c2e01983eb3132929ee391c9fadc3638f2ad85e62363e87e79c4f5382175f040

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 12:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c8a32921cd3c618b5eed7e01c3b3435.exe
Size

78KB
MD5

8c8a32921cd3c618b5eed7e01c3b3435
SHA1

74016feaceefec461112e376e9501a72aa3ee19a
SHA256

c2e01983eb3132929ee391c9fadc3638f2ad85e62363e87e79c4f5382175f040
SHA512

657b6f56c58bd85316073c61e915aa88b7f43178ffd6adcb7036761c836ed0f5505f296533a97de28d86537ea89d44330fa38809cce807ac6be0138714e9629c
SSDEEP

1536:PVdePelp2Xy+tuQOzOYE5aXPn1kF8cenb9jUp5uAITHbS6:oweqOYEUXPn1/pUp89THbL

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WAASME~1\WAASME~1.ETL	cmd.exe
File opened for modification	C:\Windows\Logs\WAASME~1\WAASME~2.ETL	cmd.exe
File opened for modification	C:\Windows\Logs\WAASME~1\WAASME~3.ETL	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	8c8a32921cd3c618b5eed7e01c3b3435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Microsoft Office\root\Office16\Winword.exe.FriendlyAppName = "Word"	8c8a32921cd3c618b5eed7e01c3b3435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.FriendlyAppName = "Adobe Acrobat Reader DC"	8c8a32921cd3c618b5eed7e01c3b3435.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup\C:\Program Files\Internet Explorer\iexplore.exe.ApplicationCompany = "Microsoft Corporation"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup\C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.FriendlyAppName = "Adobe Acrobat Reader DC"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Microsoft Office\root\Office16\Winword.exe.ApplicationCompany = "Microsoft Corporation"	8c8a32921cd3c618b5eed7e01c3b3435.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup	8c8a32921cd3c618b5eed7e01c3b3435.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup\LangID = 0904	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup\C:\Program Files\Internet Explorer\iexplore.exe.FriendlyAppName = "Internet Explorer"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup\C:\Program Files\Microsoft Office\root\Office16\Winword.exe.ApplicationCompany = "Microsoft Corporation"	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\LangID = 0904	8c8a32921cd3c618b5eed7e01c3b3435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Internet Explorer\iexplore.exe.FriendlyAppName = "Internet Explorer"	8c8a32921cd3c618b5eed7e01c3b3435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.ApplicationCompany = "Adobe Systems Incorporated"	8c8a32921cd3c618b5eed7e01c3b3435.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup\C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.ApplicationCompany = "Adobe Systems Incorporated"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	8c8a32921cd3c618b5eed7e01c3b3435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Internet Explorer\iexplore.exe.ApplicationCompany = "Microsoft Corporation"	8c8a32921cd3c618b5eed7e01c3b3435.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup\C:\Program Files\Microsoft Office\root\Office16\Winword.exe.FriendlyAppName = "Word"	reg.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1836	regedit.exe
436	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe
5116	8c8a32921cd3c618b5eed7e01c3b3435.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 984	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	87
PID 5116 wrote to memory of 984	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	87
PID 5116 wrote to memory of 984	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	87
PID 984 wrote to memory of 2508	984	cmd.exe	89
PID 984 wrote to memory of 2508	984	cmd.exe	89
PID 984 wrote to memory of 2508	984	cmd.exe	89
PID 5116 wrote to memory of 4636	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	90
PID 5116 wrote to memory of 4636	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	90
PID 5116 wrote to memory of 4636	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	90
PID 5116 wrote to memory of 4700	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	93
PID 5116 wrote to memory of 4700	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	93
PID 5116 wrote to memory of 4700	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	93
PID 5116 wrote to memory of 4668	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	96
PID 5116 wrote to memory of 4668	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	96
PID 5116 wrote to memory of 4668	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	96
PID 5116 wrote to memory of 3188	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	99
PID 5116 wrote to memory of 3188	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	99
PID 5116 wrote to memory of 3188	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	99
PID 3188 wrote to memory of 4896	3188	cmd.exe	101
PID 3188 wrote to memory of 4896	3188	cmd.exe	101
PID 3188 wrote to memory of 4896	3188	cmd.exe	101
PID 5116 wrote to memory of 5072	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	102
PID 5116 wrote to memory of 5072	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	102
PID 5072 wrote to memory of 1836	5072	regedt32.exe	103
PID 5072 wrote to memory of 1836	5072	regedt32.exe	103
PID 5116 wrote to memory of 3172	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	104
PID 5116 wrote to memory of 3172	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	104
PID 5116 wrote to memory of 3172	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	104
PID 3172 wrote to memory of 392	3172	cmd.exe	106
PID 3172 wrote to memory of 392	3172	cmd.exe	106
PID 3172 wrote to memory of 392	3172	cmd.exe	106
PID 5116 wrote to memory of 4884	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	107
PID 5116 wrote to memory of 4884	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	107
PID 4884 wrote to memory of 436	4884	regedt32.exe	108
PID 4884 wrote to memory of 436	4884	regedt32.exe	108
PID 5116 wrote to memory of 4176	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	109
PID 5116 wrote to memory of 4176	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	109
PID 5116 wrote to memory of 4176	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	109
PID 5116 wrote to memory of 1432	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	111
PID 5116 wrote to memory of 1432	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	111
PID 5116 wrote to memory of 1432	5116	8c8a32921cd3c618b5eed7e01c3b3435.exe	111

