de4ec1fb441ef422cd308ccb378f490ee728f8dc89b7f0cac4056c72e5474960

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c8d93702e7063e7db9555969545540N.exe
Size

304KB
MD5

95c8d93702e7063e7db9555969545540
SHA1

31fb6c9b10e2a75634fe6fbd3fbe23eeb85bf569
SHA256

de4ec1fb441ef422cd308ccb378f490ee728f8dc89b7f0cac4056c72e5474960
SHA512

d6b960ce8dbfaa9b3684f2a1e7dfbeb5f634e13c00131b9263880612215441abebd42a1c94766ec83307a1009bcc423f70942be9978cde80fa40b08510f9a9fa
SSDEEP

3072:fHUm8QyMWSVCqwT1h+popOOfaPOx5P+m/pNdhZ1QYUdqz:fQqwJh+6pAkGm/pH1gdq

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2240	95c8d93702e7063e7db9555969545540N.exe
864	WindowsService.exe
2996	WindowsService.exe
2652	WindowsService.exe

Loads dropped DLL 6 IoCs

pid	Process
2716	95c8d93702e7063e7db9555969545540N.exe
2240	95c8d93702e7063e7db9555969545540N.exe
2240	95c8d93702e7063e7db9555969545540N.exe
2240	95c8d93702e7063e7db9555969545540N.exe
2240	95c8d93702e7063e7db9555969545540N.exe
2240	95c8d93702e7063e7db9555969545540N.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2716-0-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/files/0x0008000000016d65-175.dat	upx
behavioral1/memory/2716-177-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2240-194-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2716-192-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/files/0x0009000000016d5e-219.dat	upx
behavioral1/memory/864-238-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/864-445-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2996-449-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2240-448-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2996-454-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2240	2716	95c8d93702e7063e7db9555969545540N.exe	31
PID 864 set thread context of 2996	864	WindowsService.exe	36
PID 864 set thread context of 2652	864	WindowsService.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe
Token: SeDebugPrivilege	2996	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2716	95c8d93702e7063e7db9555969545540N.exe
2240	95c8d93702e7063e7db9555969545540N.exe
864	WindowsService.exe
2996	WindowsService.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2240	2716	95c8d93702e7063e7db9555969545540N.exe	31
PID 2716 wrote to memory of 2240	2716	95c8d93702e7063e7db9555969545540N.exe	31
PID 2716 wrote to memory of 2240	2716	95c8d93702e7063e7db9555969545540N.exe	31
PID 2716 wrote to memory of 2240	2716	95c8d93702e7063e7db9555969545540N.exe	31
PID 2716 wrote to memory of 2240	2716	95c8d93702e7063e7db9555969545540N.exe	31
PID 2716 wrote to memory of 2240	2716	95c8d93702e7063e7db9555969545540N.exe	31
PID 2716 wrote to memory of 2240	2716	95c8d93702e7063e7db9555969545540N.exe	31
PID 2716 wrote to memory of 2240	2716	95c8d93702e7063e7db9555969545540N.exe	31
PID 2240 wrote to memory of 2100	2240	95c8d93702e7063e7db9555969545540N.exe	32
PID 2240 wrote to memory of 2100	2240	95c8d93702e7063e7db9555969545540N.exe	32
PID 2240 wrote to memory of 2100	2240	95c8d93702e7063e7db9555969545540N.exe	32
PID 2240 wrote to memory of 2100	2240	95c8d93702e7063e7db9555969545540N.exe	32
PID 2100 wrote to memory of 2168	2100	cmd.exe	34
PID 2100 wrote to memory of 2168	2100	cmd.exe	34
PID 2100 wrote to memory of 2168	2100	cmd.exe	34
PID 2100 wrote to memory of 2168	2100	cmd.exe	34
PID 2240 wrote to memory of 864	2240	95c8d93702e7063e7db9555969545540N.exe	35
PID 2240 wrote to memory of 864	2240	95c8d93702e7063e7db9555969545540N.exe	35
PID 2240 wrote to memory of 864	2240	95c8d93702e7063e7db9555969545540N.exe	35
PID 2240 wrote to memory of 864	2240	95c8d93702e7063e7db9555969545540N.exe	35
PID 864 wrote to memory of 2996	864	WindowsService.exe	36
PID 864 wrote to memory of 2996	864	WindowsService.exe	36
PID 864 wrote to memory of 2996	864	WindowsService.exe	36
PID 864 wrote to memory of 2996	864	WindowsService.exe	36
PID 864 wrote to memory of 2996	864	WindowsService.exe	36
PID 864 wrote to memory of 2996	864	WindowsService.exe	36
PID 864 wrote to memory of 2996	864	WindowsService.exe	36
PID 864 wrote to memory of 2996	864	WindowsService.exe	36
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37
PID 864 wrote to memory of 2652	864	WindowsService.exe	37

C:\Users\Admin\AppData\Local\Temp\95c8d93702e7063e7db9555969545540N.exe
"C:\Users\Admin\AppData\Local\Temp\95c8d93702e7063e7db9555969545540N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\95c8d93702e7063e7db9555969545540N.exe
  "C:\Users\Admin\AppData\Local\Temp\95c8d93702e7063e7db9555969545540N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\AITVQ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
      4⤵
      Adds Run key to start application
      PID:2168
- - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2996
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AITVQ.bat

Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
\Users\Admin\AppData\Local\Temp\95c8d93702e7063e7db9555969545540N.exe

Filesize
304KB

MD5
95c8d93702e7063e7db9555969545540

SHA1
31fb6c9b10e2a75634fe6fbd3fbe23eeb85bf569

SHA256
de4ec1fb441ef422cd308ccb378f490ee728f8dc89b7f0cac4056c72e5474960

SHA512
d6b960ce8dbfaa9b3684f2a1e7dfbeb5f634e13c00131b9263880612215441abebd42a1c94766ec83307a1009bcc423f70942be9978cde80fa40b08510f9a9fa

Download Submit
\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Filesize
304KB

MD5
2612ae0612cfbd59bf30dae2ca299e2b

SHA1
e41f95a3667771b1fad290e3e1aa75221cfa4580

SHA256
e9295155d8bf18449d3cec0ae3d861aa1f238834e2a871064caf05f84cec91ca

SHA512
ce6dbf71ed14d25a8771e1a4fda839483cc8d9a2af31c9461eab39caa0571fbbd1125711feb959e3b2b31b655a245957b7673bb815f8cbe2ef0f29680351dbf0

Download Submit
memory/864-445-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/864-238-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2240-194-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2240-236-0x0000000003400000-0x000000000344C000-memory.dmp

Filesize
304KB

Download
memory/2240-448-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2240-233-0x0000000003400000-0x000000000344C000-memory.dmp

Filesize
304KB

Download
memory/2240-234-0x0000000003400000-0x000000000344C000-memory.dmp

Filesize
304KB

Download
memory/2240-235-0x0000000003400000-0x000000000344C000-memory.dmp

Filesize
304KB

Download
memory/2716-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-177-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-192-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-193-0x0000000002930000-0x000000000297C000-memory.dmp

Filesize
304KB

Download
memory/2716-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2716-176-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/2996-449-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2996-454-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads