Analysis
max time kernel: 117s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 08:53
Behavioral task behavioral1
Sample: 9c12a14ea3f1617b973d4fd35c207b70N.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: 9c12a14ea3f1617b973d4fd35c207b70N.exe
Resource: win10v2004-20240709-en
General
Target: 9c12a14ea3f1617b973d4fd35c207b70N.exe
Size: 412KB
MD5: 9c12a14ea3f1617b973d4fd35c207b70
SHA1: f00c46c6dd252b05fa8058cc57b1f900b788aab8
SHA256: dca07c4f0ceb9bd3dd843585b34a6e56e6b9cb2bcb1f29575a20981651fc6d94
SHA512: cd7eee649af5f3cbc80371829c6f3c6e7e2c1420be221507b71df11254cb539c2ff40461ead4e214c8dddd78f41d1227f529f7b6105863db5d16640b4a200917
SSDEEP: 6144:HP5Z08WHPydUjgOo8IRCSV5ITivRuWJy07i41:HPwJHPCUjNo8IdaOASW4
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe fsb.exe" | tmp259489145.exe

Executes dropped EXE (2 IoCs)
pid | Process
2176 | tmp259489145.exe
1980 | tmp259489161.exe

Loads dropped DLL (2 IoCs)
pid | Process
2080 | 9c12a14ea3f1617b973d4fd35c207b70N.exe
2080 | 9c12a14ea3f1617b973d4fd35c207b70N.exe

resource | yara_rule
behavioral1/memory/2080-0-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/files/0x0002000000011c9e-22.dat | upx
behavioral1/memory/2080-19-0x0000000000400000-0x000000000041F000-memory.dmp | upx

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\fsb.stb | tmp259489145.exe
File created | C:\Windows\SysWOW64\fsb.tmp | tmp259489145.exe
File opened for modification | C:\Windows\SysWOW64\fsb.tmp | tmp259489145.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\7-Zip\7zFM.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | tmp259489145.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | tmp259489145.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe- | tmp259489145.exe
File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe- | tmp259489145.exe
File created | C:\Program Files\Mozilla Firefox\crashreporter.exe | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | tmp259489145.exe
File created | C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe- | tmp259489145.exe
File created | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\chrome_installer.exe- | tmp259489145.exe
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe- | tmp259489145.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe- | tmp259489145.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | tmp259489145.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE | tmp259489145.exe
File created | C:\Program Files\Java\jre7\bin\java.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe- | tmp259489145.exe
File created | C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe | tmp259489145.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | tmp259489145.exe
File created | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE | tmp259489145.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | tmp259489145.exe
File created | C:\Program Files\Java\jre7\bin\jp2launcher.exe | tmp259489145.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | tmp259489145.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe- | tmp259489145.exe
File created | C:\Program Files\Mozilla Firefox\updater.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE- | tmp259489145.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | tmp259489145.exe
File created | C:\Program Files\7-Zip\7zG.exe- | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | tmp259489145.exe
File created | C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE- | tmp259489145.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | tmp259489145.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe- | tmp259489145.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | tmp259489145.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | tmp259489145.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | tmp259489145.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\misc.exe | tmp259489145.exe
File created | C:\Program Files\Java\jre7\bin\klist.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe- | tmp259489145.exe
File created | C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\chrome_installer.exe | tmp259489145.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2080 wrote to memory of 2176 | 2080 | 9c12a14ea3f1617b973d4fd35c207b70N.exe | 30
PID 2080 wrote to memory of 2176 | 2080 | 9c12a14ea3f1617b973d4fd35c207b70N.exe | 30
PID 2080 wrote to memory of 2176 | 2080 | 9c12a14ea3f1617b973d4fd35c207b70N.exe | 30
PID 2080 wrote to memory of 2176 | 2080 | 9c12a14ea3f1617b973d4fd35c207b70N.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\9c12a14ea3f1617b973d4fd35c207b70N.exe (depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\9c12a14ea3f1617b973d4fd35c207b70N.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2080
    C:\Users\Admin\AppData\Local\Temp\tmp259489145.exe (depth 2)
        command line: C:\Users\Admin\AppData\Local\Temp\tmp259489145.exe
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        PID: 2176
    C:\Users\Admin\AppData\Local\Temp\tmp259489161.exe (depth 2)
        command line: C:\Users\Admin\AppData\Local\Temp\tmp259489161.exe
        - Executes dropped EXE
        PID: 1980
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 606KB
MD5: 3fb242f57829da61b78907a3fd4eb659
SHA1: 075b6b553ce61073937608287097a788946c5a22
SHA256: 505c8ef77da0e91f628dc0c1cdb0df9f69c0d937cdbdf8e5c555a46c267f3c75
SHA512: 110d69ca0672bb2317b3b03b49efaa104a824717976fc606f1e47985ab449a994028d607cf8b535a6635a64df454b1225f5fe1ca1de79658b0a1093431fda77b

Filesize: 51KB
MD5: fbdfc33d468274c9ab948e717b3e685e
SHA1: 088be89cbee46d293178e22318bcc38db943416d
SHA256: 220dc3842a329caa0a10b1b9be8aa8aea5968dbda687136cf503ad55f4c30734
SHA512: 9fc9df3a5abad69281c9b2e695edf79a29885a80c6bfeb2517fb5c87c1caf9a9e412146545d29ecaaee59da0f6fd8aea60b06e582531ee69a49c4d0a98aa324a

Filesize: 349KB
MD5: 21880311b0334127c1291c4571852b9a
SHA1: e48a127e5cb75ed4279a714df6ab8a7e695863e0
SHA256: 3443f4c6c18d5cc9f9fe2df8da1d5aa2b022d89b94eb55201fe8ff33db33721e
SHA512: c754b444aa929c46f430a43fbac347de3ea63e4c827922c86509458257a2689fe9cb724053d94281bb95dd4c8146665bbd23fc1ea977eccd5f27cb2d73e89e65