5b731e23be406f4b0e0908bccfba25798fa5fff5695191de760fe385a538688b

Analysis

max time kernel
1800s
max time network
1559s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fuck you.exe
Size

370KB
MD5

b8d68920aeadab481011b4f4519a8d39
SHA1

6284d4a622115d6721678e1204e7f4477575e2ae
SHA256

0159d20f5ea1df6d03d6cff8729b7e90e064ceb7caf05b6c0ce220d8bbdf38b2
SHA512

a03a3e6a6426aa472c71b605a57868a40119fa6dd5bbcee8100133b07995fcd7d364c5fc671f6b4e6cac77ebda4f8a1078b91d174946424404370f8358d1db9f
SSDEEP

6144:v0hwqmfHn/RN16uuToftAMs62LCkDnQ0eDQjizMVCiEzlc7R/0AnwWOwbITaxoSa:vwmP/xETSm1DhQeiiEzW/tvVwCoSa

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cE02400JbPbP02400.exe

pid process

2764 cE02400JbPbP02400.exe
Executes dropped EXE 1 IoCs

Processes:

cE02400JbPbP02400.exe

pid process

2764 cE02400JbPbP02400.exe
Loads dropped DLL 1 IoCs

Processes:

fuck you.exe

pid process

1040 fuck you.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral13/memory/1040-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/1040-8-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
\ProgramData\cE02400JbPbP02400\cE02400JbPbP02400.exe	upx
behavioral13/memory/1040-16-0x0000000002AB0000-0x0000000002B7D000-memory.dmp	upx
behavioral13/memory/2764-17-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-19-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-22-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/1040-21-0x0000000000400000-0x00000000004BF000-memory.dmp	upx
behavioral13/memory/1040-20-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-31-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-40-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-70-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-76-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-82-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-90-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-91-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-92-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-93-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-94-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-95-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-96-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-97-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-98-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral13/memory/2764-99-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cE02400JbPbP02400.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cE02400JbPbP02400 = "C:\\ProgramData\\cE02400JbPbP02400\\cE02400JbPbP02400.exe"	cE02400JbPbP02400.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cE02400JbPbP02400.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	cE02400JbPbP02400.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fuck you.execE02400JbPbP02400.exe

pid	process
1040	fuck you.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cE02400JbPbP02400.exe

pid process

2764 cE02400JbPbP02400.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fuck you.execE02400JbPbP02400.exe

description pid process

Token: SeDebugPrivilege 1040 fuck you.exe
Token: SeDebugPrivilege 2764 cE02400JbPbP02400.exe

description	pid	process
Token: SeDebugPrivilege	1040	fuck you.exe
Token: SeDebugPrivilege	2764	cE02400JbPbP02400.exe

Suspicious use of FindShellTrayWindow 23 IoCs

Processes:

cE02400JbPbP02400.exe

pid	process
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

cE02400JbPbP02400.exe

pid	process
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe
2764	cE02400JbPbP02400.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cE02400JbPbP02400.exe

pid process

2764 cE02400JbPbP02400.exe
2764 cE02400JbPbP02400.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fuck you.exe

description	pid	process	target process
PID 1040 wrote to memory of 2764	1040	fuck you.exe	cE02400JbPbP02400.exe
PID 1040 wrote to memory of 2764	1040	fuck you.exe	cE02400JbPbP02400.exe
PID 1040 wrote to memory of 2764	1040	fuck you.exe	cE02400JbPbP02400.exe
PID 1040 wrote to memory of 2764	1040	fuck you.exe	cE02400JbPbP02400.exe

C:\Users\Admin\AppData\Local\Temp\fuck you.exe
"C:\Users\Admin\AppData\Local\Temp\fuck you.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\ProgramData\cE02400JbPbP02400\cE02400JbPbP02400.exe
"C:\ProgramData\cE02400JbPbP02400\cE02400JbPbP02400.exe" "C:\Users\Admin\AppData\Local\Temp\fuck you.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cE02400JbPbP02400\cE02400JbPbP02400
Filesize
192B

MD5
5db34f99ae8d4f141276596593889629

SHA1
b5cdc0859d99b3f3f9376e8b65ba9c3f72851b70

SHA256
4ff7a522f41ba8d55537a6b0252884bc6ec645ff7d68dfed103efff2e7ac2ada

SHA512
898245249477d69045161ffc00b11b08a267b48152f2b3974baef2082f3dfee5f6e9aecd7112680aee6a97daac687f9e565f452db1b0a61ed3d1744b39586c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tC246.tmp
Filesize
3.5MB

MD5
a37e474789756594bdaf689e3f9c0a87

SHA1
7a2f47142666a30d4995c3b5419f0621e567e347

SHA256
1ee797d0747101c3683336f2ccb145b540583f1a884ef18218651592159e473a

SHA512
437603036ebb17be28b85617903cb2ae3c3ccdf4894323100f28f5127134815c0282ec75f1bba6745af474f8e235da7453252882af69ec52313f6de3f3433375

Download Submit
\ProgramData\cE02400JbPbP02400\cE02400JbPbP02400.exe
Filesize
370KB

MD5
268f7a5fe1a75960c8f738937001f8d2

SHA1
9a98144997f8690757cf4d7d26f7fbe7768f6f90

SHA256
21f985e22da852adc2e19c474cd35332bb0850d6f1bb45a1a028b8d048dd6a9e

SHA512
7c833c72ba8c4acd5a981ff6e6ebdb2d4fe859963e994ca5847b28a2f7a4368f4d808e6d6b248ae3e7bc20dfa9b5445efc145fb36c90e6e8225bb9e8fd37b30b

Download Submit
memory/1040-20-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1040-2-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1040-1-0x00000000025B0000-0x0000000002655000-memory.dmp

Filesize
660KB

Download
memory/1040-8-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1040-16-0x0000000002AB0000-0x0000000002B7D000-memory.dmp

Filesize
820KB

Download
memory/1040-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1040-21-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2764-70-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-92-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-31-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-40-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-19-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-76-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-82-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-90-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-91-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-93-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-94-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-95-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-96-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-97-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-98-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-99-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2764-17-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download