Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 15:19
Static task: static1
Behavioral task: behavioral1
  Sample: 28c6034dc13ef0e2b698e0727b63ff2e.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 28c6034dc13ef0e2b698e0727b63ff2e.exe
  Resource: win10v2004-20231215-en
General
Target: 28c6034dc13ef0e2b698e0727b63ff2e.exe
Size: 212KB
MD5: 28c6034dc13ef0e2b698e0727b63ff2e
SHA1: a843d1343435822d258a79c466fbf4467720321b
SHA256: 9ab36fc25c0d3dcd810216b0abbfac8f438ab5f64528b954b762f44b642e3bf6
SHA512: 1438865c11f49adfa24a69bc393d7a50fe0e4c833c22ea42d2153d219a3837e85e284f76956b33553f7b12f1c383fae92ae5626c2c56983ac3a3ac529de8632e
SSDEEP: 3072:D9UB99PLzx+sJhGYiNAcXOqQnys80/p5GomjRMEQYbLlmuPU+BfPc1rPU35pJuct:DqBjxEOqQn580/JXEJpc1rPYJn
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 28c6034dc13ef0e2b698e0727b63ff2e.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | heexeoq.exe
Executes dropped EXE (1 IoC)
pid | Process
2176 | heexeoq.exe

Loads dropped DLL (2 IoCs)
pid | Process
2888 | 28c6034dc13ef0e2b698e0727b63ff2e.exe
2888 | 28c6034dc13ef0e2b698e0727b63ff2e.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /p" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /z" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /e" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /f" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /n" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /h" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /t" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /k" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /x" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /i" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /l" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /j" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /q" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /d" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /b" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /m" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /w" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /u" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /g" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /o" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /y" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /a" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /s" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /c" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /r" | heexeoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /k" | 28c6034dc13ef0e2b698e0727b63ff2e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\heexeoq = "C:\\Users\\Admin\\heexeoq.exe /v" | heexeoq.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2888 | 28c6034dc13ef0e2b698e0727b63ff2e.exe
2176 | heexeoq.exe (this row is repeated for the remaining 63 IoCs)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2888 | 28c6034dc13ef0e2b698e0727b63ff2e.exe
2176 | heexeoq.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2888 wrote to memory of 2176 | 2888 | 28c6034dc13ef0e2b698e0727b63ff2e.exe | 28
PID 2888 wrote to memory of 2176 | 2888 | 28c6034dc13ef0e2b698e0727b63ff2e.exe | 28
PID 2888 wrote to memory of 2176 | 2888 | 28c6034dc13ef0e2b698e0727b63ff2e.exe | 28
PID 2888 wrote to memory of 2176 | 2888 | 28c6034dc13ef0e2b698e0727b63ff2e.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\28c6034dc13ef0e2b698e0727b63ff2e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\28c6034dc13ef0e2b698e0727b63ff2e.exe"
   PID: 2888
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\heexeoq.exe (child process)
      Command line: "C:\Users\Admin\heexeoq.exe"
      PID: 2176
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 92KB
  MD5: 220af695564e533f2d9e9f29583b9fda
  SHA1: 97328fcd0f87b618fb0fe14de0c57870429dfcbd
  SHA256: 63d9350bb5c76b72ded3531dcbb0bf51311bb0c7454b3df564e7715a13d10a79
  SHA512: eb697fbab01b2977c38913f081993bd88387781268782b4a6a8989066f65f2cfd4772d0014dbba8b4a7d38b610134c96ba8c07b2cbcab43376529b3233d2d308
File 2
  Filesize: 212KB
  MD5: 562387e7071c1c54e141e3fca3e3187e
  SHA1: ce103156e7ebf94d4e41ee993282b21236814c7b
  SHA256: 29513a215fc1b68f2f99b23725eb37240e759fa5facd7319e6891c6cf4310579
  SHA512: 2351bb96afc2df8978af311844378687350db3a4e71cc28b367366f340a1c60966d50233a05e8592595036a13649e9f1f09c712deaa2cfe76a63f2f636fd8cab