728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Size

4.3MB
MD5

5685853272e90522266581d3b8d4d225
SHA1

33e9d275fb82ab15d8d0446bc74fa1fc24fb9c2f
SHA256

728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e
SHA512

41de5c68dda25a1bdc9894c21731c3206283b3c423e9e0cc448240b5b5ab7d7f2ec62aca44e8fd420c97c3486eb6078a4d4d52f359ec201d617178d98ff1909e
SSDEEP

98304:hnniDy1yJe254pKK8zpI3dt8c/Q7XgeFwfKkreug5fCWq1Tno6y2+:6y14GIpok1qfjreBftqG6yF

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3024	sg.tmp

Loads dropped DLL 3 IoCs

pid	Process
1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
3024	sg.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1456-0-0x0000000000400000-0x00000000005E9000-memory.dmp	upx
behavioral1/memory/1456-319-0x0000000000400000-0x00000000005E9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sg.tmp

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\WindowMetrics	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Token: SeRestorePrivilege	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Token: 33	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Token: SeIncBasePriorityPrivilege	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Token: SeCreateGlobalPrivilege	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Token: 33	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Token: SeIncBasePriorityPrivilege	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Token: 33	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Token: SeIncBasePriorityPrivilege	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
Token: SeRestorePrivilege	3024	sg.tmp
Token: 35	3024	sg.tmp
Token: SeSecurityPrivilege	3024	sg.tmp
Token: SeSecurityPrivilege	3024	sg.tmp
Token: SeDebugPrivilege	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3024	sg.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1508	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe	29
PID 1456 wrote to memory of 1508	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe	29
PID 1456 wrote to memory of 1508	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe	29
PID 1456 wrote to memory of 1508	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe	29
PID 1456 wrote to memory of 3024	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe	31
PID 1456 wrote to memory of 3024	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe	31
PID 1456 wrote to memory of 3024	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe	31
PID 1456 wrote to memory of 3024	1456	728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe	31

C:\Users\Admin\AppData\Local\Temp\728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe
"C:\Users\Admin\AppData\Local\Temp\728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\system32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\~4215599351935932147~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\728b0bd4dbe44d49d558dc26ca21334df407eed918f891c37155ad9b6535ad8e.exe" -y -aoa -o"C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\DLL\EnCrypt.dll

Filesize
7KB

MD5
82ebc7bc7fc0569292df76b8bc537f91

SHA1
02e188d5cb8871358f7dcf06ff70eca749346333

SHA256
36e9c23dcf045376cf1cf73fbc33e3ef6d1f38c96af25e50e2e2892987e981c8

SHA512
151a1a7391c23a406f2f2d0a7072e050d2f178b4254181b7d93506172dacbe363982f0f4eaf0c348699ec44df0a084f083f3c43f77d15c5a3a2d1789496e8e2b

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\DLL\NGif.dll

Filesize
14KB

MD5
3a189a4fa4ce95849406245399303f81

SHA1
c036ea796f55735a0163cd37dbea4fa32479e8f8

SHA256
8da5f30d2ef32a0b8cbf5f133740e21ce31adef2f69b5cb4b11ddf95e611980e

SHA512
b992ad09a8e2ca993f2b03ad2dd18d6cc68d91439b66b7afa9ccd88b38d9a4f4813bb87e90afb86aa040408e44f0d6970676de254bc2664aa1ae287c64eb2764

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\A.png

Filesize
15KB

MD5
ef1e8cb875831595d10aba66513dee57

SHA1
cc0675e1d1d89e8fc21913ad28b7ea26ca0c7ba7

SHA256
a4599cbca17091cb576bcadbb2323bd7d0bb3ad1d8d92f55c4dfc700be085403

SHA512
100c9231cd8088466ace09c123807db7795f1437047ce0dd639aee690c8b21f1727a2dde77d19cef3df789d645437a376a41d4429b93ad54db485fefc35aea59

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\B.png

Filesize
14KB

MD5
b209529a54c48e19439e316a053bcf17

SHA1
c46ceb94d02915b1018cf98c546b0fe6fa24ebdd

SHA256
d72b6d52b033d163e503b1169c5fcdf19da8326406b2bc262ecbcaa4b9b43a72

SHA512
e87d6578c3a29d3489550925ff9b3bd4b8ac130ff88208cc716cfdb49ad6fa8b4d9999075fb0829be65275ed1b4a0cb01c3240db11ba45a9db6119566eeec133

