790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
Size

9.6MB
MD5

8bbf32652f6abb02f0a7f2a685c05fb1
SHA1

df2a98d438b6f1335e48f24a4a0db3905b8be7a8
SHA256

790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994
SHA512

85e72b9ae43abff1e4ae6da697c0988b64da543f9d1a2a122a12c95f3f6d328d71be723d7990ddc783892ae76d1a065b58e7277cc472dd27e527f01d858be610
SSDEEP

98304:rB2+2HuJMe8d1XdhBiiMaHB2+2HuJMe8d1XdhBiiMatQ3YI+W:rKiMeoikHKiMeoiktQoI+W

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\s.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe"	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMC.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
2604	790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe

C:\Users\Admin\AppData\Local\Temp\790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe
"C:\Users\Admin\AppData\Local\Temp\790e94a172413951c8ea0706e310d9f305e0563f734102e54e1340b82691a994.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\UndoWait.exe

Filesize
9.8MB

MD5
4404438e8cfa0609e66bc09e456037af

SHA1
e5756649c7c5a76dc974529ed17a09b64389acd1

SHA256
37900c1437fc6792d5b5679b48271657b57366db6bb89e0e4234939289678c39

SHA512
7caa9a7876a3a6721d9a4f570386f0e8ffa2d902ff0a1227119db0a52f0996c2d17cddf15093c4c85bc2066d112b47c57e20bf8b98ad522907333ad270dcc39c

Download Submit