030286c644fbce13cd6ee1db5aafc0523335b2d802d1c83be3c50128461803f9

Analysis

max time kernel
111s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 22:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a983d327b83dfc2960c3cc5fa9dd740N.exe
Size

657KB
MD5

1a983d327b83dfc2960c3cc5fa9dd740
SHA1

aa41c507d66b0d2fb6423e6d087290355518ad82
SHA256

030286c644fbce13cd6ee1db5aafc0523335b2d802d1c83be3c50128461803f9
SHA512

c2e19a352db85b58c66c15397592d3cb49defca7ac340771ecd6b82c6cbd5b10a8089860327dba2f0717194a49ba6377dee41ba2977ea5eebfe4051cfc4d5e4a
SSDEEP

12288:HP7JHPmS1saOIYscP0G3QhyRxiwUazwHJem7OzwHJe0Ihf+:VeSekYsnG3QUi1gwpemIwpel2

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe fsb.exe"	tmp259442127.exe

Executes dropped EXE 2 IoCs

pid	Process
1572	tmp259442127.exe
2164	tmp259442142.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	1a983d327b83dfc2960c3cc5fa9dd740N.exe
2200	1a983d327b83dfc2960c3cc5fa9dd740N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-1-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2200-13-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0002000000011c9d-22.dat	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsb.stb	tmp259442127.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp259442127.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp259442127.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE-	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	tmp259442127.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\keytool.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\unpack200.exe-	tmp259442127.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe	tmp259442127.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe-	tmp259442127.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	tmp259442127.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	tmp259442127.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	tmp259442127.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe-	tmp259442127.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\ssvagent.exe	tmp259442127.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE-	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe-	tmp259442127.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\servertool.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	tmp259442127.exe
File created	C:\Program Files\7-Zip\Uninstall.exe-	tmp259442127.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jre7\bin\pack200.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe-	tmp259442127.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	tmp259442127.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe-	tmp259442127.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe-	tmp259442127.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	tmp259442127.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe-	tmp259442127.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1572	2200	1a983d327b83dfc2960c3cc5fa9dd740N.exe	28
PID 2200 wrote to memory of 1572	2200	1a983d327b83dfc2960c3cc5fa9dd740N.exe	28
PID 2200 wrote to memory of 1572	2200	1a983d327b83dfc2960c3cc5fa9dd740N.exe	28
PID 2200 wrote to memory of 1572	2200	1a983d327b83dfc2960c3cc5fa9dd740N.exe	28

C:\Users\Admin\AppData\Local\Temp\1a983d327b83dfc2960c3cc5fa9dd740N.exe
"C:\Users\Admin\AppData\Local\Temp\1a983d327b83dfc2960c3cc5fa9dd740N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\tmp259442127.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259442127.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:1572
- C:\Users\Admin\AppData\Local\Temp\tmp259442142.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259442142.exe
  2⤵
  - Executes dropped EXE
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
607KB

MD5
fc551551bea53be5a20eadba2933017e

SHA1
da33353898c95eb131525f79f86298ef8009610a

SHA256
c3a4b2848df1d6eac3195e88270aafcb869d496499ac919fd0f1af8320b0c1e5

SHA512
981bebc08a22d0a9556fbb79d645b16d59ced62147ce294bb0b475324080a9f665c8f04d326fa422b1488576b7f150ecb1d477b43f6dedefdb7fef3c7b7fe64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp259442142.exe

Filesize
594KB

MD5
9aff78f93ffd420237710830b3aa5aef

SHA1
40ebc342494ea5cd8ee9e6d4be71ff2411c79dee

SHA256
1f1ec6128132297e0265cc2eb7ff1f32a646e840f7fc6d4924b30cfb1a4cddd2

SHA512
af543cbff7ba3267e8ef1c1083e0c7da8fca34be566da9b7f40fdae8ce5003a26bd0cb50440c8113bec5be491e861e5c464f62251169506e70d41b57c45127d0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp259442127.exe

Filesize
52KB

MD5
0a1d6e79f961e16f4c0a02bb3bc54317

SHA1
555a04c4b4f004441716669aaf75a942c3cb201d

SHA256
b45af0a8193c9a5c232361c8b1caee63407b0c24e7bf22535c2aabb476f6d149

SHA512
1ddaa6a9a4202f489d85109c6bd4ae7654ef6c5b3d8c2125a71bb9541b9c9becf4097a9c236466b053c226b102abb5d7f1611d47de398713ce99bf82b08093b3

Download Submit
memory/1572-1646-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1572-1647-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1572-1650-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1572-1654-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2200-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2200-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads