UcIGMAQTeJ:J2X1cFx/PAp4ks/e6Fn2dEZGjQSJ

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\conhost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\conhost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
1768	473af2b09ea68fa56f19f779a55e2d60N.exe
556	conhost.exe
1456	conhost.exe
2740	conhost.exe

Loads dropped DLL 6 IoCs

pid	Process
2476	473af2b09ea68fa56f19f779a55e2d60N.exe
1768	473af2b09ea68fa56f19f779a55e2d60N.exe
1768	473af2b09ea68fa56f19f779a55e2d60N.exe
1768	473af2b09ea68fa56f19f779a55e2d60N.exe
1768	473af2b09ea68fa56f19f779a55e2d60N.exe
1768	473af2b09ea68fa56f19f779a55e2d60N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1768-460-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1768-466-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1768-508-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1456-1054-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2740-1065-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1768-1068-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Console Window Host = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\conhost.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 1768	2476	473af2b09ea68fa56f19f779a55e2d60N.exe	31
PID 556 set thread context of 1456	556	conhost.exe	36
PID 556 set thread context of 2740	556	conhost.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2524	reg.exe
2520	reg.exe
2556	reg.exe
2140	reg.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: 1	2740	conhost.exe
Token: SeCreateTokenPrivilege	2740	conhost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	conhost.exe
Token: SeLockMemoryPrivilege	2740	conhost.exe
Token: SeIncreaseQuotaPrivilege	2740	conhost.exe
Token: SeMachineAccountPrivilege	2740	conhost.exe
Token: SeTcbPrivilege	2740	conhost.exe
Token: SeSecurityPrivilege	2740	conhost.exe
Token: SeTakeOwnershipPrivilege	2740	conhost.exe
Token: SeLoadDriverPrivilege	2740	conhost.exe
Token: SeSystemProfilePrivilege	2740	conhost.exe
Token: SeSystemtimePrivilege	2740	conhost.exe
Token: SeProfSingleProcessPrivilege	2740	conhost.exe
Token: SeIncBasePriorityPrivilege	2740	conhost.exe
Token: SeCreatePagefilePrivilege	2740	conhost.exe
Token: SeCreatePermanentPrivilege	2740	conhost.exe
Token: SeBackupPrivilege	2740	conhost.exe
Token: SeRestorePrivilege	2740	conhost.exe
Token: SeShutdownPrivilege	2740	conhost.exe
Token: SeDebugPrivilege	2740	conhost.exe
Token: SeAuditPrivilege	2740	conhost.exe
Token: SeSystemEnvironmentPrivilege	2740	conhost.exe
Token: SeChangeNotifyPrivilege	2740	conhost.exe
Token: SeRemoteShutdownPrivilege	2740	conhost.exe
Token: SeUndockPrivilege	2740	conhost.exe
Token: SeSyncAgentPrivilege	2740	conhost.exe
Token: SeEnableDelegationPrivilege	2740	conhost.exe
Token: SeManageVolumePrivilege	2740	conhost.exe
Token: SeImpersonatePrivilege	2740	conhost.exe
Token: SeCreateGlobalPrivilege	2740	conhost.exe
Token: 31	2740	conhost.exe
Token: 32	2740	conhost.exe
Token: 33	2740	conhost.exe
Token: 34	2740	conhost.exe
Token: 35	2740	conhost.exe
Token: SeDebugPrivilege	1456	conhost.exe
Token: SeDebugPrivilege	1456	conhost.exe
Token: SeDebugPrivilege	1456	conhost.exe
Token: SeDebugPrivilege	1456	conhost.exe
Token: SeDebugPrivilege	1456	conhost.exe
Token: SeDebugPrivilege	1456	conhost.exe
Token: SeDebugPrivilege	1456	conhost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2476	473af2b09ea68fa56f19f779a55e2d60N.exe
1768	473af2b09ea68fa56f19f779a55e2d60N.exe
556	conhost.exe
2740	conhost.exe
2740	conhost.exe
1456	conhost.exe
2740	conhost.exe
2740	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1768	2476	473af2b09ea68fa56f19f779a55e2d60N.exe	31
PID 2476 wrote to memory of 1768	2476	473af2b09ea68fa56f19f779a55e2d60N.exe	31
PID 2476 wrote to memory of 1768	2476	473af2b09ea68fa56f19f779a55e2d60N.exe	31
PID 2476 wrote to memory of 1768	2476	473af2b09ea68fa56f19f779a55e2d60N.exe	31
PID 2476 wrote to memory of 1768	2476	473af2b09ea68fa56f19f779a55e2d60N.exe	31
PID 2476 wrote to memory of 1768	2476	473af2b09ea68fa56f19f779a55e2d60N.exe	31
PID 2476 wrote to memory of 1768	2476	473af2b09ea68fa56f19f779a55e2d60N.exe	31
PID 2476 wrote to memory of 1768	2476	473af2b09ea68fa56f19f779a55e2d60N.exe	31
PID 1768 wrote to memory of 2056	1768	473af2b09ea68fa56f19f779a55e2d60N.exe	32
PID 1768 wrote to memory of 2056	1768	473af2b09ea68fa56f19f779a55e2d60N.exe	32
PID 1768 wrote to memory of 2056	1768	473af2b09ea68fa56f19f779a55e2d60N.exe	32
PID 1768 wrote to memory of 2056	1768	473af2b09ea68fa56f19f779a55e2d60N.exe	32
PID 2056 wrote to memory of 1464	2056	cmd.exe	34
PID 2056 wrote to memory of 1464	2056	cmd.exe	34
PID 2056 wrote to memory of 1464	2056	cmd.exe	34
PID 2056 wrote to memory of 1464	2056	cmd.exe	34
PID 1768 wrote to memory of 556	1768	473af2b09ea68fa56f19f779a55e2d60N.exe	35
PID 1768 wrote to memory of 556	1768	473af2b09ea68fa56f19f779a55e2d60N.exe	35
PID 1768 wrote to memory of 556	1768	473af2b09ea68fa56f19f779a55e2d60N.exe	35
PID 1768 wrote to memory of 556	1768	473af2b09ea68fa56f19f779a55e2d60N.exe	35
PID 556 wrote to memory of 1456	556	conhost.exe	36
PID 556 wrote to memory of 1456	556	conhost.exe	36
PID 556 wrote to memory of 1456	556	conhost.exe	36
PID 556 wrote to memory of 1456	556	conhost.exe	36
PID 556 wrote to memory of 1456	556	conhost.exe	36
PID 556 wrote to memory of 1456	556	conhost.exe	36
PID 556 wrote to memory of 1456	556	conhost.exe	36
PID 556 wrote to memory of 1456	556	conhost.exe	36
PID 556 wrote to memory of 2740	556	conhost.exe	37
PID 556 wrote to memory of 2740	556	conhost.exe	37
PID 556 wrote to memory of 2740	556	conhost.exe	37
PID 556 wrote to memory of 2740	556	conhost.exe	37
PID 556 wrote to memory of 2740	556	conhost.exe	37
PID 556 wrote to memory of 2740	556	conhost.exe	37
PID 556 wrote to memory of 2740	556	conhost.exe	37
PID 556 wrote to memory of 2740	556	conhost.exe	37
PID 2740 wrote to memory of 2892	2740	conhost.exe	38
PID 2740 wrote to memory of 2892	2740	conhost.exe	38
PID 2740 wrote to memory of 2892	2740	conhost.exe	38
PID 2740 wrote to memory of 2892	2740	conhost.exe	38
PID 2740 wrote to memory of 2812	2740	conhost.exe	39
PID 2740 wrote to memory of 2812	2740	conhost.exe	39
PID 2740 wrote to memory of 2812	2740	conhost.exe	39
PID 2740 wrote to memory of 2812	2740	conhost.exe	39
PID 2740 wrote to memory of 2776	2740	conhost.exe	40
PID 2740 wrote to memory of 2776	2740	conhost.exe	40
PID 2740 wrote to memory of 2776	2740	conhost.exe	40
PID 2740 wrote to memory of 2776	2740	conhost.exe	40
PID 2740 wrote to memory of 1084	2740	conhost.exe	41
PID 2740 wrote to memory of 1084	2740	conhost.exe	41
PID 2740 wrote to memory of 1084	2740	conhost.exe	41
PID 2740 wrote to memory of 1084	2740	conhost.exe	41
PID 2776 wrote to memory of 2524	2776	cmd.exe	47
PID 2776 wrote to memory of 2524	2776	cmd.exe	47
PID 2776 wrote to memory of 2524	2776	cmd.exe	47
PID 2776 wrote to memory of 2524	2776	cmd.exe	47
PID 1084 wrote to memory of 2140	1084	cmd.exe	46
PID 1084 wrote to memory of 2140	1084	cmd.exe	46
PID 1084 wrote to memory of 2140	1084	cmd.exe	46
PID 1084 wrote to memory of 2140	1084	cmd.exe	46
PID 2892 wrote to memory of 2520	2892	cmd.exe	48
PID 2892 wrote to memory of 2520	2892	cmd.exe	48
PID 2892 wrote to memory of 2520	2892	cmd.exe	48
PID 2892 wrote to memory of 2520	2892	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe
"C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe
  "C:\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMWNI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Console Window Host" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /f
      4⤵
      Adds Run key to start application
      PID:1464
- - C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1456
  - - C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        
        PID:2812
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Adobe\conhost.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1084
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\conhost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\conhost.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YMWNI.bat

