13af4e4a2ddf76ff36a71112b457e8e5627abf33ef5889d7538def3c0c03fdfb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f168be9c023341488f6caeb21563c670N.exe
Size

175KB
MD5

f168be9c023341488f6caeb21563c670
SHA1

1b32a4d9018ac122b1d9f2080be9ce06560dac78
SHA256

13af4e4a2ddf76ff36a71112b457e8e5627abf33ef5889d7538def3c0c03fdfb
SHA512

fbd880257aec00e172f4e65a8d5d0d70bb9ae5c81f9ac72f23f120ef31bc0fc339a6335bd4baeada3fe506782a08c0bea0a71db30cb50d1f5e967f9a3167c905
SSDEEP

3072:Xi7o7VHprGPGlyvfB5D6pEdDXONu//847FRtoutZpJP:Xi7o7VJaOUnB51DXOv47FzoSfB

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	PFJXY.zz

Loads dropped DLL 4 IoCs

pid	Process
2708	f168be9c023341488f6caeb21563c670N.exe
2708	f168be9c023341488f6caeb21563c670N.exe
2708	f168be9c023341488f6caeb21563c670N.exe
2656	f168be9c023341488f6caeb21563c670N.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-14-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-12-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-10-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-8-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-6-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-4-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-3-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-32-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-34-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-30-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-28-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-26-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-24-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-22-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-20-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-16-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-18-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-38-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-37-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2708-36-0x00000000001B0000-0x0000000000206000-memory.dmp	upx
behavioral1/memory/2656-114-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-115-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-117-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-119-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-121-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-123-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-125-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-127-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-131-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-129-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-133-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-135-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-137-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-139-0x0000000000380000-0x00000000003D6000-memory.dmp	upx
behavioral1/memory/2656-141-0x0000000000380000-0x00000000003D6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	f168be9c023341488f6caeb21563c670N.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	f168be9c023341488f6caeb21563c670N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXYmain.ini	f168be9c023341488f6caeb21563c670N.exe
File created	C:\Program Files (x86)\Tencent\qq\727B6D6173\KCQ.TIA	PFJXY.zz
File opened for modification	C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXY.zz	f168be9c023341488f6caeb21563c670N.exe
File created	C:\Program Files (x86)\Tencent\qq\727B6D6173\ok.txt	f168be9c023341488f6caeb21563c670N.exe
File created	C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXYss1.ini	f168be9c023341488f6caeb21563c670N.exe
File created	C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXY.zz	f168be9c023341488f6caeb21563c670N.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXY.zz	f168be9c023341488f6caeb21563c670N.exe
File created	C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXYmain.ini	f168be9c023341488f6caeb21563c670N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\web\626E66616661667B.tmp	f168be9c023341488f6caeb21563c670N.exe
File opened for modification	C:\Windows\web\626E66616661667B.tmp	f168be9c023341488f6caeb21563c670N.exe
File created	C:\Windows\web\626E66616661667B.tmp	f168be9c023341488f6caeb21563c670N.exe
File opened for modification	C:\Windows\web\626E66616661667B.tmp	f168be9c023341488f6caeb21563c670N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f168be9c023341488f6caeb21563c670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f168be9c023341488f6caeb21563c670N.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2708	f168be9c023341488f6caeb21563c670N.exe
2708	f168be9c023341488f6caeb21563c670N.exe
2708	f168be9c023341488f6caeb21563c670N.exe
2656	f168be9c023341488f6caeb21563c670N.exe
2656	f168be9c023341488f6caeb21563c670N.exe
2656	f168be9c023341488f6caeb21563c670N.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	f168be9c023341488f6caeb21563c670N.exe
Token: SeDebugPrivilege	2708	f168be9c023341488f6caeb21563c670N.exe
Token: SeDebugPrivilege	2708	f168be9c023341488f6caeb21563c670N.exe
Token: SeDebugPrivilege	2656	f168be9c023341488f6caeb21563c670N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2108	2708	f168be9c023341488f6caeb21563c670N.exe	31
PID 2708 wrote to memory of 2108	2708	f168be9c023341488f6caeb21563c670N.exe	31
PID 2708 wrote to memory of 2108	2708	f168be9c023341488f6caeb21563c670N.exe	31
PID 2708 wrote to memory of 2108	2708	f168be9c023341488f6caeb21563c670N.exe	31
PID 2708 wrote to memory of 2656	2708	f168be9c023341488f6caeb21563c670N.exe	32
PID 2708 wrote to memory of 2656	2708	f168be9c023341488f6caeb21563c670N.exe	32
PID 2708 wrote to memory of 2656	2708	f168be9c023341488f6caeb21563c670N.exe	32
PID 2708 wrote to memory of 2656	2708	f168be9c023341488f6caeb21563c670N.exe	32

