Analysis

max time kernel: 182s
max time network: 166s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 24-12-2023 22:50

Static task: static1
Behavioral task: behavioral1
Sample: 1706ed67d8d8f67bfc7f16f6fea1071f.exe
Resource: win7-20231215-en
General

Target: 1706ed67d8d8f67bfc7f16f6fea1071f.exe
Size: 284KB
MD5: 1706ed67d8d8f67bfc7f16f6fea1071f
SHA1: 0afb89559fa41c0c300c07fb954c932c30d7b28f
SHA256: 06fb068b1899c50c2ea0561ca20d04f9d3c56f8e8475bf970f0f7c493a760b5b
SHA512: 02cc08b1558dbf18f0157ca02f45e5483c27bd9110d92a1af2bd3692e1690504f12869ba1ee0a275048949400b3e15de2f16e9539ff26224cbf4555fc2854644
SSDEEP: 6144:7qRejcYWesEPUF5Z5C5hvh4tL/k7z2oPS1Ew9cSiyPfg+:TOF57CjuJuX2Ew9xY+
Malware Config

Signatures

Modifies security service (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 1706ed67d8d8f67bfc7f16f6fea1071f.exe

Disables taskbar notifications via registry modification

Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Executes dropped EXE (1 IoCs)
  pid | process
  1812 | BB44.tmp

Loads dropped DLL (2 IoCs)
  pid | process
  2240 | 1706ed67d8d8f67bfc7f16f6fea1071f.exe
  2240 | 1706ed67d8d8f67bfc7f16f6fea1071f.exe
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

  resource | yara_rule
  behavioral1/memory/2240-1-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2240-3-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2240-7-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2240-12-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/988-69-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/988-68-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2240-72-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/2240-130-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/1656-132-0x0000000000400000-0x000000000046B000-memory.dmp | upx
  behavioral1/memory/988-190-0x0000000001E30000-0x0000000001F30000-memory.dmp | upx
  behavioral1/memory/2240-229-0x0000000000400000-0x000000000046B000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0D7.exe = "C:\\Program Files (x86)\\LP\\F98B\\0D7.exe" | 1706ed67d8d8f67bfc7f16f6fea1071f.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (3 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\LP\F98B\0D7.exe | 1706ed67d8d8f67bfc7f16f6fea1071f.exe
  File opened for modification | C:\Program Files (x86)\LP\F98B\0D7.exe | 1706ed67d8d8f67bfc7f16f6fea1071f.exe
  File opened for modification | C:\Program Files (x86)\LP\F98B\BB44.tmp | 1706ed67d8d8f67bfc7f16f6fea1071f.exe

Modifies registry class (5 IoCs)
  description | ioc | process
  Set value (data) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | process
  2240 | 1706ed67d8d8f67bfc7f16f6fea1071f.exe (14 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  800 | explorer.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  description | pid | process
  Token: SeRestorePrivilege | 2552 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2552 | msiexec.exe
  Token: SeSecurityPrivilege | 2552 | msiexec.exe
  Token: SeShutdownPrivilege | 800 | explorer.exe (12 identical entries)

Suspicious use of FindShellTrayWindow (28 IoCs)
  pid | process
  800 | explorer.exe (28 identical entries)

Suspicious use of SendNotifyMessage (18 IoCs)
  pid | process
  800 | explorer.exe (18 identical entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | procid_target
  PID 2240 wrote to memory of 1812 | 2240 | 1706ed67d8d8f67bfc7f16f6fea1071f.exe | 33 (4 identical entries)
  PID 2240 wrote to memory of 988 | 2240 | 1706ed67d8d8f67bfc7f16f6fea1071f.exe | 34 (4 identical entries)
  PID 2240 wrote to memory of 1656 | 2240 | 1706ed67d8d8f67bfc7f16f6fea1071f.exe | 37 (4 identical entries)

System policy modification (1 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 1706ed67d8d8f67bfc7f16f6fea1071f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 1706ed67d8d8f67bfc7f16f6fea1071f.exe