Filesize
154B

MD5
0d0a854e96bddf0e7df7f5f024674226

SHA1
f45ca9c7f935422ddfb0550febdfc7a09baf2d98

SHA256
5bab0b5c3ef8a28a7246854074a5a469c602a10ac803d18f2102399597d35907

SHA512
8b6db387b3bb5774c691bcdd4d9f3a147e1556eee89fe1de929464510c01b14495157c14cbb355fc850b79dee500b8be7ae7a0c3b5ea0916d6eb9154f9ae73a8

Download Submit
\Users\Admin\AppData\Local\Temp\473af2b09ea68fa56f19f779a55e2d60N.exe

Filesize
328KB

MD5
473af2b09ea68fa56f19f779a55e2d60

SHA1
c9a1250443b5fe9d8cc505e7bc975c9c1b565f97

SHA256
7efd63d0a01848bbd335e50af51ac21bb7654d6e7373e730b3b81dfb4f31a530

SHA512
a1de6aa8ebe74fcdab902efe056b3fadbca3033287407e415f9266e425074a2af7c5653cbb5a66849083f929766750c44ee4737561d54add1f1105fff74bafe4

Download Submit
\Users\Admin\AppData\Roaming\Adobe\conhost.exe

Filesize
328KB

MD5
37ed5d5ba72458e5e07eccc17d86ff2f

SHA1
c44ec90c20f3908c20aa51e822462d0a760673a2

SHA256
d312dbf58cbc8be5178590a88855fc7c5585a2b44358ba026ae289ddcc4bfa84

SHA512
5265e40b2cc84a33876817a325424711ffd78b41b40e63e4d3f655d051f06acf40b8b38db9e2aaf3b3cf356f9694f015170d7aacf97c4c9cfc24fa543f186e19

Download Submit
memory/1456-1054-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1768-460-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1768-466-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1768-508-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1768-1068-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2476-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2476-105-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2740-1065-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads