8f1e4e2dfeb7eebd5e3d17234bf44a6dd0a7fd68e4d6a9c7de73ec880c9ff2e2

Analysis

max time kernel
129s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b04547260183db1eac33e54db382748.exe
Size

193KB
MD5

2b04547260183db1eac33e54db382748
SHA1

8574962facbb3cf8c517ee65bdafe1ce97d8ff7d
SHA256

8f1e4e2dfeb7eebd5e3d17234bf44a6dd0a7fd68e4d6a9c7de73ec880c9ff2e2
SHA512

3857466e33bd1f153cf830b05578d3093f47f798d1ff0ad73436b43490ad5cd23859eeeaf969341c9819f7621190409608606017ac08d8e0f7e430cc106cfd8d
SSDEEP

3072:43jPII0UAW8mzNdJpfRRqVcF2Fg9B45rFwV2bVCQmp+ZGkkCyKpEi:43jPIIzAW8kd0Fg9m5xwvQA+2pm

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2732	Framework.net
2844	2b04547260183db1eac33e54db382748.ехе
2992	Framework.net
2572	conhost.ехе

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.NET = "C:\\Windows\\Microsoft.NET\\Framework\\Framework.net start"	Framework.net

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\conhost.ехе	Framework.net
File created	C:\Windows\system32\conhost.ехе	Framework.net

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\Framework.net	2b04547260183db1eac33e54db382748.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\Framework.net	2b04547260183db1eac33e54db382748.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\DefaultIcon\ = "%SystemRoot%\\System32\\shell32.dll,-154"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\runas	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\ = "Componente para aplicaciones Microsoft .NET"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\InfoTip = "Componente para aplicaciones Microsoft .NET"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.net	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell\runas	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ехе\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\open\EditFlags = 00000000	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\ = "Componente para aplicaciones Microsoft .NET"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\DefaultIcon	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex\DropHandler	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\ = "netfile"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\ = "Aplicación"	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\EditFlags = 38070000	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\runas\command\ = "\"%1\" %*"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\TileInfo = "prop:FileVersion;FileDescription"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell\open\command\ = "\"%1\" %*"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell\open\command\ = "\"%1\" %*"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ехе	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\ = "netfile"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\runas\ = "\"%1\" %*"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ехе\Content Type = "application/x-msdownload"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\DefaultIcon\ = "%SystemRoot%\\System32\\shell32.dll,-154"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex\DropHandler	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\open	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\PifProps	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\PifProps\ = "{86F19A00-42A0-1069-A2E9-08002B30309D}"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eхe\Content Type = "application/x-msdownload"	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\EditFlags = 38070000	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\DefaultIcon\ = "\"%1\""	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\DefaultIcon	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\open\command\ = "\"%1\" %*"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell\runas\command\ = "\"%1\" %*"	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\EditFlags = 38070000	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell\open	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\runas\command	2b04547260183db1eac33e54db382748.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\open\EditFlags = 00000000	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell\open\EditFlags = 00000000	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\PersistentHandler	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shell	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shell\open\command	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\TileInfo = "Microsoft .NET Framework Setup"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex\PropertySheetHandlers\PifProps\ = "{86F19A00-42A0-1069-A2E9-08002B30309D}"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\DropHandler	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex\PropertySheetHandlers\PifProps	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\ShimLayer Property Page\ = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"	Framework.net
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shell\open\EditFlags = 00000000	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eхe\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.net\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\DefaultIcon	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\ShimLayer Property Page	2b04547260183db1eac33e54db382748.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\netfile\shellex\PropertySheetHandlers\ShimLayer Property Page	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.eхe\ = "eхefile"	Framework.net
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\shellex\PropertySheetHandlers\PifProps\ = "{86F19A00-42A0-1069-A2E9-08002B30309D}"	2b04547260183db1eac33e54db382748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ехеfile\InfoTip = "prop:FileVersion;FileDescription"	Framework.net
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\eхefile\shellex\PropertySheetHandlers\PifProps	Framework.net

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2732	2424	2b04547260183db1eac33e54db382748.exe	28
PID 2424 wrote to memory of 2732	2424	2b04547260183db1eac33e54db382748.exe	28
PID 2424 wrote to memory of 2732	2424	2b04547260183db1eac33e54db382748.exe	28
PID 2424 wrote to memory of 2844	2424	2b04547260183db1eac33e54db382748.exe	29
PID 2424 wrote to memory of 2844	2424	2b04547260183db1eac33e54db382748.exe	29
PID 2424 wrote to memory of 2844	2424	2b04547260183db1eac33e54db382748.exe	29
PID 2732 wrote to memory of 2992	2732	Framework.net	30
PID 2732 wrote to memory of 2992	2732	Framework.net	30
PID 2732 wrote to memory of 2992	2732	Framework.net	30
PID 2992 wrote to memory of 2572	2992	Framework.net	31
PID 2992 wrote to memory of 2572	2992	Framework.net	31
PID 2992 wrote to memory of 2572	2992	Framework.net	31

C:\Users\Admin\AppData\Local\Temp\2b04547260183db1eac33e54db382748.exe
"C:\Users\Admin\AppData\Local\Temp\2b04547260183db1eac33e54db382748.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\Microsoft.NET\Framework\Framework.net
  "C:\Windows\Microsoft.NET\Framework\Framework.net" bautiza
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\Microsoft.NET\Framework\Framework.net
    "C:\Windows\Microsoft.NET\Framework\Framework.net" vive
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\conhost.ехе
      "C:\Windows\system32\conhost.ехе" vive
      4⤵
      Executes dropped EXE
      PID:2572
- C:\Users\Admin\appdata\local\temp\2b04547260183db1eac33e54db382748.ехе
  "C:\Users\Admin\appdata\local\temp\2b04547260183db1eac33e54db382748.ехе"
  2⤵
  - Executes dropped EXE
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2b04547260183db1eac33e54db382748.ехе

Filesize
94KB

MD5
bae4be589972a5d011ae1f395e358d63

SHA1
dca9024695412e3e1d5dec8c50c51476ee0ace15

SHA256
c2b5ef85fffb98fded3a7a961fa03c6607a4b886cfef5903db84893c75dca29e

SHA512
dc0d5200a15d0c021f66359e9eea9881dca2b4f59dc55fbf4693658fdf4e6dce1d64b8b9d46a3b3a3359f3803060f9dc447e87f1e2f7e252929ac8b5c702b61c

Download Submit
C:\Windows\Microsoft.NET\Framework\Framework.net

Filesize
117KB

MD5
26e133568cff7fd39ef6cef7503cfd3c

SHA1
cec88342cd8e20b75208d2fe07242f90768904ea

SHA256
8166208700f0dd40d00e506127e340601a2b49ef127c1e9d22f836e77f06a82c

SHA512
8c18d099a9f04e3a18ea8309568817f05021b2ac50f8922859db700ff424c6230a3116b3557212ea597460dcda4cff27fbcd893bed1e0452fb3406d75904fab2

Download Submit
memory/2424-1-0x0000000000940000-0x00000000009C0000-memory.dmp

Filesize
512KB

Download
memory/2424-2-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-34-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-0-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-33-0x0000000000940000-0x00000000009C0000-memory.dmp

Filesize
512KB

Download
memory/2424-32-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-28-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-37-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-29-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/2732-10-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2732-19-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2732-9-0x0000000001F50000-0x0000000001FD0000-memory.dmp

Filesize
512KB

Download
memory/2732-8-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-25-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-23-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2844-31-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2844-20-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2844-35-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2844-36-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-26-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/2992-27-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-30-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads