aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
Size

383KB
MD5

1db53bc67d0c5582ae95fe3d679e1637
SHA1

1a218c03cdc6bb39059aed3e6558c976d4a4325e
SHA256

aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754
SHA512

65fbe9373d146b2e1b725c6fb0f9c80f657019ffe6bd2a229bb4320a961649b5177ae924573afa0e359ca4f9f4fcf41dcee235613ca565ebbd1d6ff2bfb8042f
SSDEEP

6144:qVFywauUSTZy00xLwo3dxMsDOa25X8QPm+4fqCgM7ciDKl:kywauUSlQ8SdxVq8Qr4yGQiDg

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer.exe = "c:\\explorer.exe"	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer.exe = "c:\\explorer.exe"	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe

Drops autorun.inf file 1 TTPs 13 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\h:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\i:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\l:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\n:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\o:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\e:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\d:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\f:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\g:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\j:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\k:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\m:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
File opened for modification	\??\c:\autorun.inf	aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe

C:\Users\Admin\AppData\Local\Temp\aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe
"C:\Users\Admin\AppData\Local\Temp\aff34d0f05a8c06874ddaff2a666f837d6ad2775a1945722b8d43f6ad9ea4754.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Drops autorun.inf file
PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-54-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1388-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1388-56-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads