8e02312f540275875ccbe10a5b6fa6f300463ff9e69332a4a9512654252233f5

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 10:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

165ea3c204e269e8e2d314a012783e67.exe
Size

425KB
MD5

165ea3c204e269e8e2d314a012783e67
SHA1

047809d2c5b510461c6e899242df02030215ed82
SHA256

8e02312f540275875ccbe10a5b6fa6f300463ff9e69332a4a9512654252233f5
SHA512

8610638eb4d9e0355c530086272532b846e95c94a5e4e9c18828e9d0e49ed022ec3ce0ef16044f8710b149a56c7bce5e3a357e4ded6086c933f988909d59268f
SSDEEP

12288:wWPfpxNzSBwlcACfGcy+Ovln0GBgfnVDbPP:wWPflzQwlcAUGh+Odnpg1P

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2124	rinst.exe
2776	winxp.exe

Loads dropped DLL 12 IoCs

pid	Process
2232	165ea3c204e269e8e2d314a012783e67.exe
2232	165ea3c204e269e8e2d314a012783e67.exe
2124	rinst.exe
2124	rinst.exe
2124	rinst.exe
2124	rinst.exe
2124	rinst.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2232	165ea3c204e269e8e2d314a012783e67.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxp = "C:\\Windows\\SysWOW64\\winxp.exe"	winxp.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	winxp.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\winxp.exe	rinst.exe
File created	C:\Windows\SysWOW64\winxphk.dll	rinst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2776	winxp.exe
2776	winxp.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe
2776	winxp.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2124	2232	165ea3c204e269e8e2d314a012783e67.exe	28
PID 2232 wrote to memory of 2124	2232	165ea3c204e269e8e2d314a012783e67.exe	28
PID 2232 wrote to memory of 2124	2232	165ea3c204e269e8e2d314a012783e67.exe	28
PID 2232 wrote to memory of 2124	2232	165ea3c204e269e8e2d314a012783e67.exe	28
PID 2232 wrote to memory of 2124	2232	165ea3c204e269e8e2d314a012783e67.exe	28
PID 2232 wrote to memory of 2124	2232	165ea3c204e269e8e2d314a012783e67.exe	28
PID 2232 wrote to memory of 2124	2232	165ea3c204e269e8e2d314a012783e67.exe	28
PID 2124 wrote to memory of 2776	2124	rinst.exe	29
PID 2124 wrote to memory of 2776	2124	rinst.exe	29
PID 2124 wrote to memory of 2776	2124	rinst.exe	29
PID 2124 wrote to memory of 2776	2124	rinst.exe	29
PID 2124 wrote to memory of 2776	2124	rinst.exe	29
PID 2124 wrote to memory of 2776	2124	rinst.exe	29
PID 2124 wrote to memory of 2776	2124	rinst.exe	29

C:\Users\Admin\AppData\Local\Temp\165ea3c204e269e8e2d314a012783e67.exe
"C:\Users\Admin\AppData\Local\Temp\165ea3c204e269e8e2d314a012783e67.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\winxp.exe
    C:\Windows\system32\winxp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
2d08236682a7b9cff2a30056e890631e

SHA1
c1f6e53779985b22d5861c1cf9529658137abf26

SHA256
6d4767f609f7e583db552120607e7d685d62b096df314ebebf766c370840be85

SHA512
d08d9c52c121e8712513cedeabffaf678e51298937151f594e3151112e59a3f0cd58f119a1766934307b8c5b749b1675568000853da393f45d73e2d7cf893b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
7KB

MD5
8c09ca5f67accdb937da1b3882e717d1

SHA1
5b70ac5ddb0911621bb7cc1953d8671b7cae904c

SHA256
d1f861e834cc5deabddb3e451be42eedf30140bcdb41da5ed9df369c996fc4ef

SHA512
154ff4c7d0b13c2fa9102693747d608420e57584c41e0ff99669f34921f47f7ce60228315bd37ba22949691edc590a21412fa9c6963e6b684b0d7554b5526b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winxp.exe

Filesize
408KB

MD5
6d4ec7272c525c08413cbae1da0952ec

SHA1
f018f517ffd1af840e60472f0fdd1fd851cb2ca5

SHA256
954e5920b0bfa5f8243deef4def5f9287e4f77ce8f4dd3c91f6fd55b85d6e879

SHA512
6b5ecd985d674d4e64b2f729bfbf24486f3c8135e0c8d15afe8c1e7a6bdbdee69a6976da1d61bd40b5dfe71e876e9a01be57e047fbc5e547f64d9d699b26d0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\winxphk.dll

Filesize
21KB

MD5
976bd0b26ea1f4264aadb7589e729f7d

SHA1
58770541f18cc8724f4d20ded9b0024aaaef3e9f

SHA256
a592c558224e28295e88da3d4f3ff61cf5393f36280cf4c6e73ca6e33e64f816

SHA512
7403ae471c4332ebe77bdf59d55ed4060e02151fb9b5eb47bc521cb74e8e0015287429e357a8b72f16231d9206c3ed2ff6c3174357c1f410662bc0342461f0f2

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
7KB

MD5
a1f0199fd68f6b20360e22e9500150b4

SHA1
61a1cd33b8313df6517e3ea46688b2e39a202d16

SHA256
bc73b6a686f95e0a202203bd1f53032a1b3ba18b51faea5c1ca55223367009d2

SHA512
28d8460cbc64b490685a2eea1af8bc5734fd31eaa96e36ceb2f65f9ce8837b4b5639748726dcb0e48b358627831049246c72a6e9ebd386a8ef25a4ed906588e8

Download Submit
C:\Windows\SysWOW64\winxp.exe

Filesize
408KB

MD5
ce74bebd69c23687ef526e57c4f66f55

SHA1
3c02c39c428de4046a7e835a598ada33cd0134b9

SHA256
42b34ed97b2421ac597bec137b599057e9bc8abee86b13d7dc6fbee4e577789a

SHA512
2659399ecdc81f74d261425645f12dceda7831e66b36613bb50c8c91dac9094bc395a89908e7487b1d7104fbfdba4183ecc36c261bb3a821ac6d672894255fac

Download Submit
C:\Windows\SysWOW64\winxphk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
memory/2232-52-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads