Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 04:05
Static task: static1
Behavioral task: behavioral1
  Sample: e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  Resource: win10v2004-20240508-en
General
Target: e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
Size: 144KB
MD5: 1712b04615487183ff0753de33fa0ab1
SHA1: 50fc233560cc0f368931ca5b47b7a689742f6ff2
SHA256: e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2
SHA512: 6009df48809ce21225cf08565184ee6656d2cea59c306317f0c121310630e4b8f904f90c9328458c50885dde3c6d3848112784dcfa6b637a041c99d64a6f9166
SSDEEP: 3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/
Malware Config
Signatures
UPX dump on OEP (original entry point) 4 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2568-443-0x0000000000400000-0x000000000040B000-memory.dmp   UPX
  behavioral1/memory/1580-1015-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
  behavioral1/memory/2568-1033-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
  behavioral1/memory/1580-1038-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2056  WindowsService.exe
  1580  WindowsService.exe
  3032  WindowsService.exe
Loads dropped DLL 5 IoCs
Processes:
  pid   process
  2568  e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  2568  e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  2568  e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  2568  e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  2568  e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2568-443-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1580-1015-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/2568-1033-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/1580-1038-0x0000000000400000-0x000000000040B000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"
  process: reg.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process                                                                 target process
  PID 2836 set thread context of 2568  2836  e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe  e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  PID 2056 set thread context of 1580  2056  WindowsService.exe                                                      WindowsService.exe
  PID 2056 set thread context of 3032  2056  WindowsService.exe                                                      WindowsService.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid   process
  2836  e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  2568  e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  2056  WindowsService.exe
  1580  WindowsService.exe
Suspicious use of WriteProcessMemory 41 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\DNTLB.bat" "
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
        - Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\DNTLB.bat
  Filesize: 157B
  MD5: f6a90c20834f271a907a4e2bc28184c2
  SHA1: 36c9d1602b74f622346fbb22693597d7889df48d
  SHA256: 73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd
  SHA512: 39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
  Filesize: 144KB
  MD5: 5e4a93d347247cfade9093c9f29d3601
  SHA1: 3d1f14773d89c4c1fa1b94d17b22d34399e657c4
  SHA256: ed1932f7066e654bb43a25bd95cc42a296e879262594722fc2c284045cf44f85
  SHA512: 814baacd28b071ea99691f05a424984f921cc8d0f7852cd42187e0f01afe2ff9330a5a709b901046e3ee09a87fe413424cee4e7bd02144573fb10e77f4ad3870

memory/1580-1015-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB

memory/1580-1038-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB

memory/2568-443-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB

memory/2568-1033-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB

memory/2836-2-0x0000000000230000-0x0000000000231000-memory.dmp
  Filesize: 4KB