77424ec56326bd0eb906a536de50ad0ca6402859d64185a2c0f1f9ea4a1a7f88

Analysis

max time kernel
136s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe
Size

430KB
MD5

0fe2858e0e16ac8a1df5aa63ca7dbfd5
SHA1

119678ca264fa18f7a1bda12ad17487b2abf325b
SHA256

77424ec56326bd0eb906a536de50ad0ca6402859d64185a2c0f1f9ea4a1a7f88
SHA512

9d70255823d5b90daf0eb6a36dc277ac3f4511fb5f83aeb2f2e7b5179ff29493d00580674dd6d349659299f57085d43e844f3a93f553b22be50b256abeba629a
SSDEEP

12288:ibee0PGl89WazvzkmMxM+ltxQMAn0Iv1b70ZSf2b:2edGBazvZMHltxtIv1bUS+b

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winder.lnk	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe

Loads dropped DLL 1 IoCs

pid	Process
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe = "C:\\System32\\0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe"	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe
2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2780	2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe	28
PID 2096 wrote to memory of 2780	2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe	28
PID 2096 wrote to memory of 2780	2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe	28
PID 2096 wrote to memory of 2780	2096	0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe	28

C:\Users\Admin\AppData\Local\Temp\0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe
"C:\Users\Admin\AppData\Local\Temp\0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs"
  2⤵
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS1.vbs

Filesize
653B

MD5
b81115435256a2b3354f468fa035d208

SHA1
3a1a3a10d21648528e2b41b1383ac0188dc8e4b8

SHA256
9135fea51f8794df773661fe193cbebcdf57d5e102a729cfd60b98bb0b98544b

SHA512
17367390bca1a4836ed86265cb8135772d894fdec7c1c8377af84aeb92b6517cde19f66f7e7fcf8dea57701c708a7a9549e881bb7a67938b302aa4814de5b4bf

Download Submit
\System32\0fe2858e0e16ac8a1df5aa63ca7dbfd5.exe

Filesize
430KB

MD5
ae67456c6b3279e6e22b7f5d05459314

SHA1
c65438621cbeaffc555cb5824dc2cc454a7270b1

SHA256
b9eff69862194eab33a3550b1baaeb45420a284fe7dca1e2f39e66d317254280

SHA512
2044343f5cebf001c5358fb8f2b4586116429d173441c3d73b03b93006e167fe44df0ac452b1edda53a02793441e5d2185e8cd5f683b2a60f53f0ad0ce8638b0

Download Submit
memory/2096-0-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2096-6-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2096-13-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/2096-14-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download