9d76dd3d120b554def124db5edf875230f6609d71475765f1255822bdfc1f8f4

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188cd2171b27bda87f2451747d038eac.exe
Size

21KB
MD5

188cd2171b27bda87f2451747d038eac
SHA1

06a9108a9f3c9cf5f1cce17388686fd2f97410de
SHA256

9d76dd3d120b554def124db5edf875230f6609d71475765f1255822bdfc1f8f4
SHA512

3fff32535c0678557ca39ef9ec37b9bca917aecb379a1cde3002f78211040ce7e4aadd1de7c80ca5c1859d238646a57543c18f1ab2946732f69e9c1499849773
SSDEEP

384:+h/3opT7gogrRa07KSPZM95FhJ22ywEyrAMedMBQRTmFKdAdkQD+Ft9row:04pnvg9a0HMF+wNedMBQglept9v

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1368	188cd2171b27bda87f2451747d038eac.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\E0D39066.cfg	188cd2171b27bda87f2451747d038eac.exe
File opened for modification	C:\Windows\SysWOW64\E0D39066.dll	188cd2171b27bda87f2451747d038eac.exe
File created	C:\Windows\SysWOW64\6457aed.drv	188cd2171b27bda87f2451747d038eac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0D39066-96D7-4891-8527-488ADAFCD60F}	188cd2171b27bda87f2451747d038eac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0D39066-96D7-4891-8527-488ADAFCD60F}\InprocServer32	188cd2171b27bda87f2451747d038eac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0D39066-96D7-4891-8527-488ADAFCD60F}\InprocServer32\ = "E0D39066.dll"	188cd2171b27bda87f2451747d038eac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0D39066-96D7-4891-8527-488ADAFCD60F}\InprocServer32\ThreadingModel = "Apartment"	188cd2171b27bda87f2451747d038eac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{E0D39066-96D7-4891-8527-488ADAFCD60F}\InprocServer32	188cd2171b27bda87f2451747d038eac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	188cd2171b27bda87f2451747d038eac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID	188cd2171b27bda87f2451747d038eac.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1368	188cd2171b27bda87f2451747d038eac.exe
1368	188cd2171b27bda87f2451747d038eac.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe
Token: SeDebugPrivilege	1368	188cd2171b27bda87f2451747d038eac.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1368	188cd2171b27bda87f2451747d038eac.exe
1368	188cd2171b27bda87f2451747d038eac.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1368	188cd2171b27bda87f2451747d038eac.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2812	1368	188cd2171b27bda87f2451747d038eac.exe	28
PID 1368 wrote to memory of 2812	1368	188cd2171b27bda87f2451747d038eac.exe	28
PID 1368 wrote to memory of 2812	1368	188cd2171b27bda87f2451747d038eac.exe	28
PID 1368 wrote to memory of 2812	1368	188cd2171b27bda87f2451747d038eac.exe	28

C:\Users\Admin\AppData\Local\Temp\188cd2171b27bda87f2451747d038eac.exe
"C:\Users\Admin\AppData\Local\Temp\188cd2171b27bda87f2451747d038eac.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\188CD2~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\E0D39066.dll

Filesize
11KB

MD5
cfb8e135d06f33b9846b8640d7825ce9

SHA1
17c4cb59dc9ecc96a633c0df0831ae566585ed76

SHA256
608db9c488f642bfe4803b47f742d08bef0a2c4e355ca0b91d645ab9ce06965d

SHA512
9c7daecfa85f2a48a14405d7b00c4feb23cc7632160ce1f535174ebc044b1b7ecc8b9023fc7e69ca2ed7aa381522e52b339569292aa27af80fce1928e7128fbc

Download Submit
memory/1368-1-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1368-8-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1368-9-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download