75f5fae8f75dfa54e7ff3dae1fd76234ac2948d91d7238b6458003ec2ed37b70

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e0eff7079eff8797680109cb9fdcb6c.exe
Size

1.9MB
MD5

0e0eff7079eff8797680109cb9fdcb6c
SHA1

875b4b657cfa08d1521fd6d9910962230c2a14b4
SHA256

75f5fae8f75dfa54e7ff3dae1fd76234ac2948d91d7238b6458003ec2ed37b70
SHA512

c7c3833109bf7458c2e9cd4229d69e37c9823bbe783c64d3b4c4fa0b2c842c73c76ecf280121d400af492ad609aaddbc910dbc5643f9bb2d47b8a023bac7a879
SSDEEP

49152:1bF0xWdc/eS4exnHZi18axvXP8l33t1JFCGLvEcTIMMdY17V:ZF0x8c/11HBGv/WHtUQvx/yY15

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\PCenter\\pc.exe"	0e0eff7079eff8797680109cb9fdcb6c.exe

Executes dropped EXE 1 IoCs

pid	Process
2576	agent.exe

Loads dropped DLL 6 IoCs

pid	Process
2032	0e0eff7079eff8797680109cb9fdcb6c.exe
2032	0e0eff7079eff8797680109cb9fdcb6c.exe
2032	0e0eff7079eff8797680109cb9fdcb6c.exe
2576	agent.exe
2576	agent.exe
2576	agent.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\agent.exe = "C:\\Program Files (x86)\\PCenter\\agent.exe"	0e0eff7079eff8797680109cb9fdcb6c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PCenter\faq\images\gimg10.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg2.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg3.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg5.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg7.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg8.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\pc.exe	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg1.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg4.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg9.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\sounds\3.mp3	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\guide.html	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\faq\images\gimg6.jpg	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\uninstall.exe	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\agent.exe	0e0eff7079eff8797680109cb9fdcb6c.exe
File created	C:\Program Files (x86)\PCenter\sounds\1.mp3	0e0eff7079eff8797680109cb9fdcb6c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2576	agent.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2576	agent.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2576	agent.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2576	2032	0e0eff7079eff8797680109cb9fdcb6c.exe	23
PID 2032 wrote to memory of 2576	2032	0e0eff7079eff8797680109cb9fdcb6c.exe	23
PID 2032 wrote to memory of 2576	2032	0e0eff7079eff8797680109cb9fdcb6c.exe	23
PID 2032 wrote to memory of 2576	2032	0e0eff7079eff8797680109cb9fdcb6c.exe	23
PID 2032 wrote to memory of 2576	2032	0e0eff7079eff8797680109cb9fdcb6c.exe	23
PID 2032 wrote to memory of 2576	2032	0e0eff7079eff8797680109cb9fdcb6c.exe	23
PID 2032 wrote to memory of 2576	2032	0e0eff7079eff8797680109cb9fdcb6c.exe	23

C:\Users\Admin\AppData\Local\Temp\0e0eff7079eff8797680109cb9fdcb6c.exe
"C:\Users\Admin\AppData\Local\Temp\0e0eff7079eff8797680109cb9fdcb6c.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files (x86)\PCenter\agent.exe
  "C:\Program Files (x86)\PCenter\agent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PCenter\agent.exe

Filesize
30KB

MD5
e652a22bd77113f3626792db69e8b94d

SHA1
5b98f50feaecc6906fd9810d6b82cededdb09925

SHA256
44b1367ef7d14edadfb75207b92db7c26e6509852d93a0c2d5052052b7f22c44

SHA512
980150204d87633f9a35be39d105598d61ac7760d2bef8347bda86de2c15b978cfcc5d4c294a7a2ff9e193af84fa7187d3caa0570ab3a225f919d521f832a4ae

Download Submit
C:\Program Files (x86)\PCenter\agent.exe

Filesize
13KB

MD5
28d34ac215b92a191d4bd2cd39ffda3e

SHA1
85660ca0cbb1e9b219a69a87a3d3a4ef5e3652f4

SHA256
f71b147c7b082a5e2cb67ead26a93962b18e469d2989155cb562a5908c7056a9

SHA512
eec46922007a3dc383755704cf21b03d28942bcd717bb5cd02635ee0f76cc463cf58c3a6469a97a2a5cc80825400e88504e50858235bfb415c57b5e51648727a