C:\Users\Admin\AppData\Local\Temp\f168be9c023341488f6caeb21563c670N.exe
"C:\Users\Admin\AppData\Local\Temp\f168be9c023341488f6caeb21563c670N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXY.zz
  "C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXY.zz" -z 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363336433745373036325D4A42502F554840
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\f168be9c023341488f6caeb21563c670N.exe
  C:\Users\Admin\AppData\Local\Temp\f168be9c023341488f6caeb21563c670N.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXY.zz

Filesize
175KB

MD5
985f50b3626195b2213229654c04b62c

SHA1
dcd76f050421beb7f07554bedc00e84ea031f3ac

SHA256
ed7d232e1db5850542bc9f72ef52bd17c54909f628e6ea4b660a0d780a56654c

SHA512
a9c6136d3a402507728a931cda6a0634c8b80065df034ee15ddae5ec4ce6b8160c15bc5314b35564797b83b88694a686bdd5aa319c363aa86cd9b228f2fc6377

Download Submit
C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXYmain.ini

Filesize
1KB

MD5
f527f1cc382565a06de77bfbab213be6

SHA1
e9dd470d06ae59eccb5aecc020a96a877ab841d6

SHA256
6f1448d4216de766a41f29d11ece93ac15c6b597ce7d93120bc2e1a71bc67bda

SHA512
7c8cee035033dfb67cc21e72a1dabe61ac2548d3b995adf544278d85a9f43ff0484b82a3428a41dbd53bd7b17dbac5e9197d2c2e7aedf1e4ba3884f4cb639ac5

Download Submit
C:\Program Files (x86)\Tencent\qq\727B6D6173\PFJXYss1.ini

Filesize
22B

MD5
eb4d00f651645e390943aeb1ce9828a8

SHA1
b38a539150d805ce92cb56563f66c3498273c9bb

SHA256
54e311b27f481b97d4851f2446ef3a5a75687793bb9408733d9ab9aa7024b830

SHA512
4d0c2ae53b7a018f2a77228d279dc096eed52f095a13e3b5cd7ebc1a711a6fa4ed77c90ccc869f610139efd67631860f37920759ab4fda8428c4343428d52fb1

Download Submit
C:\Windows\Web\626E66616661667B.tmp

Filesize
109KB

MD5
7ad6c16975b966367d5741310bb3a062

SHA1
62c0dba41307541f3ae9e8b05c8c76996bb56e36

SHA256
135fb2b87d31aff906c4867cd64e651bfe1e18b6b1f2c552a533f474563762d9

SHA512
1c3e8215107355a7993ec0cf605e0ca8645ab5bf7fc83ae0184f33c1b206fe6c8c23cd80cdcdfaceaf9e37d630955560535b12620b441ae732b1f033bfeba52d

Download Submit
\Windows\SysWOW64\kernel64.dll

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
memory/2108-110-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2108-108-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2656-125-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-131-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-158-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2656-141-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-139-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-137-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-135-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-133-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-129-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-127-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-123-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-121-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-119-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-117-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-115-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-114-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2656-112-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2708-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2708-4-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-106-0x0000000001D20000-0x0000000001D4C000-memory.dmp

Filesize
176KB

Download
memory/2708-10-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-6-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-12-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-18-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-36-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-37-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-38-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-107-0x0000000001D20000-0x0000000001D4C000-memory.dmp

Filesize
176KB

Download
memory/2708-3-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-22-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-16-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-32-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-20-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-8-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-24-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-26-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-28-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-30-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-14-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-34-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/2708-157-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download