573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585

General

Target

573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe
Size

52KB
MD5

2a72c920d64a878511682e43c87e5270
SHA1

cbe0118c82ff55d37575d1d0070a1d9cec07c229
SHA256

573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585
SHA512

24ab2e61fae46dcd384f87458ffef3cc0ae7a558a1e27cfd98d48fa6c322b3de504d6ac0f2a12a7e57e2cc51a74996d24a8688860d3e0385f0c75cac8f13d6ec
SSDEEP

768:iMJDmX0vMs3i6EJnXPUWPYf4c/AS3qERQpTn3b:vIX23i6ExX1bOEpv

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

WinSeven.exe

pid process

436 WinSeven.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeREG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinShell = "C:\\WinShell\\WinSeven.exe"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinShell = "C:\\WinShell\\WinSeven.exe"	REG.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WinSeven.exe

description	ioc	process
File opened (read-only)	\??\I:	WinSeven.exe
File opened (read-only)	\??\O:	WinSeven.exe
File opened (read-only)	\??\R:	WinSeven.exe
File opened (read-only)	\??\Z:	WinSeven.exe
File opened (read-only)	\??\E:	WinSeven.exe
File opened (read-only)	\??\S:	WinSeven.exe
File opened (read-only)	\??\T:	WinSeven.exe
File opened (read-only)	\??\Q:	WinSeven.exe
File opened (read-only)	\??\B:	WinSeven.exe
File opened (read-only)	\??\G:	WinSeven.exe
File opened (read-only)	\??\K:	WinSeven.exe
File opened (read-only)	\??\M:	WinSeven.exe
File opened (read-only)	\??\P:	WinSeven.exe
File opened (read-only)	\??\V:	WinSeven.exe
File opened (read-only)	\??\X:	WinSeven.exe
File opened (read-only)	\??\A:	WinSeven.exe
File opened (read-only)	\??\Y:	WinSeven.exe
File opened (read-only)	\??\H:	WinSeven.exe
File opened (read-only)	\??\J:	WinSeven.exe
File opened (read-only)	\??\L:	WinSeven.exe
File opened (read-only)	\??\N:	WinSeven.exe
File opened (read-only)	\??\U:	WinSeven.exe
File opened (read-only)	\??\W:	WinSeven.exe
File opened (read-only)	\??\F:	WinSeven.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exe

pid process

2700 REG.exe
5064 REG.exe

pid	process
2700	REG.exe
5064	REG.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WinSeven.exe

pid	process
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe
436	WinSeven.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exeWinSeven.exe

description	pid	process	target process
PID 3292 wrote to memory of 2700	3292	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	REG.exe
PID 3292 wrote to memory of 2700	3292	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	REG.exe
PID 3292 wrote to memory of 2700	3292	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	REG.exe
PID 3292 wrote to memory of 436	3292	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	WinSeven.exe
PID 3292 wrote to memory of 436	3292	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	WinSeven.exe
PID 3292 wrote to memory of 436	3292	573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe	WinSeven.exe
PID 436 wrote to memory of 5064	436	WinSeven.exe	REG.exe
PID 436 wrote to memory of 5064	436	WinSeven.exe	REG.exe
PID 436 wrote to memory of 5064	436	WinSeven.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe
"C:\Users\Admin\AppData\Local\Temp\573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\SysWOW64\REG.exe
  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinShell /t REG_SZ /d C:\WinShell\WinSeven.exe /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2700
- C:\WinShell\WinSeven.exe
  C:\WinShell\WinSeven.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinShell /t REG_SZ /d C:\WinShell\WinSeven.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\taskhost.exe

Filesize
52KB

MD5
2a72c920d64a878511682e43c87e5270

SHA1
cbe0118c82ff55d37575d1d0070a1d9cec07c229

SHA256
573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585

SHA512
24ab2e61fae46dcd384f87458ffef3cc0ae7a558a1e27cfd98d48fa6c322b3de504d6ac0f2a12a7e57e2cc51a74996d24a8688860d3e0385f0c75cac8f13d6ec

Download Submit
C:\WinShell\WinSeven.exe

Filesize
52KB

MD5
2a72c920d64a878511682e43c87e5270

SHA1
cbe0118c82ff55d37575d1d0070a1d9cec07c229

SHA256
573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585

SHA512
24ab2e61fae46dcd384f87458ffef3cc0ae7a558a1e27cfd98d48fa6c322b3de504d6ac0f2a12a7e57e2cc51a74996d24a8688860d3e0385f0c75cac8f13d6ec

Download Submit
C:\WinShell\WinSeven.exe

Filesize
52KB

MD5
2a72c920d64a878511682e43c87e5270

SHA1
cbe0118c82ff55d37575d1d0070a1d9cec07c229

SHA256
573104c3c9b6716d1dd1f9fc87f205aaf26d8a679cd8e9b360dc84dceb17c585

SHA512
24ab2e61fae46dcd384f87458ffef3cc0ae7a558a1e27cfd98d48fa6c322b3de504d6ac0f2a12a7e57e2cc51a74996d24a8688860d3e0385f0c75cac8f13d6ec

Download Submit
memory/436-133-0x0000000000000000-mapping.dmp

Download
memory/2700-132-0x0000000000000000-mapping.dmp

Download
memory/5064-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads