f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697

Analysis

max time kernel
152s
max time network
169s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe
Size

9KB
MD5

025ebe37cbd1df010258595ae75a20e7
SHA1

a991f680d7f96b3ef3ab5dd814ed5e1162831ed7
SHA256

f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697
SHA512

48fd55a4ba080c358cb1741c546e5754553ffe0933e82e025049f5996fe879e3d227428405a116a4abf89982a0b5d22e32112d8ed6920b6100cc02835d6280c0
SSDEEP

192:7s01DK+colPfr55/IGy2AfnwB5fVHw3Gwin34zk:RDxcIhI+A/exw3GBn34Y

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1456	WebLdr.exe

Deletes itself 1 IoCs

pid	Process
1456	WebLdr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	WebLdr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebLdr = "C:\\Windows\\WebLdr.exe"	WebLdr.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WebLdr.exe	f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe
File opened for modification	C:\Windows\WebLdr.exe	f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
904	f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe
1456	WebLdr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1456	904	f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe	27
PID 904 wrote to memory of 1456	904	f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe	27
PID 904 wrote to memory of 1456	904	f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe	27
PID 904 wrote to memory of 1456	904	f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe	27

C:\Users\Admin\AppData\Local\Temp\f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe
"C:\Users\Admin\AppData\Local\Temp\f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\WebLdr.exe
  C:\Windows\WebLdr.exe -del=C:\Users\Admin\AppData\Local\Temp\f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WebLdr.exe

Filesize
9KB

MD5
025ebe37cbd1df010258595ae75a20e7

SHA1
a991f680d7f96b3ef3ab5dd814ed5e1162831ed7

SHA256
f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697

SHA512
48fd55a4ba080c358cb1741c546e5754553ffe0933e82e025049f5996fe879e3d227428405a116a4abf89982a0b5d22e32112d8ed6920b6100cc02835d6280c0

Download Submit
C:\Windows\WebLdr.exe

Filesize
9KB

MD5
025ebe37cbd1df010258595ae75a20e7

SHA1
a991f680d7f96b3ef3ab5dd814ed5e1162831ed7

SHA256
f2787b27913cb1b1addc0200c4afa00c643a6b38cca3c4213ec1f16b7e331697

SHA512
48fd55a4ba080c358cb1741c546e5754553ffe0933e82e025049f5996fe879e3d227428405a116a4abf89982a0b5d22e32112d8ed6920b6100cc02835d6280c0

Download Submit