8cdf678bed1558ca64a6788519e28f727a5ee75b808051530c1a2f0d9c974301

Resubmissions

10/10/2024, 16:44

241010-t82a7s1dmq 7

10/10/2024, 16:43

241010-t8bqjs1djp 5

10/10/2024, 16:30

241010-tz1nbazhmp 5

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mpclient.exe
Size

186KB
MD5

6bd4d7f68924301051c22e8a951aecba
SHA1

2ae2a6b863616b61ccb550fc1a145ae025896de1
SHA256

9afd12eede0db98a35aba52f53041efa4a2f2a03673672c7ac530830b7152392
SHA512

ebf97dcc36413e9c05da1df9d296bd5226f2c5acc86f8592755f10454328ffa90dc9805825ede64f350fade5de9cef73d050aad569b733f914da6aa92740f708
SSDEEP

3072:crWzrkggF1yGunZZwFrUhxDR1cAoPF+sq:uCzgF1enfwFrUk

Score

5^/10

upx

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 2808	2772	mpclient.exe	31
PID 876 set thread context of 2408	876	svchost.exe	35
PID 2408 set thread context of 2860	2408	svchost.exe	36

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2772-18-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral3/memory/2808-17-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral3/memory/2808-16-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral3/memory/2772-1-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral3/memory/2408-63-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral3/memory/876-46-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral3/memory/876-62-0x0000000180000000-0x0000000180066000-memory.dmp	upx
behavioral3/memory/2408-68-0x0000000180000000-0x0000000180066000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2772	mpclient.exe
2808	svchost.exe
2808	svchost.exe
2672	mpclient.exe
876	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2860	dllhost.exe
2860	dllhost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2808	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	svchost.exe
Token: SeTcbPrivilege	2808	svchost.exe
Token: SeAuditPrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2808	2772	mpclient.exe	31
PID 2772 wrote to memory of 2808	2772	mpclient.exe	31
PID 2772 wrote to memory of 2808	2772	mpclient.exe	31
PID 2772 wrote to memory of 2808	2772	mpclient.exe	31
PID 2772 wrote to memory of 2808	2772	mpclient.exe	31
PID 2772 wrote to memory of 2808	2772	mpclient.exe	31
PID 2564 wrote to memory of 2672	2564	taskeng.exe	33
PID 2564 wrote to memory of 2672	2564	taskeng.exe	33
PID 2564 wrote to memory of 2672	2564	taskeng.exe	33
PID 2672 wrote to memory of 876	2672	mpclient.exe	13
PID 2672 wrote to memory of 876	2672	mpclient.exe	13
PID 2672 wrote to memory of 876	2672	mpclient.exe	13
PID 876 wrote to memory of 2408	876	svchost.exe	35
PID 876 wrote to memory of 2408	876	svchost.exe	35
PID 876 wrote to memory of 2408	876	svchost.exe	35
PID 876 wrote to memory of 2408	876	svchost.exe	35
PID 876 wrote to memory of 2408	876	svchost.exe	35
PID 876 wrote to memory of 2408	876	svchost.exe	35
PID 2408 wrote to memory of 2860	2408	svchost.exe	36
PID 2408 wrote to memory of 2860	2408	svchost.exe	36
PID 2408 wrote to memory of 2860	2408	svchost.exe	36
PID 2408 wrote to memory of 2860	2408	svchost.exe	36
PID 2408 wrote to memory of 2860	2408	svchost.exe	36
PID 2408 wrote to memory of 2860	2408	svchost.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\system32\taskeng.exe
  taskeng.exe {F7C262D6-F24E-49C5-8480-288B74597E89} S-1-5-18:NT AUTHORITY\System:Service:
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\mpclient.exe
    C:\Windows\system32\mpclient.exe -svc
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2672
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2860

C:\Users\Admin\AppData\Local\Temp\mpclient.exe
"C:\Users\Admin\AppData\Local\Temp\mpclient.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -Install
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-36-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/876-62-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/876-46-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2408-68-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2408-61-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2408-63-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2672-31-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2672-39-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2672-55-0x000007FEF7670000-0x000007FEF77D2000-memory.dmp

Filesize
1.4MB

Download
memory/2672-40-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2772-18-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2772-0-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2772-1-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2772-20-0x00000000773E1000-0x00000000774E2000-memory.dmp

Filesize
1.0MB

Download
memory/2772-6-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2772-21-0x000007FEF77E0000-0x000007FEF7942000-memory.dmp

Filesize
1.4MB

Download
memory/2808-24-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2808-11-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2808-16-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2808-17-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2808-8-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2808-19-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2808-25-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2808-22-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download
memory/2808-7-0x0000000000070000-0x00000000000A0000-memory.dmp

Filesize
192KB

Download
memory/2808-23-0x00000000773E0000-0x0000000077589000-memory.dmp

Filesize
1.7MB

Download