Download Submit
C:\Program Files (x86)\PCenter\agent.exe

Filesize
37KB

MD5
6f7193f2acb9bb662b25ddd97a980966

SHA1
308594ecf08480be44d3cc2008736d76e7f5418b

SHA256
07c5988d61e9f49bc0cd940de3c51f14d7dbc2de5f6d98cdb26bc2a97b83663d

SHA512
3d9b7229ddc256534b6ddd96e818d933918f34ecbb8a929187b0ced9a87a7a751109498c9b7b5c6ff24f8e78a311eaf95776e936d6bfea41f99071d7bcc03e10

Download Submit
\Program Files (x86)\PCenter\agent.exe

Filesize
58B

MD5
24c806f539d29e2c8c2aa6735d433ced

SHA1
8a64fae1f667cb8d6e712c74f4ae7c3907b184b2

SHA256
fa99547d8552faeb6822f646cc4e23b4e257e0b3f9144f52abb33cf851108489

SHA512
70934d9fc8cad9561b1186452437d68a8942132c4185ac71c66429543c79dd8f7c7ce1b6439443505d475d83184ed4d6712f687fdad821728a877f8b8871dac4

Download Submit
\Program Files (x86)\PCenter\agent.exe

Filesize
7KB

MD5
2c76436ca63d1c9c1af462b7880a9e69

SHA1
28ef6d389f3b96a4124a02be575dd672a5526f88

SHA256
58e9bcd8ce90601316b4613ca584776fe1c85fa1d7eb50ee3b3ee4323f33097d

SHA512
bc1e2388abb7dd360de17222a9feb18c1dcdacf880af5a18a64063c489afba9e6a92edf628d709f3b185e4cb12ab331b288395b60365ad8658382b4fe9c9310d

Download Submit
\Program Files (x86)\PCenter\agent.exe

Filesize
11KB

MD5
ff249bd63b185b700c9a054a613fe4a1

SHA1
c789cb98580cbfe4176db7362d6c33a35be10f9c

SHA256
52cd3a0f60c12f1385e23758e6e8cb1c2b5df8d63319e282df23e582d7c99f96

SHA512
f61206139b891e42a5fcde6b51d4286d7e80cec87b92550c0ee98f996a2bced97672a2c7d6fa7d4b35f7af0d6b3e7386c0708b631dde5074d1df1f669bc891e8

Download Submit
\Program Files (x86)\PCenter\agent.exe

Filesize
1KB

MD5
426f2c00bb4ce14848eada4dcbb23c07

SHA1
02258ba4c4c693b08877707a20d31ed0917b29e5

SHA256
9fe22e6825bf0cafb2c18548151bba090ce0ed198caf8a049dd49f105f4de88b

SHA512
17b15fbf10dbd48f6e90d0b97adb43673eb46109288192e6b65b8d374d01bbdb4233883dc3172d4d33a0fad8107fae2b2cd559a590f6c575a040d13211b4f6d3

Download Submit
\Program Files (x86)\PCenter\agent.exe

Filesize
9KB

MD5
ad0d19f566e82e3dfd275f721d0fc75e

SHA1
ac76a851f46036dab3a4d04b5700b37129866630

SHA256
d3f9fb6f74d4e1e6e2a7b8a4027d6e6220623297980547ff906a0c3bad46f295

SHA512
9a13c1d8f04f41ed2d8c83a7af83d237be4faa1671b352b4de6df8675886992fe9b6f45edb539c0d8218d635aa296ddd32eacca32e78b18bf8cf1972190a2776

Download Submit
\Program Files (x86)\PCenter\pc.exe

Filesize
2KB

MD5
a8f066c0e816950d287c9a3eb5a63e08

SHA1
ba3d6c8405ea67b011e6969770b959c0c41006a8

SHA256
c5bbbb31a66083ef7d2544324e86e3b6d0ab702ab31048bbdcdede9d5506f80f

SHA512
6800eb06b2ce7b9db6b0707c06aede9c58f91e608f8333ee0690cede159a3607400c8987507f99e7f0d4bc120fa475ddb89ed093960edc8d1c5350e5922b037c

Download Submit
memory/2576-39-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/2576-40-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download