983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc

Resubmissions

26/11/2023, 07:00

231126-hs2q9afc83 7

22/11/2023, 15:11

231122-skwv5sdc47 7

Analysis

max time kernel
71s
max time network
80s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
26/11/2023, 07:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
Size

3.1MB
MD5

79478b5b07ac98ab3e74e1cf14d2cc83
SHA1

f3d6a96125e47e7b671139047828c5987e144d2d
SHA256

983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc
SHA512

8cb740017d3b725e51340b7517980f8eeee8ebdb0d3abe3f61b2083d36fbdf8b53959f2df8793f09598e51348cf4a67daecfcbe700ffb662969adce5e5f5a9c7
SSDEEP

49152:QSG332u2RwEAvtt/JTof30WCT7sQ+rGQ:xG332uhEA985GQ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 30 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	hh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Music"	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	hh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 7800310000000000724a71a811004d7573696300640009000400efbe724a6fa8724a71a82e000000680500000000010000000000000000003a00000000003e261d004d007500730069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003300000014000000	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 7c003100000000005957766211005075626c69630000660009000400efbe724a6fa8595776622e000000630500000000010000000000000000003c0000000000e0cb41005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000595776621100557365727300640009000400efbe724a0b5d595776622e000000320500000000010000000000000000003a0000000000523b110155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 54003100000000007a573838100034554e48787200003e0009000400efbe7a5738387a5738382e0000007eab010000000900000000000000000000000000000017f8fb00340055004e00480078007200000016000000	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	hh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	hh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2516	hh.exe
2516	hh.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1020	372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	71
PID 372 wrote to memory of 1020	372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	71
PID 372 wrote to memory of 1020	372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	71
PID 372 wrote to memory of 2516	372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	72
PID 372 wrote to memory of 2516	372	983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe	72

C:\Users\Admin\AppData\Local\Temp\983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe
"C:\Users\Admin\AppData\Local\Temp\983d67d04388730ba628b27784a602d7e62f0e4089dee0332606bc9273063cfc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1020
- C:\Windows\hh.exe
  C:\Windows\hh.exe C:\Users\Public\Music\4UNHxr
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ATDTTW\CVCBSBc.exe

Filesize
13.1MB

MD5
b9cc4082b3d835bdf60f54d187cfc81e

SHA1
c0354fc04bcd27dd79aa5019a99654b7600c8388

SHA256
4b4fc187a3503f68fbeb540865b21d77e98bc8e83a155c8d5e725fe24eaa1910

SHA512
932064375ed1dfab06193b413b9400cf0ad83b3e3feb307e0f7ea8c5d1003577dbd2cb30e51fc32860f995085062fc77365ad6976513788e71c28d10d11b6ce7

Download Submit
C:\Users\Admin\AppData\Roaming\63MJ2\Embarcaderophi.lnk

Filesize
797B

MD5
b2872d58f5fddf385d1de7e55a5e15ab

SHA1
486698799986a0d0351a909cba783591061ff64b

SHA256
0d6d5c2e4afa942a8202ba67f855e8a9410afe7c117cca98e23d95cb7853453c

SHA512
635447dd3b3648d39a3de7c4b00dd6330ad757b82aa5d430b76ece92c59b2d95d06fb26f661a13f5d80b7e573b3bbe39bb10cca15ee1b129556742e5759c7cb9

Download Submit
C:\Users\Admin\AppData\Roaming\63MJ2\r81V.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
C:\Users\Admin\AppData\Roaming\63MJ2\r81V.exe

Filesize
105KB

MD5
6b8ebc942fe392c669b0b21bc8f83a03

SHA1
18fb9645a7365ae17b8386e47bec0b5ba6f5122f

SHA256
e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

SHA512
0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

Download Submit
C:\Users\Public\9C9C9C

Filesize
14.3MB

MD5
fa8e77c7e449aee331882f3f7d3db2a0

SHA1
4b7bff07d1e35f29dce8519a85f77304275f8b57

SHA256
4f4712991061b558707171e1406a0f3e74c2643834b841fadbdb61e86335e63d

SHA512
610d40af77197980b7ad016eda66ae6329564976e459139f724fed0b5e6e82c5d700748a9fa2ddaae4e6f0eac96c8efbc98545564b065d92cb008208843a2ec6

Download Submit
C:\Users\Public\Music\4UNHxr\03KDtn.url

Filesize
67B

MD5
eab032b4d22533c8679d354af74b5d71

SHA1
9fcfe605c92238d1ca7210ea6ffb05cef0323654

SHA256
e0194ca9c90324ac2843ee762a7ca87ab149f14b1437132fbd626bf903a6206b

SHA512
5d4307ce0931447a05b7cc1f97f534fac1525866d4e5e67235852a1b41e77346376b874f6569754bc4e3e692a03d1548114e3640d98daf2a1be88545b52f40b6

