Analysis
max time kernel: 160s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 09:02
Static task: static1
Behavioral task: behavioral1
  Sample: 6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967.exe
  Resource: win10v2004-20220812-en
General
Target: 6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967.exe
Size: 52KB
MD5: 41f83a2522a774e9d24c529121dca3b0
SHA1: e9533ca6cdb6232f5e63fb8df4ef3d9f0a2b7596
SHA256: 6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967
SHA512: 30d3a6d83ccbddebc2341fc33b8962e883b7c1f5a9feda4f7482460d5446c35fedfb859af2ee08d2ca303fe47d4c89284ad9561b4096e7e94420c3717b923c99
SSDEEP: 768:iMJDmX0vMs3i6EJnXPUWPYf4c/AS3qERQpTn3tOn:vIX23i6ExX1bOEp2
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  860   WinSeven.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid    process
  1536   6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967.exe
  1536   6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description       ioc                                                                                                                                  process
  Key created       \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run                           REG.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinShell = "C:\\WinShell\\WinSeven.exe"   REG.exe
  Key created       \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run                           REG.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinShell = "C:\\WinShell\\WinSeven.exe"   REG.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description               ioc (in report order)                                                                                                              process
  File opened (read-only)   \??\O:, \??\W:, \??\Y:, \??\B:, \??\F:, \??\K:, \??\N:, \??\Q:, \??\S:, \??\T:, \??\V:, \??\A:,                                   WinSeven.exe
                            \??\E:, \??\I:, \??\M:, \??\X:, \??\Z:, \??\P:, \??\G:, \??\H:, \??\J:, \??\L:, \??\R:, \??\U:
Modifies registry key (1 TTP, 2 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process        entries
  860   WinSeven.exe   64 (all identical)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid    process                                                                   target process   entries
  PID 1536 wrote to memory of 1700   1536   6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967.exe   REG.exe          4
  PID 1536 wrote to memory of 860    1536   6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967.exe   WinSeven.exe     4
  PID 860 wrote to memory of 484     860    WinSeven.exe                                                              REG.exe          4
Processes (tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967.exe"
  PID: 1536
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\REG.exe
    Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinShell /t REG_SZ /d C:\WinShell\WinSeven.exe /f
    PID: 1700
    - Adds Run key to start application
    - Modifies registry key

  C:\WinShell\WinSeven.exe
    Command line: C:\WinShell\WinSeven.exe
    PID: 860
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\REG.exe
      Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinShell /t REG_SZ /d C:\WinShell\WinSeven.exe /f
      PID: 484
      - Adds Run key to start application
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads (5 entries, all with identical size and hashes)
Filesize: 52KB
MD5: 41f83a2522a774e9d24c529121dca3b0
SHA1: e9533ca6cdb6232f5e63fb8df4ef3d9f0a2b7596
SHA256: 6ea05f70451fd67d148800d867e07ab9dab628f365971c4474990c856a170967
SHA512: 30d3a6d83ccbddebc2341fc33b8962e883b7c1f5a9feda4f7482460d5446c35fedfb859af2ee08d2ca303fe47d4c89284ad9561b4096e7e94420c3717b923c99