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\Synchronize.png

Filesize
2KB

MD5
b23f13259bad96bf487f426b0aa8afc6

SHA1
e9ccc7f7265e9dd821ec5c15108e13bef233112a

SHA256
dac812ed41d981da8f97f0a5878efaef9818a0ba8aa1a3d9b2e82edf0ce59d7a

SHA512
4bfec611863cd8ca28e21b021dd738da0312d8726bc1b147c33136742072e27c84310ffd1b033739c14a2f16a8267d5196029772fc78c8df44686731faa09a2a

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\Test.png

Filesize
229KB

MD5
c0247a99353d5d0f92516aaabef92a82

SHA1
5af56d9350ee3499f3b2293be2f738c1140f1014

SHA256
574304de68777e63208e542ae6941986f9546bfa6b5180d2832d03400af4109c

SHA512
fe9d23d52d3095e80ffb089e1e6fa274a8f9d427ec41270a470bac82e1f13ffe44f63cf0234e8b01a0d417b7bb3dfecc368856297f1970066cc7744230d46584

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\began.png

Filesize
2KB

MD5
d4638e6fd91e29928985185a49fbeaa7

SHA1
636d499aee72915a7e8ce8545a9e345cfa20addb

SHA256
8502b9e3114d3f972ca4c88f003cc6c578ff7ad9c944055ce1c391ab04c1318a

SHA512
b1a6e5ea7f78813958d0fbd08fc01a6c48272068b63557210d63fcfac220fcb35dbc912a36a9dc729ccb9804df16f9bebb6df3f124e30b040e34eb65d736eeab

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\pause.png

Filesize
3KB

MD5
691f81d9683d718943d7b05be3a7a55b

SHA1
9c4f10ac645ac824e7a524cc93baf3cd10ddf7ff

SHA256
440c92487172917eff5a448fa441e23f9abb377f73103a871361720d0d5f0613

SHA512
0e4a7f209541bdb9005284bff1d26f3f876bdeefb7e1958e40f482a6089970ea798ef89d8ffe6db0cf4b80fbd4cd92b7755bb3b72b324531db9487f6cf414a1d

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\删除.png

Filesize
3KB

MD5
7766eb10a68dbca106e102b75a9574e5

SHA1
1614eba1039b5146d6de03754fbd72a9338d8012

SHA256
5bc3aea18db7afbf2bb14193c3af9433b929e95976fe4e3d988de334c9856309

SHA512
af6d3dcbd1e31398e455dc657b13fcee1a5e5ba37048ce674d8bac31a35fae52a40fed4c49ee630688531e5257b2ecc4a05ce504192f1bafa69341560cd90ac9

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\刷新.png

Filesize
4KB

MD5
f166b5b5f12e9ff0e15c83fa8a520403

SHA1
3a3b8fb807b1680fb544fe0c0bf101b0feec8b2a

SHA256
4b37b87513e71ecb876eee93f1b2f6289230331f32222533d1aa4b80e342b912

SHA512
fdc3ab9e54cb6e4669e6fa15cbe69a938898ad75370672e5741e56d77368f86069e885f47876262c79dc81a17de1c0adc4bd7f5fae3f23cdc5428d36ddda214f

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\文件夹.png

Filesize
3KB

MD5
e1dd89e3443d1a842d8ab46fe89618b7

SHA1
fc5318dc60f2a02c72ae74ed1488b7a02a11668f

SHA256
fdc191359936e2648fd473b1e337c631b317294637e4734006ab11d66621525e

SHA512
aed8ddcc4acefd0cf62f2fbe50a1b6a375282e85f173f2f837739369f2f5705e6cd68359393381245f8504f68f6ef8fae23e49b433c83fc16663a9f9907edd12

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\Img\添加.png

Filesize
2KB

MD5
a56a98c1c665844dae961b8ea958aff6

SHA1
4bd441c7dc50f039d54b05a66a480457dc0911b8

SHA256
0b8b2e52695e4c5b451ad78701c51c71b12b515c4b27550cbdeedad4f3d89a21

SHA512
04dc9395d1d9c0bf5d3c70570f3a87b340a9cfe69fd989615c2e9dcfe485f6f7b1b92709f280f59f0dcd6803c2391957bb0b2ae6934798a66279e1c6b8fbfae8

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\LabelButton.db

Filesize
12KB

MD5
9f9ead197edaffdcd701b1556aea366e

SHA1
53b6d9c03a17f17bbeb4aea62f195278a0cce922

SHA256
2c89d056b3b42323f49047192bafdc5a55830b4bf9f85d448d58e13ae331fe60

SHA512
e9e440195d24a687203f561b0ee158d96807fb7f1cec0eb59a9a1a507b8b10527ec0f1e8329070ca02c06c19433c8b91e09d37b7b929ea81a6861e400bec8bf8

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\resource.qrc

Filesize
278B

MD5
267f75e5866afbd77d9c25ffb8c6c3d1

SHA1
82f4e2a944bb91cb32e5199df93117901ebef075

SHA256
55257d9fa32b82373aa8193aeb09b4811408e1a88c7242684e92af7116dee1fe

SHA512
014b89b6b6a3dcf5fac68808a1ed19749b7312ce00b0a5fec69f597543add0267915a413d78ca987ec70060aec851c0b0586ba7d79c6bacb2edbd9045f62e95e

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2023\resource_rc.py

Filesize
313KB

MD5
48622dd94a73c0b21fc2e06fab9d08b4

SHA1
571e7e519300d53968d0ef2f4a6c6e277e685fdb

SHA256
d579bf46ccbc13bea34dbbffc58a16af96e6160fad6e0910bf019371bf4e5d9d

SHA512
4e5bcbde546f7df77553a84eb72f58d5f4042f4a0e75c2676eb86b36a64290c453e8e6b78289183c7f65fcec65b85e6f8a89c2612665bb8a77dd6e90b7431356

Download Submit
C:\ProgramData\Autodesk\ApplicationPlugins\Bips_Library\Contents\2024\Main.py

Filesize
564B

MD5
c28f6db24cc6f7931aea3ee87ec5c3a4

SHA1
c463c45e3d675603931754ee19ec1465e478b971

SHA256
cfc56101758b7dc6b894f517979dbd34bb5caa82bac2eeecf58842e749c7cb40

SHA512
f6eebefa4848ad1f17f6ba681700e4680c14f1b49038cd01df8f604df0e15ba0a960d11666f27e0bb8e8a4c2b815e82547f6aa0cf9af118d416bd5a37deece75

Download Submit
\Users\Admin\AppData\Local\Temp\~4215599351935932147~\7z.dll

Filesize
1.1MB

MD5
4a224bc36119d0a9b3f862edefc9a91a

SHA1
fcd584077825f86a27e7a8575c4cd971ddecd387

SHA256
b339f59e151cdc460d944b59ad92b4f33e6be148b72c23e116fcc47ebabb1575

SHA512
1e27c150976bbcc05f3d118f9bcdd0a5f61e1fdcc5a57387261c87fa2d2c2bf817cd93510c6eff504e10cc099389e8acbe9ceb543c9515edce3249409af22a0e

Download Submit
\Users\Admin\AppData\Local\Temp\~4215599351935932147~\sg.tmp

Filesize
415KB

MD5
5e397bb9f0fe8b98104f1c124435c936

SHA1
08fca294ed1c828ca796930d0457f2d7d2896a31

SHA256
338600eeede3179be5666dd49e4998cf7993db9bc16c5b8ac9cfaffaae260579

SHA512
7ba684daab5cba6993c0b20883db19b0468a56dcc7fde406fbe47256e7e90668911742ad43077e3cbedb190931018b65428d45ebef81cbba092789553fbeb06c

Download Submit
memory/1456-11-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1456-0-0x0000000000400000-0x00000000005E9000-memory.dmp

Filesize
1.9MB

Download
memory/1456-8-0x00000000025C0000-0x00000000026C0000-memory.dmp

Filesize
1024KB

Download
memory/1456-10-0x00000000025C0000-0x00000000026C0000-memory.dmp

Filesize
1024KB

Download
memory/1456-5-0x00000000025C0000-0x00000000026C0000-memory.dmp

Filesize
1024KB

Download
memory/1456-4-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1456-319-0x0000000000400000-0x00000000005E9000-memory.dmp

Filesize
1.9MB

Download