8e39ea0fcd41322b3523eb56e6353e7234e7d4754fb0e8cd48a102e4f7883790

Analysis

max time kernel
127s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f4dff7c3f155ecf672fcc5258001a5e.exe
Size

72KB
MD5

1f4dff7c3f155ecf672fcc5258001a5e
SHA1

28f33ba3ff471cd4979b66049096b3f26034599d
SHA256

8e39ea0fcd41322b3523eb56e6353e7234e7d4754fb0e8cd48a102e4f7883790
SHA512

805196d794c37e4f89e35828defce05e42fa30906df64f4d96335668c4dbaac3383e8fab66481c01a677ff0cab37f06731bb842178a1f03090a6bd54bd4b2174
SSDEEP

1536:73i6EBXlLOUp5/HNi/SZKWcb+sp9NLMXy3i6EP:0LOUp5/HNi/SQ5Csp9NLa

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Admin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Admin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Admin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Admin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Admin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1f4dff7c3f155ecf672fcc5258001a5e.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe	Admin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe	Admin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe	Admin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe	Admin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe	1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe	1f4dff7c3f155ecf672fcc5258001a5e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe	Admin.exe

Executes dropped EXE 5 IoCs

pid	Process
2452	Admin.exe
2888	Admin.exe
2792	Admin.exe
2648	Admin.exe
2624	Admin.exe

Loads dropped DLL 10 IoCs

pid	Process
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\system3 = "C:\\Users\\Public\\Documents\\Admin.exe"	1f4dff7c3f155ecf672fcc5258001a5e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\system5 = "C:\\ProgramData\\Admin.exe"	1f4dff7c3f155ecf672fcc5258001a5e.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Admin.exe
File opened (read-only)	\??\N:	Admin.exe
File opened (read-only)	\??\U:	Admin.exe
File opened (read-only)	\??\L:	Admin.exe
File opened (read-only)	\??\A:	Admin.exe
File opened (read-only)	\??\V:	Admin.exe
File opened (read-only)	\??\Q:	Admin.exe
File opened (read-only)	\??\O:	1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only)	\??\R:	1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only)	\??\O:	Admin.exe
File opened (read-only)	\??\T:	Admin.exe
File opened (read-only)	\??\K:	Admin.exe
File opened (read-only)	\??\P:	Admin.exe
File opened (read-only)	\??\S:	Admin.exe
File opened (read-only)	\??\O:	Admin.exe
File opened (read-only)	\??\M:	Admin.exe
File opened (read-only)	\??\V:	Admin.exe
File opened (read-only)	\??\T:	Admin.exe
File opened (read-only)	\??\R:	Admin.exe
File opened (read-only)	\??\K:	Admin.exe
File opened (read-only)	\??\P:	Admin.exe
File opened (read-only)	\??\L:	Admin.exe
File opened (read-only)	\??\L:	1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only)	\??\U:	Admin.exe
File opened (read-only)	\??\A:	Admin.exe
File opened (read-only)	\??\E:	Admin.exe
File opened (read-only)	\??\N:	Admin.exe
File opened (read-only)	\??\P:	Admin.exe
File opened (read-only)	\??\S:	Admin.exe
File opened (read-only)	\??\U:	Admin.exe
File opened (read-only)	\??\S:	Admin.exe
File opened (read-only)	\??\G:	Admin.exe
File opened (read-only)	\??\J:	Admin.exe
File opened (read-only)	\??\K:	Admin.exe
File opened (read-only)	\??\Q:	Admin.exe
File opened (read-only)	\??\V:	Admin.exe
File opened (read-only)	\??\J:	1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only)	\??\Q:	Admin.exe
File opened (read-only)	\??\R:	Admin.exe
File opened (read-only)	\??\J:	Admin.exe
File opened (read-only)	\??\M:	Admin.exe
File opened (read-only)	\??\P:	1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only)	\??\B:	Admin.exe
File opened (read-only)	\??\A:	Admin.exe
File opened (read-only)	\??\B:	Admin.exe
File opened (read-only)	\??\G:	Admin.exe
File opened (read-only)	\??\K:	Admin.exe
File opened (read-only)	\??\N:	Admin.exe
File opened (read-only)	\??\B:	Admin.exe
File opened (read-only)	\??\E:	Admin.exe
File opened (read-only)	\??\I:	Admin.exe
File opened (read-only)	\??\N:	Admin.exe
File opened (read-only)	\??\E:	Admin.exe
File opened (read-only)	\??\A:	Admin.exe
File opened (read-only)	\??\U:	1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only)	\??\U:	Admin.exe
File opened (read-only)	\??\H:	Admin.exe
File opened (read-only)	\??\M:	Admin.exe
File opened (read-only)	\??\R:	Admin.exe
File opened (read-only)	\??\O:	Admin.exe
File opened (read-only)	\??\Q:	Admin.exe
File opened (read-only)	\??\H:	Admin.exe
File opened (read-only)	\??\H:	1f4dff7c3f155ecf672fcc5258001a5e.exe
File opened (read-only)	\??\S:	1f4dff7c3f155ecf672fcc5258001a5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2452	Admin.exe
2888	Admin.exe
2792	Admin.exe
2648	Admin.exe
2624	Admin.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2296	1f4dff7c3f155ecf672fcc5258001a5e.exe
2452	Admin.exe
2888	Admin.exe
2792	Admin.exe
2648	Admin.exe
2624	Admin.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2452	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	28
PID 2296 wrote to memory of 2452	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	28
PID 2296 wrote to memory of 2452	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	28
PID 2296 wrote to memory of 2452	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	28
PID 2296 wrote to memory of 2888	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	29
PID 2296 wrote to memory of 2888	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	29
PID 2296 wrote to memory of 2888	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	29
PID 2296 wrote to memory of 2888	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	29
PID 2296 wrote to memory of 2792	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	30
PID 2296 wrote to memory of 2792	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	30
PID 2296 wrote to memory of 2792	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	30
PID 2296 wrote to memory of 2792	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	30
PID 2296 wrote to memory of 2648	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	31
PID 2296 wrote to memory of 2648	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	31
PID 2296 wrote to memory of 2648	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	31
PID 2296 wrote to memory of 2648	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	31
PID 2296 wrote to memory of 2624	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	32
PID 2296 wrote to memory of 2624	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	32
PID 2296 wrote to memory of 2624	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	32
PID 2296 wrote to memory of 2624	2296	1f4dff7c3f155ecf672fcc5258001a5e.exe	32

C:\Users\Admin\AppData\Local\Temp\1f4dff7c3f155ecf672fcc5258001a5e.exe
"C:\Users\Admin\AppData\Local\Temp\1f4dff7c3f155ecf672fcc5258001a5e.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2452
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2888
- C:\Users\Public\Documents\Admin.exe
  "C:\Users\Public\Documents\Admin.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Admin.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Admin.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2648
- C:\ProgramData\Admin.exe
  "C:\ProgramData\Admin.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3RZM3750.txt

Filesize
148B

MD5
a5a853c6d00d4fbf544d1460562b5ccb

SHA1
fc4acdcd5e9e1329617f0001052d24119f3f4d51

SHA256
90d4ad507f8167b37d085c68abc1a5e44aad19c434381044574d4d22a8adf987

SHA512
7b3f0c05157eabf61e7b013dd45dd270bce3d47ef2d307ca64b854290f42f706ebb877649827ed034c14c3a05445d37d742b899708d9ccd58929911d61e99ebe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\56C40DZ6.txt

Filesize
148B

MD5
cda423add6ca97abc97fb9cb69f8c815

SHA1
6b1f2966db198cebf04e26441d4ffeb5ad0c3d61

SHA256
fdf9ea2931bdee826f2dc93ac9668ef89bdfc50763f9da660b1f3605d3e55c8f

SHA512
8097d0f5103a8f245f8a14a250efa721d39e8510afb575bb1dfe11640cacb3f471fba0b115643cc9a8b6a6bcb2ce8261189245404c3d8696247bf25627c9c561

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7GV8YG2Y.txt

Filesize
147B

MD5
33f5b742a3e851a688e782c501af1c18

SHA1
de3b25e7c2e2e8e33d051830ce36454fd75b62d9

SHA256
469e3407ca2cf02bcdbafedf192e1b757f35df66509156aff369c71c53f6f7e9

SHA512
29cfa6ce663313480dc224acd0489e5e26bbf331abbb5642f29550cf01aa2d5e4aa78a5c277445ed4adf178984da5e34291c16a601c5d33100497670e5a8a01f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AQGU1KZ2.txt

Filesize
147B

MD5
fbceac982a959154282e557208b53ae2

SHA1
71a4ab87bc42d1d37235b41068866a1c8f41f9b9

SHA256
e5340301a32bb9b231c34c5996797c113548f342d78a9042957a2c97b713b593

SHA512
3ff2b2c44e4f31242a3142ebaf5b4ea301b4eb8f0d18600aca9a2bd128bc2dba88b69fe00d47da01f31d9b508e9a871a688790944ffa5649706d319cc6bb7b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\D2TKRT7R.txt

