aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f

Analysis

max time kernel
151s
max time network
99s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe
Size

198KB
MD5

a134c1aa25e2134f76c40591cae70ff0
SHA1

a93d183c03f31d75b0bedafc80fbff26aadb0174
SHA256

aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f
SHA512

772446e674f22f6413d463dde2c9de46ea346c0e7d4fc2740d0e18ade266b297e38f906d385e972bb85a650a04a951261f4fffc4b8309989a472a8bf73332081
SSDEEP

3072:nBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikzG26LOUp:nK5ArKjbAxXSaegUqGeGpBohMzi

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
948	forfdt32.exe
552	~19E8.tmp
296	cliprint.exe

Deletes itself 1 IoCs

pid	Process
796	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe
1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe
948	forfdt32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoayed = "C:\\Users\\Admin\\AppData\\Roaming\\ntpretup\\forfdt32.exe"	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cliprint.exe	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
948	forfdt32.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE
296	cliprint.exe
1400	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1400	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1400	Explorer.EXE
1400	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1400	Explorer.EXE
1400	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 948	1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	27
PID 1900 wrote to memory of 948	1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	27
PID 1900 wrote to memory of 948	1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	27
PID 1900 wrote to memory of 948	1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	27
PID 948 wrote to memory of 552	948	forfdt32.exe	28
PID 948 wrote to memory of 552	948	forfdt32.exe	28
PID 948 wrote to memory of 552	948	forfdt32.exe	28
PID 948 wrote to memory of 552	948	forfdt32.exe	28
PID 552 wrote to memory of 1400	552	~19E8.tmp	10
PID 1900 wrote to memory of 796	1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	30
PID 1900 wrote to memory of 796	1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	30
PID 1900 wrote to memory of 796	1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	30
PID 1900 wrote to memory of 796	1900	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	30
PID 796 wrote to memory of 568	796	cmd.exe	32
PID 796 wrote to memory of 568	796	cmd.exe	32
PID 796 wrote to memory of 568	796	cmd.exe	32
PID 796 wrote to memory of 568	796	cmd.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
568	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1400
- C:\Users\Admin\AppData\Local\Temp\aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe
  "C:\Users\Admin\AppData\Local\Temp\aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Roaming\ntpretup\forfdt32.exe
    "C:\Users\Admin\AppData\Roaming\ntpretup\forfdt32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\~19E8.tmp
      "C:\Users\Admin\AppData\Local\Temp\~19E8.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:552
- - C:\Windows\SysWOW64\cmd.exe
    /C 7086142.cmd
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe"
      4⤵
      Views/modifies file attributes
      PID:568

C:\Windows\SysWOW64\cliprint.exe
C:\Windows\SysWOW64\cliprint.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7086142.cmd

Filesize
285B

MD5
13dce8faf6f6316262e635926489b3f0

SHA1
95aa738d1b30720a16accedf1938195fb2f9752a

SHA256
2e9de79d1b2149c1852120bd1ed09ba8b0ba861a4e9b97061faf69ebfb8e3b7a

SHA512
7d70c21245b96b6852c9ca9c83f1bd760940fc3450305a724057127d3ff9baccb4d6db670d530e66a97afa6a1ee44626f7bbb6295fecd9e8d6b14a2ff2b8992f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~19E8.tmp

Filesize
6KB

MD5
317e24d34df67df951989662b840e157

SHA1
9dfdcd90c5929b0c9d0de600d10d24ad1c445c5c

SHA256
6449eeb2f5b612105a0f55dcf16c981ca31a40e61bae92b8a44a69933dad164d

SHA512
e36d4c9e8c848b40486bcd178ea4aba0d777e86b54916539fa02fd66d42882f5473e2ccd5ddfe42edfd604aaaa270141e782ac7470cbfe3a52445be046f23721

Download Submit
C:\Users\Admin\AppData\Roaming\ntpretup\forfdt32.exe

Filesize
172KB

MD5
61a5b4994f02a8ee6ce564428cc2396a

SHA1
4bbb3349281f3e1c4afa827294b0736068d3d1b4

SHA256
daa883edd408ae3be96aaaac4e4c6966b5490c16da7854941f302baba544f15e

SHA512
fe890b979ad4ab9568c3e5d36975f0453c2e8198b7b759fe2b692716998d6048d6b9d0b257615332df3111131766f97608723322b46182e1bcb68182d162471d

Download Submit
C:\Users\Admin\AppData\Roaming\ntpretup\forfdt32.exe

Filesize
172KB

MD5
61a5b4994f02a8ee6ce564428cc2396a

SHA1
4bbb3349281f3e1c4afa827294b0736068d3d1b4

SHA256
daa883edd408ae3be96aaaac4e4c6966b5490c16da7854941f302baba544f15e

SHA512
fe890b979ad4ab9568c3e5d36975f0453c2e8198b7b759fe2b692716998d6048d6b9d0b257615332df3111131766f97608723322b46182e1bcb68182d162471d

Download Submit
C:\Windows\SysWOW64\cliprint.exe

Filesize
198KB

MD5
a134c1aa25e2134f76c40591cae70ff0

SHA1
a93d183c03f31d75b0bedafc80fbff26aadb0174

SHA256
aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f

SHA512
772446e674f22f6413d463dde2c9de46ea346c0e7d4fc2740d0e18ade266b297e38f906d385e972bb85a650a04a951261f4fffc4b8309989a472a8bf73332081

Download Submit
C:\Windows\SysWOW64\cliprint.exe

Filesize
198KB

MD5
a134c1aa25e2134f76c40591cae70ff0

SHA1
a93d183c03f31d75b0bedafc80fbff26aadb0174

SHA256
aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f

SHA512
772446e674f22f6413d463dde2c9de46ea346c0e7d4fc2740d0e18ade266b297e38f906d385e972bb85a650a04a951261f4fffc4b8309989a472a8bf73332081

Download Submit
\Users\Admin\AppData\Local\Temp\~19E8.tmp

Filesize
6KB

MD5
317e24d34df67df951989662b840e157

SHA1
9dfdcd90c5929b0c9d0de600d10d24ad1c445c5c

SHA256
6449eeb2f5b612105a0f55dcf16c981ca31a40e61bae92b8a44a69933dad164d

SHA512
e36d4c9e8c848b40486bcd178ea4aba0d777e86b54916539fa02fd66d42882f5473e2ccd5ddfe42edfd604aaaa270141e782ac7470cbfe3a52445be046f23721

Download Submit
\Users\Admin\AppData\Roaming\ntpretup\forfdt32.exe

Filesize
172KB

MD5
61a5b4994f02a8ee6ce564428cc2396a

SHA1
4bbb3349281f3e1c4afa827294b0736068d3d1b4

SHA256
daa883edd408ae3be96aaaac4e4c6966b5490c16da7854941f302baba544f15e

SHA512
fe890b979ad4ab9568c3e5d36975f0453c2e8198b7b759fe2b692716998d6048d6b9d0b257615332df3111131766f97608723322b46182e1bcb68182d162471d

Download Submit
\Users\Admin\AppData\Roaming\ntpretup\forfdt32.exe

Filesize
172KB

MD5
61a5b4994f02a8ee6ce564428cc2396a

SHA1
4bbb3349281f3e1c4afa827294b0736068d3d1b4

SHA256
daa883edd408ae3be96aaaac4e4c6966b5490c16da7854941f302baba544f15e

SHA512
fe890b979ad4ab9568c3e5d36975f0453c2e8198b7b759fe2b692716998d6048d6b9d0b257615332df3111131766f97608723322b46182e1bcb68182d162471d

Download Submit
memory/296-74-0x00000000000E0000-0x0000000000124000-memory.dmp

Filesize
272KB

Download
memory/1400-67-0x00000000026E0000-0x0000000002721000-memory.dmp

Filesize
260KB

Download
memory/1400-65-0x00000000026E0000-0x0000000002721000-memory.dmp

Filesize
260KB

Download
memory/1400-75-0x000007FEF6970000-0x000007FEF6AB3000-memory.dmp

Filesize
1.3MB

Download
memory/1400-76-0x000007FEDCA00000-0x000007FEDCA0A000-memory.dmp

Filesize
40KB

Download
memory/1900-55-0x0000000000070000-0x00000000000B4000-memory.dmp

Filesize
272KB

Download
memory/1900-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download