d472e6a48a086160dff10dfc116b493da32c98268652f5fb509fd010516a62c4

Analysis

max time kernel
151s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

238c4f4cc8fe2bb226b1a2cc025a83b4.exe
Size

68KB
MD5

238c4f4cc8fe2bb226b1a2cc025a83b4
SHA1

5f7bf26fe3d903c6d7754a2ed001ef1719169c85
SHA256

d472e6a48a086160dff10dfc116b493da32c98268652f5fb509fd010516a62c4
SHA512

a8afd183326cdafe2dd1d53a59d65fc9f24183a37bd7a6ff7b36bbb7b56fb0cd7b50828345a1c191dfc8050e969c0a5851a0c8f1a388b23c52c0957e66dc81e4
SSDEEP

768:wcUliTda6Al+qOQSgFrhKo//WomvdfQXwYt1IEDIefZsK:/UIxBAcqOK3qowgnt1d

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	Admin.exe

Loads dropped DLL 2 IoCs

pid	Process
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe
2012	Admin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2012	2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe	28
PID 2568 wrote to memory of 2012	2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe	28
PID 2568 wrote to memory of 2012	2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe	28
PID 2568 wrote to memory of 2012	2568	238c4f4cc8fe2bb226b1a2cc025a83b4.exe	28

C:\Users\Admin\AppData\Local\Temp\238c4f4cc8fe2bb226b1a2cc025a83b4.exe
"C:\Users\Admin\AppData\Local\Temp\238c4f4cc8fe2bb226b1a2cc025a83b4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\Admin.exe
  "C:\Users\Admin\Admin.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Admin.exe

Filesize
68KB

MD5
e94f4781f5eb0d5a5a4be1fe36f2ddea

SHA1
b3deaed84091a01c6af4773f30e1916791d1dd4a

SHA256
7519df81ea36b367d42a9c7d6209a2b040838c4ef0f75afaae73f652d9a1d378

SHA512
0b2ee7efcf14359571ccb2114a2b3745cd8c507175b05e65f5ac0ba257363a68498e15cf0d656c3df57ed0f8931c0556ce0cc2adb95fd91257d24e4517c4263e

Download Submit
memory/2012-13-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2568-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download