eb89704134f653e487cfd6f04473168fbf69e8a11cc4aec1f1fe668c6ff87a30

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 12:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b31462eb373a9b523795cab012fbf580N.exe
Size

161KB
MD5

b31462eb373a9b523795cab012fbf580
SHA1

573683c37cac81a78417d06caa050c64ef479a00
SHA256

eb89704134f653e487cfd6f04473168fbf69e8a11cc4aec1f1fe668c6ff87a30
SHA512

5b2ffffefa2e15c4b97ed82b50c94e4f121aff9b4019d2b7d096f5c67953bbd4be30764e22a6ae28f4deeaa42c6467ec1a371468347ddcb2525829c145146fe0
SSDEEP

3072:s5SVkkgUWib1UC7AdYzrV+Dljy/32ubwZZqJ:TUquCkdYzrVolu/J0ZZ

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2632	WindowsService.exe
1952	WindowsService.exe
824	WindowsService.exe

Loads dropped DLL 5 IoCs

pid	Process
2832	b31462eb373a9b523795cab012fbf580N.exe
2832	b31462eb373a9b523795cab012fbf580N.exe
2832	b31462eb373a9b523795cab012fbf580N.exe
2832	b31462eb373a9b523795cab012fbf580N.exe
2832	b31462eb373a9b523795cab012fbf580N.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1524-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1524-129-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1524-160-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1524-445-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2832-446-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0009000000016491-473.dat	upx
behavioral1/memory/2632-492-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1952-1033-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2832-1041-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2632-1038-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1952-1049-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 2832	1524	b31462eb373a9b523795cab012fbf580N.exe	30
PID 2632 set thread context of 1952	2632	WindowsService.exe	36
PID 2632 set thread context of 824	2632	WindowsService.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe
Token: SeDebugPrivilege	1952	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1524	b31462eb373a9b523795cab012fbf580N.exe
2832	b31462eb373a9b523795cab012fbf580N.exe
2632	WindowsService.exe
1952	WindowsService.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2832	1524	b31462eb373a9b523795cab012fbf580N.exe	30
PID 1524 wrote to memory of 2832	1524	b31462eb373a9b523795cab012fbf580N.exe	30
PID 1524 wrote to memory of 2832	1524	b31462eb373a9b523795cab012fbf580N.exe	30
PID 1524 wrote to memory of 2832	1524	b31462eb373a9b523795cab012fbf580N.exe	30
PID 1524 wrote to memory of 2832	1524	b31462eb373a9b523795cab012fbf580N.exe	30
PID 1524 wrote to memory of 2832	1524	b31462eb373a9b523795cab012fbf580N.exe	30
PID 1524 wrote to memory of 2832	1524	b31462eb373a9b523795cab012fbf580N.exe	30
PID 1524 wrote to memory of 2832	1524	b31462eb373a9b523795cab012fbf580N.exe	30
PID 2832 wrote to memory of 904	2832	b31462eb373a9b523795cab012fbf580N.exe	32
PID 2832 wrote to memory of 904	2832	b31462eb373a9b523795cab012fbf580N.exe	32
PID 2832 wrote to memory of 904	2832	b31462eb373a9b523795cab012fbf580N.exe	32
PID 2832 wrote to memory of 904	2832	b31462eb373a9b523795cab012fbf580N.exe	32
PID 904 wrote to memory of 2840	904	cmd.exe	34
PID 904 wrote to memory of 2840	904	cmd.exe	34
PID 904 wrote to memory of 2840	904	cmd.exe	34
PID 904 wrote to memory of 2840	904	cmd.exe	34
PID 2832 wrote to memory of 2632	2832	b31462eb373a9b523795cab012fbf580N.exe	35
PID 2832 wrote to memory of 2632	2832	b31462eb373a9b523795cab012fbf580N.exe	35
PID 2832 wrote to memory of 2632	2832	b31462eb373a9b523795cab012fbf580N.exe	35
PID 2832 wrote to memory of 2632	2832	b31462eb373a9b523795cab012fbf580N.exe	35
PID 2632 wrote to memory of 1952	2632	WindowsService.exe	36
PID 2632 wrote to memory of 1952	2632	WindowsService.exe	36
PID 2632 wrote to memory of 1952	2632	WindowsService.exe	36
PID 2632 wrote to memory of 1952	2632	WindowsService.exe	36
PID 2632 wrote to memory of 1952	2632	WindowsService.exe	36
PID 2632 wrote to memory of 1952	2632	WindowsService.exe	36
PID 2632 wrote to memory of 1952	2632	WindowsService.exe	36
PID 2632 wrote to memory of 1952	2632	WindowsService.exe	36
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37
PID 2632 wrote to memory of 824	2632	WindowsService.exe	37

C:\Users\Admin\AppData\Local\Temp\b31462eb373a9b523795cab012fbf580N.exe
"C:\Users\Admin\AppData\Local\Temp\b31462eb373a9b523795cab012fbf580N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\b31462eb373a9b523795cab012fbf580N.exe
  "C:\Users\Admin\AppData\Local\Temp\b31462eb373a9b523795cab012fbf580N.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\TCNSO.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
      4⤵
      Adds Run key to start application
      PID:2840
- - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1952
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCNSO.bat

Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Filesize
161KB

MD5
409fa02a6668177cf5e056099532fccd

SHA1
4bd4ec4c9de7efb45ba59c17eef72e8aca8edf32

SHA256
eb6b638bbc53fff797553cdfe2d8f90e06b6336ae4b94d0c4eb7fa561dce37ce

SHA512
f2b3d003fab43a92197efa222a346ece4d3e561c263e120274c56deb715481b158b1fba83d1e9688ae2d6b77ba5988cfb191baf45f4aa2e7246e772785ff43ec

Download Submit
memory/1524-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-445-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-83-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/1524-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1524-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-1033-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1952-1049-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2632-1038-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-492-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2832-488-0x00000000029E0000-0x0000000002A1C000-memory.dmp

Filesize
240KB

Download
memory/2832-489-0x00000000029F0000-0x0000000002A2C000-memory.dmp

Filesize
240KB

Download
memory/2832-490-0x00000000029F0000-0x0000000002A2C000-memory.dmp

Filesize
240KB

Download
memory/2832-1041-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2832-491-0x00000000029F0000-0x0000000002A2C000-memory.dmp

Filesize
240KB

Download
memory/2832-446-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads