Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
23/11/2022, 09:46
General
-
Target
688015ef6e32189888233cf986e72d26be26ec234836d839f0ed854387c50a5e.exe
-
Size
32KB
-
MD5
ebd4ff5dd3b586aa279899a33dbc093b
-
SHA1
f861dc94a155c8a3d7952c79eca146ef61123c39
-
SHA256
688015ef6e32189888233cf986e72d26be26ec234836d839f0ed854387c50a5e
-
SHA512
973561d45cc8e4b31a91f0daf4504f555b34c352fd0d26750b4e3693ee38161881908598e909beaf2c2616b394f2a9dbdf5091158ae7594c09448329ad96dcf6
-
SSDEEP
192:/Tmxc4FkYQPY7bKTpBVhUkEV/r0rwxk1VY+gkGG2KM/qqleJnJtM3gxU4kzk/xA0:/TAnuAApBVhUfo16oCGvjc8WlD94o6
Score
6/10
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\688015ef6e32189888233cf986e72d26be26ec234836d839f0ed854387c50a5e.exe"C:\Users\Admin\AppData\Local\Temp\688015ef6e32189888233cf986e72d26be26ec234836d839f0ed854387c50a5e.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im dl.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im dl.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c explorer C:\users\public\windows\dl.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\users\public\windows\dl.exe3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run Time2" /t REG_SZ /d "c:\users\public\windows\dl.exe" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run Time2" /t REG_SZ /d "c:\users\public\windows\dl.exe" /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run Time" /t REG_SZ /d "c:\users\public\windows\m.e.exe" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run Time" /t REG_SZ /d "c:\users\public\windows\m.e.exe" /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\users\public\windows\file.sys /stext C:\users\public\windows\Att\log.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +h +r +s c:\Users\public\windows2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s c:\Users\public\windows3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im file.sys2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im file.sys3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c if exist C:\users\public\windows\windows.exe explorer C:\users\public\windows\windows.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir C:\ > C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir B:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir A:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir D:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir R:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir Q:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir G:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir H:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir I:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir J:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir K:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir L:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir N:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir M:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir O:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir P:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir F:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir E:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir S:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir T:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir U:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir V:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir W:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir X:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir Y:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir z:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /y C:\users\public\windows\key.sys C:\users\public\windows\Att\key.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /q C:\users\public\windows\Att\pic.jpg2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /q C:\users\public\windows\Att\log.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /q C:\users\public\windows\Att\key.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /q C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run Time" /t REG_SZ /d "c:\users\public\windows\m.e.exe" /f2⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run Time" /t REG_SZ /d "c:\users\public\windows\m.e.exe" /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run Time2" /t REG_SZ /d "c:\users\public\windows\dl.exe" /f2⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Run Time2" /t REG_SZ /d "c:\users\public\windows\dl.exe" /f3⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\users\public\windows\file.sys /stext C:\users\public\windows\Att\log.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib +h +r +s c:\Users\public\windows2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s c:\Users\public\windows3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im file.sys2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im file.sys3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c if exist C:\users\public\windows\windows.exe explorer C:\users\public\windows\windows.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir C:\ > C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir B:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir A:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir D:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir R:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir Q:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir G:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir H:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir I:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir J:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir K:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir L:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir N:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir M:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir O:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir P:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir F:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir S:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir E:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir T:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir U:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir V:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir W:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir X:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir z:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /y C:\users\public\windows\key.sys C:\users\public\windows\Att\key.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c dir Y:\ >> C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /q C:\users\public\windows\Att\pic.jpg2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /q C:\users\public\windows\Att\log.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /q C:\users\public\windows\Att\key.txt2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c del /f /q C:\users\public\windows\Att\abban.txt2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
64KB