e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
Size

144KB
MD5

1712b04615487183ff0753de33fa0ab1
SHA1

50fc233560cc0f368931ca5b47b7a689742f6ff2
SHA256

e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2
SHA512

6009df48809ce21225cf08565184ee6656d2cea59c306317f0c121310630e4b8f904f90c9328458c50885dde3c6d3848112784dcfa6b637a041c99d64a6f9166
SSDEEP

3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2568-443-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1580-1015-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/2568-1033-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/1580-1038-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

WindowsService.exeWindowsService.exeWindowsService.exe

pid process

2056 WindowsService.exe
1580 WindowsService.exe
3032 WindowsService.exe

pid	process
2056	WindowsService.exe
1580	WindowsService.exe
3032	WindowsService.exe

Loads dropped DLL 5 IoCs

Processes:

e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe

pid	process
2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2568-443-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1580-1015-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2568-1033-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1580-1038-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exeWindowsService.exe

description	pid	process	target process
PID 2836 set thread context of 2568	2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
PID 2056 set thread context of 1580	2056	WindowsService.exe	WindowsService.exe
PID 2056 set thread context of 3032	2056	WindowsService.exe	WindowsService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WindowsService.exe

description	pid	process
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe
Token: SeDebugPrivilege	1580	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exee8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exeWindowsService.exeWindowsService.exe

pid process

2836 e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
2568 e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
2056 WindowsService.exe
1580 WindowsService.exe

pid	process
2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
2056	WindowsService.exe
1580	WindowsService.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exee8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.execmd.exeWindowsService.exe

description	pid	process	target process
PID 2836 wrote to memory of 2568	2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
PID 2836 wrote to memory of 2568	2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
PID 2836 wrote to memory of 2568	2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
PID 2836 wrote to memory of 2568	2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
PID 2836 wrote to memory of 2568	2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
PID 2836 wrote to memory of 2568	2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
PID 2836 wrote to memory of 2568	2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
PID 2836 wrote to memory of 2568	2836	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
PID 2568 wrote to memory of 2428	2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	cmd.exe
PID 2568 wrote to memory of 2428	2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	cmd.exe
PID 2568 wrote to memory of 2428	2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	cmd.exe
PID 2568 wrote to memory of 2428	2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	cmd.exe
PID 2428 wrote to memory of 2864	2428	cmd.exe	reg.exe
PID 2428 wrote to memory of 2864	2428	cmd.exe	reg.exe
PID 2428 wrote to memory of 2864	2428	cmd.exe	reg.exe
PID 2428 wrote to memory of 2864	2428	cmd.exe	reg.exe
PID 2568 wrote to memory of 2056	2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	WindowsService.exe
PID 2568 wrote to memory of 2056	2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	WindowsService.exe
PID 2568 wrote to memory of 2056	2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	WindowsService.exe
PID 2568 wrote to memory of 2056	2568	e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe	WindowsService.exe
PID 2056 wrote to memory of 1580	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 1580	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 1580	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 1580	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 1580	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 1580	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 1580	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 1580	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe
PID 2056 wrote to memory of 3032	2056	WindowsService.exe	WindowsService.exe

C:\Users\Admin\AppData\Local\Temp\e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
"C:\Users\Admin\AppData\Local\Temp\e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe
"C:\Users\Admin\AppData\Local\Temp\e8d0e23d5aa07643065509a781685239885b04a3d39d78aa537e3dc3ae5075a2.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DNTLB.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
4⤵
- Adds Run key to start application
PID:2864

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
4⤵
- Executes dropped EXE
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DNTLB.bat
Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
Filesize
144KB

MD5
5e4a93d347247cfade9093c9f29d3601

SHA1
3d1f14773d89c4c1fa1b94d17b22d34399e657c4

SHA256
ed1932f7066e654bb43a25bd95cc42a296e879262594722fc2c284045cf44f85

SHA512
814baacd28b071ea99691f05a424984f921cc8d0f7852cd42187e0f01afe2ff9330a5a709b901046e3ee09a87fe413424cee4e7bd02144573fb10e77f4ad3870

Download Submit
memory/1580-1015-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1580-1038-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2568-443-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2568-1033-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2836-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download