Filesize
148B

MD5
58552c233e139e673fd7f4915a47f887

SHA1
313c2d10159e076875021da3fa0537d3989fecc3

SHA256
5c83bea8c36792399c01bff8e69439e62e06403c88e8be391bd20bed1ca9000d

SHA512
ae8b9730a2a48a94915f0b847031f9e67306896340fde3ec6eb0224d95f14ba42a12a963ae52e01af860546592c01a8632efb707e0035be8e41457e5504fdb60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HJBZ4UXI.txt

Filesize
90B

MD5
c82f833faca10bba30c23de2e57f0586

SHA1
a5e46aff91fca87769a7c72417fc3cd3fbb915a8

SHA256
a7ca938f80919768a4935d2810c76bcc33c08bfd72653781da1d6b0f5429dea8

SHA512
a30ea2260baba0c9e6bd5f5bf3c3b10dd398c0537e11a5714f27f05cd824b3322cf774b2d74f73c8a55b6a31ea336e80d94b4ffd39c0be2a27155a81988573ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MPZ11EBW.txt

Filesize
147B

MD5
547c1a1be5fc101241e9be37197f1bf4

SHA1
9a8a2888aa836dfb6cfe393f83ee5f3ae8791933

SHA256
544f2e2fae22c8a76fb833a2fb00f273901005de802d7d6c665857fc1cdfe9c3

SHA512
fcef0fd8de522ef8c6f0e3676fe420272200ab0006debb5a251c415535027c29ad9633f474531d6cbdeabb45d229942acb91a7cda6be209f21f144ca2b72d47e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TG88KIYZ.txt

Filesize
147B

MD5
abb93b71d271fa99b823cbb66dde0487

SHA1
5b2b516e0105f3a5c5de19c8c7611dfa80c57ce8

SHA256
966ebb0df1376b2a6cc6cd325d231ad6767c855ed836fe8f2fd6ceb7a9bfcde9

SHA512
877f69274ad26a78bf21954679680a5eac5e2985d73dea5c3ba0bdd6522d5e3aea51e2b67089b2a8099468ad118b7e7abbe347a4597824807bfb65ec224dda79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V50MB1SS.txt

Filesize
147B

MD5
5813d838307e0bd7e93a1524b08fa480

SHA1
4d2475d936bf12131bb3b67d98256a030cb481b2

SHA256
8a56a910396d6f1c4b7a5b0a2826e7276218912e311c4d32ab4d8d039dd14052

SHA512
50fb7c23f6a643b6a1229af6ec4d4f0f164b8aaf81578e62b6e3ea8a6e9c0202a8e17c85b55c951aeb6e9c3127497e7d626cc60f7bce3a05a10c38e43dab3358

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W534P29G.txt

Filesize
148B

MD5
3b49cd87dcb224e2daa7d33657eb89e0

SHA1
ecf0bf79e98c49894f66ee16468ccc0872e97624

SHA256
7452210e4282a2d9bc45136381cbf7afeccccf7a55f649fb888024c5d90173bd

SHA512
c63ba68ade6d6eae98a8b3ba63b0419b77bf7f765f77567741d082ad21d945e1c0a1c4ac31f01b83a98fbe4d58dbac85ad877b4ea7abb75dbaaecea02060f485

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZSYILZS7.txt

Filesize
147B

MD5
16d0ecbf6fc2f96d216d437101319372

SHA1
b96f72f054a0ab38dbb1a9f875916ec0012343dd

SHA256
8cc088c289022eeb36647425c32c0c0880043d1ecd30946f97b9e4602f64c50e

SHA512
4da7303844d584fe717b180592d99310c75ab1f2eaf6bf5701b3d87f27796be73c77e3736a43294a05a197fc3c183664969dbb87d7bec64bf4fffa8389e6eb2f

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Admin.exe

Filesize
72KB

MD5
1f4dff7c3f155ecf672fcc5258001a5e

SHA1
28f33ba3ff471cd4979b66049096b3f26034599d

SHA256
8e39ea0fcd41322b3523eb56e6353e7234e7d4754fb0e8cd48a102e4f7883790

SHA512
805196d794c37e4f89e35828defce05e42fa30906df64f4d96335668c4dbaac3383e8fab66481c01a677ff0cab37f06731bb842178a1f03090a6bd54bd4b2174

Download Submit
memory/2296-66-0x0000000003560000-0x0000000003585000-memory.dmp

Filesize
148KB

Download
memory/2296-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2296-43-0x0000000003560000-0x0000000003585000-memory.dmp

Filesize
148KB

Download
memory/2296-28-0x0000000003560000-0x0000000003585000-memory.dmp

Filesize
148KB

Download
memory/2296-14-0x0000000003550000-0x0000000003575000-memory.dmp

Filesize
148KB

Download
memory/2452-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2888-30-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads