8cdf678bed1558ca64a6788519e28f727a5ee75b808051530c1a2f0d9c974301

Resubmissions

10/10/2024, 16:44

241010-t82a7s1dmq 7

10/10/2024, 16:43

241010-t8bqjs1djp 5

10/10/2024, 16:30

241010-tz1nbazhmp 5

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ray.zip
Size

752KB
MD5

8a7a6ac2fedd86f4509a5c93cfdd3edd
SHA1

fa8c2e8e21d12d3fff90a8d76558e679b7192592
SHA256

8cdf678bed1558ca64a6788519e28f727a5ee75b808051530c1a2f0d9c974301
SHA512

95f8e6aa66c412f0d958f36523ed3394d9de30f8e7f0ff79c89405bc073a4c747b6c52e19f57606f7e9523fd5ef3403c4115d8a5dba25cd5137b612d03e9163b
SSDEEP

12288:DDocdeg/IyQKcKjEZm/vOyHbfI01uXtR/Wk2XxyCPVsCI/p3Jb5fwCe6TFdocw5i:DDomexZobvQ/l2Xx5fI/9rvBvXwYhP

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2176	mpclient.exe
960	mpclient.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 2424	2176	mpclient.exe	35
PID 864 set thread context of 2204	864	svchost.exe	39
PID 2204 set thread context of 2016	2204	svchost.exe	40

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-13-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral1/memory/2176-12-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral1/memory/2176-9-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral1/memory/2204-63-0x0000000180000000-0x0000000180066000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	mpclient.exe
2424	svchost.exe
2424	svchost.exe
960	mpclient.exe
864	svchost.exe
2204	svchost.exe
2016	dllhost.exe
2016	dllhost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe
2204	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1744	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1744	7zFM.exe
Token: 35	1744	7zFM.exe
Token: SeSecurityPrivilege	1744	7zFM.exe
Token: 33	2516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2516	AUDIODG.EXE
Token: 33	2516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2516	AUDIODG.EXE
Token: SeDebugPrivilege	2424	svchost.exe
Token: SeTcbPrivilege	2424	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1744	7zFM.exe
1744	7zFM.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2424	2176	mpclient.exe	35
PID 2176 wrote to memory of 2424	2176	mpclient.exe	35
PID 2176 wrote to memory of 2424	2176	mpclient.exe	35
PID 2176 wrote to memory of 2424	2176	mpclient.exe	35
PID 2176 wrote to memory of 2424	2176	mpclient.exe	35
PID 2176 wrote to memory of 2424	2176	mpclient.exe	35
PID 1332 wrote to memory of 960	1332	taskeng.exe	37
PID 1332 wrote to memory of 960	1332	taskeng.exe	37
PID 1332 wrote to memory of 960	1332	taskeng.exe	37
PID 960 wrote to memory of 864	960	mpclient.exe	13
PID 960 wrote to memory of 864	960	mpclient.exe	13
PID 960 wrote to memory of 864	960	mpclient.exe	13
PID 864 wrote to memory of 2204	864	svchost.exe	39
PID 864 wrote to memory of 2204	864	svchost.exe	39
PID 864 wrote to memory of 2204	864	svchost.exe	39
PID 864 wrote to memory of 2204	864	svchost.exe	39
PID 864 wrote to memory of 2204	864	svchost.exe	39
PID 864 wrote to memory of 2204	864	svchost.exe	39
PID 2204 wrote to memory of 2016	2204	svchost.exe	40
PID 2204 wrote to memory of 2016	2204	svchost.exe	40
PID 2204 wrote to memory of 2016	2204	svchost.exe	40
PID 2204 wrote to memory of 2016	2204	svchost.exe	40
PID 2204 wrote to memory of 2016	2204	svchost.exe	40
PID 2204 wrote to memory of 2016	2204	svchost.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\system32\taskeng.exe
  taskeng.exe {E7A74984-BA50-4E60-A306-31E8C4904854} S-1-5-18:NT AUTHORITY\System:Service:
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\mpclient.exe
    C:\Windows\system32\mpclient.exe -svc
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2016

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ray.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1744

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\mpclient.exe
"C:\mpclient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -Install
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MpClient.dll

Filesize
1.4MB

MD5
bc36ad620120c9375365f86c9827da49

SHA1
aa22ff23ed7979fcd50f1d3a376b3dbfa11d5ca9

SHA256
a41871976043cc13331b6f04abbaff2ae0071c672c31fe8f5be6bf3f40ccfbe6

SHA512
b536526c5af0e8b3652b20e374d8f5606a9b6d78e7583bc8bb01a6ada43137247343e44732b96bc344783f3f698f85256ea27e7390b020a6913f77bf5c3fcef2

Download Submit
C:\mpclient.dat

Filesize
189KB

MD5
2f6b717f476ebf41a8bab797ce7cf2ae

SHA1
d01ddbbfef80900477375a79bc7404d1c2057dda

SHA256
bc45451875e6b7168494bd6f8a1921a78307be379dd011c74785b9ef9f2cde46

SHA512
09f9a8a45438107ff57b424d0926449057463f7bba561b96944827dc57531bd48a0bcfb7565cc3c2b3497834eaa8e5e697e85c23866411baa763675e5447a277

Download Submit
C:\mpclient.exe

Filesize
186KB

MD5
6bd4d7f68924301051c22e8a951aecba

SHA1
2ae2a6b863616b61ccb550fc1a145ae025896de1

SHA256
9afd12eede0db98a35aba52f53041efa4a2f2a03673672c7ac530830b7152392

SHA512
ebf97dcc36413e9c05da1df9d296bd5226f2c5acc86f8592755f10454328ffa90dc9805825ede64f350fade5de9cef73d050aad569b733f914da6aa92740f708

Download Submit
memory/864-42-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/960-65-0x000007FEF5FD0000-0x000007FEF6132000-memory.dmp

Filesize
1.4MB

Download
memory/960-36-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/2176-28-0x000007FEF6140000-0x000007FEF62A2000-memory.dmp

Filesize
1.4MB

Download
memory/2176-9-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2176-12-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2176-14-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/2176-13-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2204-62-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/2204-63-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2424-21-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2424-20-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2424-16-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2424-15-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/2424-27-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download