85f07d32020197bef222466253a8de86b06793f2895a9de784845a458c339470

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ab67ae7fb3a8d434bbee0f9a737098f.exe
Size

136KB
MD5

1ab67ae7fb3a8d434bbee0f9a737098f
SHA1

8f07b685a4a3ee4052edb5fedc9e2355a0bccd5e
SHA256

85f07d32020197bef222466253a8de86b06793f2895a9de784845a458c339470
SHA512

b44669d1337e9a36ad8885bd6989bc051674813ed4ec9f67277d65b7ebfbbbd8745572af5cf3085c4478280cafdf513f1812c84d279cd7bd9b24498345dfbf41
SSDEEP

768:jZKM11gG4ChfiPO0rfz0shcUypMC5/VKhZyg3ini2ine7+:gMDgG4ChfiPOefgsOUqQwg

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Syssrc32 = "C:\\Windows\\Syssrc32.exe"	1ab67ae7fb3a8d434bbee0f9a737098f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fndfst32 = "C:\\Windows\\System\\fndfst32.exe"	1ab67ae7fb3a8d434bbee0f9a737098f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer Shell = "C:\\Windows\\System\\Explorer.exe"	1ab67ae7fb3a8d434bbee0f9a737098f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System applets = "C:\\Windows\\System\\applets.exe"	1ab67ae7fb3a8d434bbee0f9a737098f.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\Sysexp32.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File created	C:\Windows\System\Sysexp32.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File created	C:\Windows\System\fndfst32.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File opened for modification	C:\Windows\System\Explorer.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File created	C:\Windows\System\Explorer.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File created	C:\Windows\Help\intret.cnt	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File opened for modification	C:\Windows\System\mplayerw.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File created	C:\Windows\System\mplayerw.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File opened for modification	C:\Windows\Syssrc32.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File opened for modification	C:\Windows\Help\intret.cnt	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File opened for modification	C:\Windows\System\applets.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File created	C:\Windows\System\applets.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File created	C:\Windows\Syssrc32.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe
File opened for modification	C:\Windows\System\fndfst32.exe	1ab67ae7fb3a8d434bbee0f9a737098f.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3332	4444	WerFault.exe	22

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	1ab67ae7fb3a8d434bbee0f9a737098f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\Explore = "%SystemRoot%\\SysWow64\\NOTEPAD.EXE %1"	1ab67ae7fb3a8d434bbee0f9a737098f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\System\\Sysexp32.exe %1"	1ab67ae7fb3a8d434bbee0f9a737098f.exe

C:\Users\Admin\AppData\Local\Temp\1ab67ae7fb3a8d434bbee0f9a737098f.exe
"C:\Users\Admin\AppData\Local\Temp\1ab67ae7fb3a8d434bbee0f9a737098f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
PID:4444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 296
  2⤵
  - Program crash
  PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4444 -ip 4444
1⤵
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\Sysexp32.exe

Filesize
148KB

MD5
40e3098726060082e43d0023cddc2dd6

SHA1
a1c8fef643d8d93741d9f0ae40106af51e60d54c

SHA256
42946d969de32b415f750ffd76b5cdc133e44f5566d94b6b33a71654890aad77

SHA512
81df6b57b582aa7525956db4042a6b823fdfef64bdb4b49cd032692e46f537600d7c9da9b9caa30a4b61c623416433749a49bb169545d20257ed2f5c53f374e9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads