Analysis
max time kernel: 143s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 15:26
Static task: static1
Behavioral task: behavioral1
  Sample: 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
  Resource: win10v2004-20220812-en
General
Target: 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Size: 410KB
MD5: 7a7480af8a1ccbed68379b892fa3b98f
SHA1: 44d1359ee883d40c98e25eadea0b7e1dd8a530b3
SHA256: 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8
SHA512: 6240595577c2b1b2f9d278ff482560b90468347aa1c1179ddff3121d143db8988b50e8a36eadfeda8ea71df8219460798941d2812822664e773dfcdc4b7be09c
SSDEEP: 6144:WdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqY:s8kxNhOZElO5kkWjhD4A45lGU
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\OPRXZ.EXE \"%1\" %*" | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | KHEBE.EXE
Executes dropped EXE (1 IoCs)
pid | Process
1068 | KHEBE.EXE
Loads dropped DLL (2 IoCs)
pid | Process
1808 | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
1808 | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JZESNV.EXE = "C:\\Program Files (x86)\\WYYNP.EXE" | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\O:, \??\P:, \??\J:, \??\S:, \??\U:, \??\V:, \??\H:, \??\I:, \??\N:, \??\Q:, \??\R:, \??\T:, \??\F:, \??\K:, \??\L:, \??\M: (18 drive letters, one IoC each, in the order observed) | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File created | C:\Program Files\OPRXZ.EXE | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
File created | C:\Program Files (x86)\WYYNP.EXE | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
File created | C:\Program Files\KHEBE.EXE | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
File created | C:\Program Files\VZMOY.EXE | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
File created | C:\Program Files (x86)\QJZIMS.EXE | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\System Volume Information\\UCIISYW.EXE \"%1\"" | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files\\VZMOY.EXE %1" | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\$Recycle.Bin\\XWC.EXE %1" | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\OPRXZ.EXE \"%1\" %*" | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\LUMDZPH.EXE \"%1\"" | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | KHEBE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1068 | KHEBE.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1808 wrote to memory of 1068 | 1808 | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe | 27
PID 1808 wrote to memory of 1068 | 1808 | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe | 27
PID 1808 wrote to memory of 1068 | 1808 | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe | 27
PID 1808 wrote to memory of 1068 | 1808 | 7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe | 27
Processes
1. C:\Users\Admin\AppData\Local\Temp\7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a966aec2f208fd9da7b3182c974f0734e9862d9df173383ac55bf0e83d672e8.exe"
   PID: 1808
   - Modifies system executable filetype association
   - Loads dropped DLL
   - Adds Run key to start application
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. (child of PID 1808) C:\Program Files\KHEBE.EXE
      Command line: "C:\Program Files\KHEBE.EXE"
      PID: 1068
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 411KB
MD5: 656eec7eb1309c2769c5ec82c7b7069f
SHA1: 14304023da2c7545201fe08ee4e8a7c58084003e
SHA256: 1344cefafc8ee1db7b78ce431263eee0efad70c24d2dd06045b1fb7791c27cae
SHA512: 5984388e71fc0622e35ff30c48a44b09dfeaffe4c2ab945fc54d399ae2c47a5837621eb6941405c5a2190c5e6fe8854c04d4cac81826af39837a3e97a2cf80e3