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2508	attrib.exe
392	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8c8a32921cd3c618b5eed7e01c3b3435.exe
"C:\Users\Admin\AppData\Local\Temp\8c8a32921cd3c618b5eed7e01c3b3435.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +h /D "C:\Users\Admin\AppData\Local\Temp\Data\Viber Media S.à r.l"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h /D "C:\Users\Admin\AppData\Local\Temp\Data\Viber Media S.à r.l"
    3⤵
    - Views/modifies file attributes
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c MKLINK /J "C:\Users\Admin\AppData\Roaming\ViberPC" "C:\Users\Admin\AppData\Local\Temp\Data\ViberPC"
  2⤵
  PID:4636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c MKLINK /J "C:\Users\Admin\Documents\ViberDownloads" "C:\Users\Admin\AppData\Local\Temp\Data\ViberDownloads"
  2⤵
  PID:4700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c MKLINK /J "C:\Users\Admin\AppData\Local\Viber Media S.à r.l" "C:\Users\Admin\AppData\Local\Temp\Data\Viber Media S.à r.l"
  2⤵
  PID:4668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg copy "HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" "HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup" /s /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\reg.exe
    reg copy "HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" "HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache-Backup" /s /f
    3⤵
    - Modifies registry class
    PID:4896
- C:\Windows\system32\regedt32.exe
  sysnative\regedt32.exe /s "C:\Users\Admin\AppData\Local\Temp\Data\ID.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\Data\ID.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +h "C:\Users\Admin\AppData\Local\Temp\Data\*.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Admin\AppData\Local\Temp\Data\*.reg"
    3⤵
    - Views/modifies file attributes
    PID:392
- C:\Windows\system32\regedt32.exe
  sysnative\regedt32.exe /s "C:\Users\Admin\AppData\Local\Temp\Data\MachineGuid.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\regedit.exe
    "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\Data\MachineGuid.reg"
    3⤵
    - Runs .reg file with regedit
    PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c pushd %TEMP% && rd /s /q .
  2⤵
  PID:4176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c pushd %WINDIR%\Logs && rd /s /q .
  2⤵
  - Drops file in Windows directory
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Data\MachineGuid.reg

Filesize
298B

MD5
90ea323fbfbcd23980a07d21818c6fdb

SHA1
cb2062dbfb85a81af4e7a57ec84a8d7639ea1522

SHA256
fcd7523dea1c8e4bf86917e74db64767239a9a50b3ab611a69ecccd2438e7b7a

SHA512
80f189f90360fab542ea651cb535a66359d92bb63621cebfda7ddaa7a2f4dcc8db69b40ee957d141c7d95192b58a4a3bac88ecd94d511fd8fea584291c0efe24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4586.tmp

Filesize
126KB

MD5
b5437fdf6c57c8d2378c6b93660af08f

SHA1
38acede01373878a2ae429c6b07a73a8720484d8

SHA256
1e29d181588a1a276a6463538f3dc7dd848b96e654293c9e129465ee44ab6ac2

SHA512
49de1f330739a423eda28817029b8e59fbf90c620e31446a8127b7d2387510d96fa4dd438289388dd379b4e0566b28a69ef0aa7658412be0a6e45ee6f89b6107

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4587.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4587.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp4587.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit