983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc

Resubmissions

26/11/2023, 07:00

231126-hs2q9afc83 7

22/11/2023, 15:11

231122-skwv5sdc47 7

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 07:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
Size

3.1MB
MD5

79478b5b07ac98ab3e74e1cf14d2cc83
SHA1

f3d6a96125e47e7b671139047828c5987e144d2d
SHA256

983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc
SHA512

8cb740017d3b725e51340b7517980f8eeee8ebdb0d3abe3f61b2083d36fbdf8b53959f2df8793f09598e51348cf4a67daecfcbe700ffb662969adce5e5f5a9c7
SSDEEP

49152:QSG332u2RwEAvtt/JTof30WCT7sQ+rGQ:xG332uhEA985GQ

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_Classes\Local Settings	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000007a5728381000746a6436575100003a0008000400efbe7a5728387a5728382a000000b85e010000000800000000000000000000000000000074006a006400360057005100000016000000	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 78003100000000007a57263811005075626c69630000620008000400efbeee3a851a7a5726382a0000007c0200000000010000000000000000003800000000005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 740031000000000057578d7a1100557365727300600008000400efbeee3a851a57578d7a2a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	hh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	hh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Music"	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 74003100000000007a57283811004d7573696300600008000400efbeee3a851a7a5728382a000000820200000000010000000000000000003600000000004d007500730069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003300000014000000	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	hh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2736	hh.exe
2736	hh.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2264	1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	29
PID 1356 wrote to memory of 2264	1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	29
PID 1356 wrote to memory of 2264	1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	29
PID 1356 wrote to memory of 2264	1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	29
PID 1356 wrote to memory of 2736	1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	30
PID 1356 wrote to memory of 2736	1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	30
PID 1356 wrote to memory of 2736	1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	30
PID 1356 wrote to memory of 2736	1356	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	30

C:\Users\Admin\AppData\Local\Temp\983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
"C:\Users\Admin\AppData\Local\Temp\983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2264
- C:\Windows\hh.exe
  C:\Windows\hh.exe C:\Users\Public\Music\tjd6WQ
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XGXG0G\T9T9TCc.exe

Filesize
13.1MB

MD5
b9cc4082b3d835bdf60f54d187cfc81e

SHA1
c0354fc04bcd27dd79aa5019a99654b7600c8388

SHA256
4b4fc187a3503f68fbeb540865b21d77e98bc8e83a155c8d5e725fe24eaa1910

SHA512
932064375ed1dfab06193b413b9400cf0ad83b3e3feb307e0f7ea8c5d1003577dbd2cb30e51fc32860f995085062fc77365ad6976513788e71c28d10d11b6ce7

Download Submit
C:\Users\Admin\AppData\Roaming\UDXDX\KEuo.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
C:\Users\Admin\AppData\Roaming\UDXDX\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk

Filesize
756B

MD5
cf1902aa7e9519cf301706fcb77551a8

SHA1
435ac4ead78f046e082346351843a9c32f78fc04

SHA256
7b5418dfd8ef943b5ed035a9700e50ec10e9f1b4c382f690ea8bc74d2835a227

SHA512
1f09db84df4a2531880b5f7127b84b08e8342e31cfd1efb46aa532aea0722bbb0943cda28d3fc78dba0279abe9336d3bc416582099b79f8adb8515c003e54681

Download Submit
C:\Users\Public\GWG_F_

Filesize
14.3MB

MD5
fa8e77c7e449aee331882f3f7d3db2a0

SHA1
4b7bff07d1e35f29dce8519a85f77304275f8b57

SHA256
4f4712991061b558707171e1406a0f3e74c2643834b841fadbdb61e86335e63d

SHA512
610d40af77197980b7ad016eda66ae6329564976e459139f724fed0b5e6e82c5d700748a9fa2ddaae4e6f0eac96c8efbc98545564b065d92cb008208843a2ec6

Download Submit
C:\Users\Public\Music\tjd6WQ\KDunh7.url

Filesize
67B

MD5
bfb881dc2963304a3b9ba0288c0d7da4

SHA1
b7c27a2886a66a0571c8b798dfca9fae79763db1

SHA256
74f9120feeed3d72037f9a3c1c7ba4ebe70bb3807a2117c48adab51cdbe0e8c8

SHA512
d86f8ff85da293eecb5274be40d42b2ed168269adbded095e5044700666469044dd78d7d375a46d018743760e5f9b755da75a160b44fc11a8688df85663ec0f8

Download Submit
C:\Users\Public\Music\tjd6WQ\zqj93W.lnk

Filesize
923B

MD5
207d405ed0ff4f90a491c1ef5c062136

SHA1
4c55ac9b744e2d2cce3527536de9a4ae7fbf647e

SHA256
68309197bf7f3941e8b72294154c3eef0fcea8013ac08e6e93fccaf0da8862aa

SHA512
f3d7dd1aff04b652b912f17efb7613f71eb21966bb60a7103a56da73679271e7e4cae7bcff4e42f8b3a9dec7beaff10c771d5a7c2c31689c5e747afc66bf09d1

Download Submit
\ProgramData\XGXG0G\T9T9TCc.exe

Filesize
13.1MB

MD5
b9cc4082b3d835bdf60f54d187cfc81e

SHA1
c0354fc04bcd27dd79aa5019a99654b7600c8388

SHA256
4b4fc187a3503f68fbeb540865b21d77e98bc8e83a155c8d5e725fe24eaa1910

SHA512
932064375ed1dfab06193b413b9400cf0ad83b3e3feb307e0f7ea8c5d1003577dbd2cb30e51fc32860f995085062fc77365ad6976513788e71c28d10d11b6ce7

Download Submit
\Users\Admin\AppData\Roaming\UDXDX\KEuo.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
\Users\Admin\AppData\Roaming\UDXDX\KEuo.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
\Users\Admin\AppData\Roaming\UDXDX\KEuo.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
\Users\Admin\AppData\Roaming\UDXDX\KEuo.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
\Users\Admin\AppData\Roaming\UDXDX\KEuo.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
\Users\Admin\AppData\Roaming\UDXDX\KEuo.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
\Users\Admin\AppData\Roaming\UDXDX\KEuo.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
memory/1356-30-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

Filesize
64KB

Download
memory/1356-2-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/1356-72-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

Filesize
64KB

Download
memory/1356-11-0x0000000002B50000-0x0000000002B96000-memory.dmp

Filesize
280KB

Download
memory/1356-93-0x0000000002BA0000-0x0000000002BA6000-memory.dmp

Filesize
24KB

Download
memory/2736-42-0x0000000004150000-0x0000000004160000-memory.dmp

Filesize
64KB

Download