33ef02da1169a63c03748ad431fe60fc3600996663e93a909c910008be43872e

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49631a98ce6ff91370cd1d6d0f90a083.exe
Size

29KB
MD5

49631a98ce6ff91370cd1d6d0f90a083
SHA1

c19b8a52222bbf3c3b55f1bdb9383a76e84107c1
SHA256

33ef02da1169a63c03748ad431fe60fc3600996663e93a909c910008be43872e
SHA512

4d62e6ffc4404ab0fcc6bbfab1626b358b546c0a3ea4de974a5fa005cdf549685582b8212cc67af770eb740565a7711fc4dc1401dc314f05c7e22a0377aa4ea2
SSDEEP

768:j+Fmr6Wit2zShufZTMSE73suEHnbcuyD7UQNf:iF92G61Hnouy8gf

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2172	49631a98ce6ff91370cd1d6d0f90a083.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\u:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\y:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\z:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\k:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\l:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\m:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\p:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\t:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\v:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\e:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\h:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\n:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\r:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\s:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\x:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\g:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\i:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\j:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\q:	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened (read-only)	\??\w:	49631a98ce6ff91370cd1d6d0f90a083.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259417073.CPL	49631a98ce6ff91370cd1d6d0f90a083.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\rgdltecq\ngoifz.pif	49631a98ce6ff91370cd1d6d0f90a083.exe
File opened for modification	C:\Program Files (x86)\Common Files\rgdltecq\ngoifz.pif	49631a98ce6ff91370cd1d6d0f90a083.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	49631a98ce6ff91370cd1d6d0f90a083.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	49631a98ce6ff91370cd1d6d0f90a083.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\259417073.CPL"	49631a98ce6ff91370cd1d6d0f90a083.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32	49631a98ce6ff91370cd1d6d0f90a083.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	49631a98ce6ff91370cd1d6d0f90a083.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe
2172	49631a98ce6ff91370cd1d6d0f90a083.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	49631a98ce6ff91370cd1d6d0f90a083.exe
Token: SeDebugPrivilege	2172	49631a98ce6ff91370cd1d6d0f90a083.exe

C:\Users\Admin\AppData\Local\Temp\49631a98ce6ff91370cd1d6d0f90a083.exe
"C:\Users\Admin\AppData\Local\Temp\49631a98ce6ff91370cd1d6d0f90a083.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\259417073.CPL

Filesize
11.8MB

MD5
49da592544470a33e3761136de613da5

SHA1
9dbae5bab483aecf3f125f0c1507c72ab337d5de

SHA256
26a1a1979c470a63a6a64d97a2e6c1a8267e98367f96cd0dedc93b0a3e70b084

SHA512
e0e0bcf5d6b84b31e239f2ba7617a3f6dcc487c66eec06bf4f14151d4d14b83be23e6adb7e801db6148848dda0091244b720bd3aa9359df27e434e056e230d6a

Download Submit
memory/2172-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2172-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download