90c7f6fdf17ea53fc93d505af6e8b33f935b8ca191fbb396dd9a20346c36a33d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mdesk.exe
Size

19KB
MD5

67a035cfbd88e0019a9ab29f3e9d1dff
SHA1

1c9146153ec2fee14f0a7241bf10a76d3091f75a
SHA256

d996d3b77f5914a543f09e7afc33c915444fcd4405987ca040d46d8f5ad5a03c
SHA512

642197998a13de4c1a2707f5473a19704e7b76646c4c12fbad4e763613bd63c0b771c63d4d30e90a1fa75a8b9e50310b02a08c119e11f0c50bd0fb9946fa6184
SSDEEP

384:G6tapNYBGgBhswX5vR2u5y35+QKDk4ZWGu:G6kpNWBVV1co

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2348-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral3/memory/3036-3-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral3/memory/1872-2-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral3/memory/2348-8-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral3/memory/2440-9-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral3/memory/1672-10-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral3/memory/1872-13-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral3/memory/3036-14-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral3/memory/2348-19-0x0000000000400000-0x0000000000414000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2348	mdesk.exe
1872	mdesk.exe
2440	mdesk.exe
1672	mdesk.exe
3036	mdesk.exe
2440	mdesk.exe
1872	mdesk.exe
1672	mdesk.exe
3036	mdesk.exe
2440	mdesk.exe
1872	mdesk.exe
1672	mdesk.exe
3036	mdesk.exe
1872	mdesk.exe
2440	mdesk.exe
1672	mdesk.exe
3036	mdesk.exe
2440	mdesk.exe
1872	mdesk.exe
1672	mdesk.exe
3036	mdesk.exe
1872	mdesk.exe
2440	mdesk.exe
1672	mdesk.exe
3036	mdesk.exe
1672	mdesk.exe
2440	mdesk.exe
2440	mdesk.exe
1872	mdesk.exe
1872	mdesk.exe
1672	mdesk.exe
3036	mdesk.exe
3036	mdesk.exe
1672	mdesk.exe
1672	mdesk.exe
1872	mdesk.exe
1872	mdesk.exe
2440	mdesk.exe
2440	mdesk.exe
3036	mdesk.exe
3036	mdesk.exe
2440	mdesk.exe
2440	mdesk.exe
1872	mdesk.exe
1672	mdesk.exe
1672	mdesk.exe
1872	mdesk.exe
3036	mdesk.exe
3036	mdesk.exe
2440	mdesk.exe
2440	mdesk.exe
1672	mdesk.exe
1672	mdesk.exe
1872	mdesk.exe
1872	mdesk.exe
3036	mdesk.exe
3036	mdesk.exe
2440	mdesk.exe
1672	mdesk.exe
1872	mdesk.exe
1872	mdesk.exe
1672	mdesk.exe
2440	mdesk.exe
3036	mdesk.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2348	mdesk.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1944	2348	mdesk.exe	30
PID 2348 wrote to memory of 1944	2348	mdesk.exe	30
PID 2348 wrote to memory of 1944	2348	mdesk.exe	30
PID 2348 wrote to memory of 1944	2348	mdesk.exe	30
PID 2348 wrote to memory of 2440	2348	mdesk.exe	31
PID 2348 wrote to memory of 2440	2348	mdesk.exe	31
PID 2348 wrote to memory of 2440	2348	mdesk.exe	31
PID 2348 wrote to memory of 2440	2348	mdesk.exe	31
PID 2348 wrote to memory of 1660	2348	mdesk.exe	32
PID 2348 wrote to memory of 1660	2348	mdesk.exe	32
PID 2348 wrote to memory of 1660	2348	mdesk.exe	32
PID 2348 wrote to memory of 1660	2348	mdesk.exe	32
PID 2348 wrote to memory of 1672	2348	mdesk.exe	33
PID 2348 wrote to memory of 1672	2348	mdesk.exe	33
PID 2348 wrote to memory of 1672	2348	mdesk.exe	33
PID 2348 wrote to memory of 1672	2348	mdesk.exe	33
PID 2348 wrote to memory of 1268	2348	mdesk.exe	34
PID 2348 wrote to memory of 1268	2348	mdesk.exe	34
PID 2348 wrote to memory of 1268	2348	mdesk.exe	34
PID 2348 wrote to memory of 1268	2348	mdesk.exe	34
PID 2348 wrote to memory of 1872	2348	mdesk.exe	35
PID 2348 wrote to memory of 1872	2348	mdesk.exe	35
PID 2348 wrote to memory of 1872	2348	mdesk.exe	35
PID 2348 wrote to memory of 1872	2348	mdesk.exe	35
PID 2348 wrote to memory of 1920	2348	mdesk.exe	36
PID 2348 wrote to memory of 1920	2348	mdesk.exe	36
PID 2348 wrote to memory of 1920	2348	mdesk.exe	36
PID 2348 wrote to memory of 1920	2348	mdesk.exe	36
PID 2348 wrote to memory of 3036	2348	mdesk.exe	37
PID 2348 wrote to memory of 3036	2348	mdesk.exe	37
PID 2348 wrote to memory of 3036	2348	mdesk.exe	37
PID 2348 wrote to memory of 3036	2348	mdesk.exe	37
PID 2440 wrote to memory of 2024	2440	mdesk.exe	38
PID 2440 wrote to memory of 2024	2440	mdesk.exe	38
PID 2440 wrote to memory of 2024	2440	mdesk.exe	38
PID 2440 wrote to memory of 2024	2440	mdesk.exe	38
PID 1872 wrote to memory of 2976	1872	mdesk.exe	39
PID 1872 wrote to memory of 2976	1872	mdesk.exe	39
PID 1872 wrote to memory of 2976	1872	mdesk.exe	39
PID 1872 wrote to memory of 2976	1872	mdesk.exe	39
PID 1672 wrote to memory of 1244	1672	mdesk.exe	40
PID 1672 wrote to memory of 1244	1672	mdesk.exe	40
PID 1672 wrote to memory of 1244	1672	mdesk.exe	40
PID 1672 wrote to memory of 1244	1672	mdesk.exe	40
PID 3036 wrote to memory of 2712	3036	mdesk.exe	41
PID 3036 wrote to memory of 2712	3036	mdesk.exe	41
PID 3036 wrote to memory of 2712	3036	mdesk.exe	41
PID 3036 wrote to memory of 2712	3036	mdesk.exe	41

C:\Users\Admin\AppData\Local\Temp\mdesk.exe
"C:\Users\Admin\AppData\Local\Temp\mdesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\explorer.exe
  explorer
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\mdesk.exe
  makedesktop desk1 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\ctfmon.exe
    ctfmon.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- C:\Windows\SysWOW64\explorer.exe
  explorer
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\mdesk.exe
  makedesktop desk2 2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\ctfmon.exe
    ctfmon.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244
- C:\Windows\SysWOW64\explorer.exe
  explorer
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\mdesk.exe
  makedesktop desk3 3
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\ctfmon.exe
    ctfmon.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2976
- C:\Windows\SysWOW64\explorer.exe
  explorer
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\mdesk.exe
  makedesktop desk4 4
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\ctfmon.exe
    ctfmon.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1872-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1872-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2348-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2348-1-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/2348-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2348-12-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/2348-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2440-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2728-4-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/3036-3-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3036-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download