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\1706ed67d8d8f67bfc7f16f6fea1071f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1706ed67d8d8f67bfc7f16f6fea1071f.exe"
  PID: 2240
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Program Files (x86)\LP\F98B\BB44.tmp
    command line: "C:\Program Files (x86)\LP\F98B\BB44.tmp"
    PID: 1812
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\1706ed67d8d8f67bfc7f16f6fea1071f.exe
    command line: C:\Users\Admin\AppData\Local\Temp\1706ed67d8d8f67bfc7f16f6fea1071f.exe startC:\Users\Admin\AppData\Roaming\BF8E1\A1BF9.exe%C:\Users\Admin\AppData\Roaming\BF8E1
    PID: 988

  C:\Users\Admin\AppData\Local\Temp\1706ed67d8d8f67bfc7f16f6fea1071f.exe
    command line: C:\Users\Admin\AppData\Local\Temp\1706ed67d8d8f67bfc7f16f6fea1071f.exe startC:\Program Files (x86)\E1315\lvvm.exe%C:\Program Files (x86)\E1315
    PID: 1656

C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  PID: 2552
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe
  command line: explorer.exe
  PID: 800
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 1KB
MD5: 820714a1153dfde8bf5c242d5b829bed
SHA1: 9159452624e15bc885169dfb1e5e7a50231b7d8f
SHA256: 9abd9b39fd46e8a8b2cd879902423f677b0a0f76343b1c8a24f9d263977754d5
SHA512: 7037a8a9f83ccdd49e7ed60cd5f2b0cfa224d475f45869d76b8daf3bafaa0fae1fdc89510003c9ef6e46684b2604075f0fb649aeaf98e90bbec13cc88c4e0fd2

Filesize: 1KB
MD5: 870ad183e136f2b2811fd103c16caf6b
SHA1: 3a555550207e09f8cb3fa6d0230b0c41b223b2f0
SHA256: 129936a175943bfcd7b41c1b719c7c99ce4317651f2d16a31ed5b45acff6b11b
SHA512: fab03e052d2416d2243b2f25b317a2fd792b20650c44db46de80ce5a23f903a9af773b6eda4d8be32652770c968363f5600cea75aa794981148aa7699f726ecc

Filesize: 297B
MD5: 1fde134c51649c7454c529d97819224a
SHA1: ec11a5395284164a52fabee3d041f5cb58e9348d
SHA256: 7849e8adf534031f0c545f6f5294c0c39a394d21013bed70e73e4b7e15c4195a
SHA512: b54d78cf88bb5df1f8c4372c0c2fafd5a79e2ccfa0480f9a70bd00a3e9aa8bbefa860c626c9e3df7814ab9946748e5b5f7fbe0d3c0c6549c41de9c462767cc9b

Filesize: 597B
MD5: 79bce8ffa0c498f43874ef9555bd02bb
SHA1: c430dc6161f30ef39a045a1aee60691b2c7d62cf
SHA256: 231a4a67951c34f6757ebc31e6864a98390f34185bfd9aac3527766002375964
SHA512: dce4c5f1b53458f4ca012ddc4ca6ff97539084203403af463f4706b344823c4778f82483d0548a72f7390760b62cc34fcbee66571c21a9a58120bc002b84f907

Filesize: 897B
MD5: efdb9b24a25ee10bcd93d395dbbe7f72
SHA1: fbd47e88797bdf8bbf74dee9162d7d6a12ddc2d8
SHA256: 1e24b531c173bfdf5b9208bccce2240ef90059fcfe3c3c352b4ccae75bdfec1f
SHA512: 31af207df9ef2dd555d5cc07ec3ae21b59544e3f775ce3037fc317006fbd090cdacb250b410da47a65fb57983b10e416ca44cad099a6aaabc20179b877b54b47

Filesize: 99KB
MD5: f2a253e558976d2d90c49d5154ffe1b8
SHA1: 527acecd863143b49546317bb4611fea134b442b
SHA256: d8420ed0c4c492a51f9c7906d590002de6ec86c4b10dad22c33272615a658d84
SHA512: 0053d0d2169d10a287f2d01ee6d9b3a4182d5f97ef58cdb3fd66d865c6969df1b0a7b72e3be3b2892aaa9b2ec18152f43216b4da9d2b71142fb2cd737e4db88a