Download Submit
C:\Users\Public\Music\4UNHxr\03KDtn.url

Filesize
67B

MD5
eab032b4d22533c8679d354af74b5d71

SHA1
9fcfe605c92238d1ca7210ea6ffb05cef0323654

SHA256
e0194ca9c90324ac2843ee762a7ca87ab149f14b1437132fbd626bf903a6206b

SHA512
5d4307ce0931447a05b7cc1f97f534fac1525866d4e5e67235852a1b41e77346376b874f6569754bc4e3e692a03d1548114e3640d98daf2a1be88545b52f40b6

Download Submit
C:\Users\Public\Music\4UNHxr\1UOEyr.lnk

Filesize
1006B

MD5
ca400a30dba6013470078c5ea1a59e0e

SHA1
7500ad760886a4df103faf567c979351c2edf028

SHA256
0f27166a5f35f44cbfd10025bd0cd9c0a655fc04d4b7b878d14bbfe61e1da6bb

SHA512
aa4164842460660348630a87f439041dda1b87e4f0e7eca8ea34f6ab6e014abad6a81224944633cc59036e8cccecb2d4e40021d45785736a94fc0828e796549b

Download Submit
C:\Users\Public\Music\4UNHxr\3WNGwq.url

Filesize
67B

MD5
eab032b4d22533c8679d354af74b5d71

SHA1
9fcfe605c92238d1ca7210ea6ffb05cef0323654

SHA256
e0194ca9c90324ac2843ee762a7ca87ab149f14b1437132fbd626bf903a6206b

SHA512
5d4307ce0931447a05b7cc1f97f534fac1525866d4e5e67235852a1b41e77346376b874f6569754bc4e3e692a03d1548114e3640d98daf2a1be88545b52f40b6

Download Submit
C:\Users\Public\Music\4UNHxr\69QJDt.url

Filesize
67B

MD5
eab032b4d22533c8679d354af74b5d71

SHA1
9fcfe605c92238d1ca7210ea6ffb05cef0323654

SHA256
e0194ca9c90324ac2843ee762a7ca87ab149f14b1437132fbd626bf903a6206b

SHA512
5d4307ce0931447a05b7cc1f97f534fac1525866d4e5e67235852a1b41e77346376b874f6569754bc4e3e692a03d1548114e3640d98daf2a1be88545b52f40b6

Download Submit
C:\Users\Public\Music\4UNHxr\92WMGz.url

Filesize
67B

MD5
eab032b4d22533c8679d354af74b5d71

SHA1
9fcfe605c92238d1ca7210ea6ffb05cef0323654

SHA256
e0194ca9c90324ac2843ee762a7ca87ab149f14b1437132fbd626bf903a6206b

SHA512
5d4307ce0931447a05b7cc1f97f534fac1525866d4e5e67235852a1b41e77346376b874f6569754bc4e3e692a03d1548114e3640d98daf2a1be88545b52f40b6

Download Submit
C:\Users\Public\Music\4UNHxr\C92SMC.lnk

Filesize
1006B

MD5
ca400a30dba6013470078c5ea1a59e0e

SHA1
7500ad760886a4df103faf567c979351c2edf028

SHA256
0f27166a5f35f44cbfd10025bd0cd9c0a655fc04d4b7b878d14bbfe61e1da6bb

SHA512
aa4164842460660348630a87f439041dda1b87e4f0e7eca8ea34f6ab6e014abad6a81224944633cc59036e8cccecb2d4e40021d45785736a94fc0828e796549b

Download Submit
C:\Users\Public\Music\4UNHxr\OEyrib.lnk

Filesize
1006B

MD5
ca400a30dba6013470078c5ea1a59e0e

SHA1
7500ad760886a4df103faf567c979351c2edf028

SHA256
0f27166a5f35f44cbfd10025bd0cd9c0a655fc04d4b7b878d14bbfe61e1da6bb

SHA512
aa4164842460660348630a87f439041dda1b87e4f0e7eca8ea34f6ab6e014abad6a81224944633cc59036e8cccecb2d4e40021d45785736a94fc0828e796549b

Download Submit
C:\Users\Public\Music\4UNHxr\QGAga0.lnk

Filesize
1006B

MD5
e5ee2754964fdd263a9ea41a91428f0f

SHA1
1792797b76779ca5994896997052dce1297b1f79

SHA256
242174797e72876ff224a02d65baa0b704de99bf8a17dc556fba1c40ce34e5b9

SHA512
eabf97a5c8d7bfbe783eed8a22371fa7c7fe12a7edffbc7b78b683809734df7633f281ce2022d7c6970ad5448e412e92a8fe335797931bfc45e83488dae7dd45

Download Submit
C:\Users\Public\Music\4UNHxr\QUAunq.url

Filesize
67B

MD5
eab032b4d22533c8679d354af74b5d71

SHA1
9fcfe605c92238d1ca7210ea6ffb05cef0323654

SHA256
e0194ca9c90324ac2843ee762a7ca87ab149f14b1437132fbd626bf903a6206b

SHA512
5d4307ce0931447a05b7cc1f97f534fac1525866d4e5e67235852a1b41e77346376b874f6569754bc4e3e692a03d1548114e3640d98daf2a1be88545b52f40b6

Download Submit
C:\Users\Public\Music\4UNHxr\RArke4.lnk

Filesize
1006B

MD5
ca400a30dba6013470078c5ea1a59e0e

SHA1
7500ad760886a4df103faf567c979351c2edf028

SHA256
0f27166a5f35f44cbfd10025bd0cd9c0a655fc04d4b7b878d14bbfe61e1da6bb

SHA512
aa4164842460660348630a87f439041dda1b87e4f0e7eca8ea34f6ab6e014abad6a81224944633cc59036e8cccecb2d4e40021d45785736a94fc0828e796549b

Download Submit
C:\Users\Public\Music\4UNHxr\TNGxqk.url

Filesize
67B

MD5
eab032b4d22533c8679d354af74b5d71

SHA1
9fcfe605c92238d1ca7210ea6ffb05cef0323654

SHA256
e0194ca9c90324ac2843ee762a7ca87ab149f14b1437132fbd626bf903a6206b

SHA512
5d4307ce0931447a05b7cc1f97f534fac1525866d4e5e67235852a1b41e77346376b874f6569754bc4e3e692a03d1548114e3640d98daf2a1be88545b52f40b6

Download Submit
C:\Users\Public\Music\4UNHxr\pi9SJM.url

Filesize
67B

MD5
eab032b4d22533c8679d354af74b5d71

SHA1
9fcfe605c92238d1ca7210ea6ffb05cef0323654

SHA256
e0194ca9c90324ac2843ee762a7ca87ab149f14b1437132fbd626bf903a6206b

SHA512
5d4307ce0931447a05b7cc1f97f534fac1525866d4e5e67235852a1b41e77346376b874f6569754bc4e3e692a03d1548114e3640d98daf2a1be88545b52f40b6

Download Submit
C:\Users\Public\Music\4UNHxr\rb1UOE.lnk

Filesize
1006B

MD5
ca400a30dba6013470078c5ea1a59e0e

SHA1
7500ad760886a4df103faf567c979351c2edf028

SHA256
0f27166a5f35f44cbfd10025bd0cd9c0a655fc04d4b7b878d14bbfe61e1da6bb

SHA512
aa4164842460660348630a87f439041dda1b87e4f0e7eca8ea34f6ab6e014abad6a81224944633cc59036e8cccecb2d4e40021d45785736a94fc0828e796549b

Download Submit
C:\Users\Public\Music\4UNHxr\ysib5V.lnk

Filesize
1006B

MD5
ca400a30dba6013470078c5ea1a59e0e

SHA1
7500ad760886a4df103faf567c979351c2edf028

SHA256
0f27166a5f35f44cbfd10025bd0cd9c0a655fc04d4b7b878d14bbfe61e1da6bb

SHA512
aa4164842460660348630a87f439041dda1b87e4f0e7eca8ea34f6ab6e014abad6a81224944633cc59036e8cccecb2d4e40021d45785736a94fc0828e796549b

Download Submit
C:\Users\Public\Music\4UNHxr\ysib5V.lnk

Filesize
1006B

MD5
ca400a30dba6013470078c5ea1a59e0e

SHA1
7500ad760886a4df103faf567c979351c2edf028

SHA256
0f27166a5f35f44cbfd10025bd0cd9c0a655fc04d4b7b878d14bbfe61e1da6bb

SHA512
aa4164842460660348630a87f439041dda1b87e4f0e7eca8ea34f6ab6e014abad6a81224944633cc59036e8cccecb2d4e40021d45785736a94fc0828e796549b

Download Submit
memory/372-2-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/372-11-0x0000000000930000-0x0000000000976000-memory.dmp

Filesize
280KB

Download