573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585

General

Target

573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe
Size

52KB
MD5

2a72c920d64a878511682e43c87e5270
SHA1

cbe0118c82ff55d37575d1d0070a1d9cec07c229
SHA256

573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585
SHA512

24ab2e61fae46dcd384f87458ffef3cc0ae7a558a1e27cfd98d48fa6c322b3de504d6ac0f2a12a7e57e2cc51a74996d24a8688860d3e0385f0c75cac8f13d6ec
SSDEEP

768:iMJDmX0vMs3i6EJnXPUWPYf4c/AS3qERQpTn3b:vIX23i6ExX1bOEpv

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

WinSeven.exe

pid process

604 WinSeven.exe

Loads dropped DLL 2 IoCs

Processes:

573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe

pid	process
1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe
1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeREG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinShell = "C:\\WinShell\\WinSeven.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinShell = "C:\\WinShell\\WinSeven.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WinSeven.exe

description	ioc	process
File opened (read-only)	\??\T:	WinSeven.exe
File opened (read-only)	\??\E:	WinSeven.exe
File opened (read-only)	\??\K:	WinSeven.exe
File opened (read-only)	\??\N:	WinSeven.exe
File opened (read-only)	\??\O:	WinSeven.exe
File opened (read-only)	\??\M:	WinSeven.exe
File opened (read-only)	\??\W:	WinSeven.exe
File opened (read-only)	\??\Y:	WinSeven.exe
File opened (read-only)	\??\A:	WinSeven.exe
File opened (read-only)	\??\G:	WinSeven.exe
File opened (read-only)	\??\J:	WinSeven.exe
File opened (read-only)	\??\L:	WinSeven.exe
File opened (read-only)	\??\B:	WinSeven.exe
File opened (read-only)	\??\P:	WinSeven.exe
File opened (read-only)	\??\V:	WinSeven.exe
File opened (read-only)	\??\Z:	WinSeven.exe
File opened (read-only)	\??\R:	WinSeven.exe
File opened (read-only)	\??\S:	WinSeven.exe
File opened (read-only)	\??\U:	WinSeven.exe
File opened (read-only)	\??\X:	WinSeven.exe
File opened (read-only)	\??\F:	WinSeven.exe
File opened (read-only)	\??\H:	WinSeven.exe
File opened (read-only)	\??\I:	WinSeven.exe
File opened (read-only)	\??\Q:	WinSeven.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exe

pid process

1236 REG.exe
304 REG.exe

pid	process
1236	REG.exe
304	REG.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WinSeven.exe

pid	process
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe
604	WinSeven.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exeWinSeven.exe

description	pid	process	target process
PID 1348 wrote to memory of 1236	1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	REG.exe
PID 1348 wrote to memory of 1236	1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	REG.exe
PID 1348 wrote to memory of 1236	1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	REG.exe
PID 1348 wrote to memory of 1236	1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	REG.exe
PID 1348 wrote to memory of 604	1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	WinSeven.exe
PID 1348 wrote to memory of 604	1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	WinSeven.exe
PID 1348 wrote to memory of 604	1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	WinSeven.exe
PID 1348 wrote to memory of 604	1348	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	WinSeven.exe
PID 604 wrote to memory of 304	604	WinSeven.exe	REG.exe
PID 604 wrote to memory of 304	604	WinSeven.exe	REG.exe
PID 604 wrote to memory of 304	604	WinSeven.exe	REG.exe
PID 604 wrote to memory of 304	604	WinSeven.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe
"C:\Users\Admin\AppData\Local\Temp\573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\REG.exe
  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinShell /t REG_SZ /d C:\WinShell\WinSeven.exe /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1236
- C:\WinShell\WinSeven.exe
  C:\WinShell\WinSeven.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinShell /t REG_SZ /d C:\WinShell\WinSeven.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe

Filesize
52KB

MD5
938d6d97628275a512e07c66be5ccecf

SHA1
97e468e47489e38b33b0f14714a775c619ba9a90

SHA256
5fd0979fbbecbde4e4c00555c04c739c9769b18923009bc715c012201afeaa13

SHA512
f1327386d651fceed2264742f23ec0b1229920af18e8f054f6052f46cb9a126bf02038a31de2bc75bdf2b72b1303b1bbb57696aba4b4810fae2905c2c3bdda2f

Download Submit
C:\WinShell\WinSeven.exe

Filesize
52KB

MD5
2a72c920d64a878511682e43c87e5270

SHA1
cbe0118c82ff55d37575d1d0070a1d9cec07c229

SHA256
573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585

SHA512
24ab2e61fae46dcd384f87458ffef3cc0ae7a558a1e27cfd98d48fa6c322b3de504d6ac0f2a12a7e57e2cc51a74996d24a8688860d3e0385f0c75cac8f13d6ec

Download Submit
C:\WinShell\WinSeven.exe

Filesize
52KB

MD5
2a72c920d64a878511682e43c87e5270

SHA1
cbe0118c82ff55d37575d1d0070a1d9cec07c229

SHA256
573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585

SHA512
24ab2e61fae46dcd384f87458ffef3cc0ae7a558a1e27cfd98d48fa6c322b3de504d6ac0f2a12a7e57e2cc51a74996d24a8688860d3e0385f0c75cac8f13d6ec

Download Submit
\WinShell\WinSeven.exe

Filesize
52KB

MD5
2a72c920d64a878511682e43c87e5270

SHA1
cbe0118c82ff55d37575d1d0070a1d9cec07c229

SHA256
573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585

SHA512
24ab2e61fae46dcd384f87458ffef3cc0ae7a558a1e27cfd98d48fa6c322b3de504d6ac0f2a12a7e57e2cc51a74996d24a8688860d3e0385f0c75cac8f13d6ec

Download Submit
\WinShell\WinSeven.exe

Filesize
52KB

MD5
2a72c920d64a878511682e43c87e5270

SHA1
cbe0118c82ff55d37575d1d0070a1d9cec07c229

SHA256
573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585

SHA512
24ab2e61fae46dcd384f87458ffef3cc0ae7a558a1e27cfd98d48fa6c322b3de504d6ac0f2a12a7e57e2cc51a74996d24a8688860d3e0385f0c75cac8f13d6ec

Download Submit
memory/304-59-0x0000000000000000-mapping.dmp

Download
memory/604-57-0x0000000000000000-mapping.dmp

Download
memory/1236-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads