8f731d05e4af37a6e8657b38fd304167dfe13909802f42592b6fc48410af10dc

Analysis

max time kernel
34s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e7d1d50f6c018c6b19688fbeeb31eb7.exe
Size

849KB
MD5

4e7d1d50f6c018c6b19688fbeeb31eb7
SHA1

5b9baa203a6fe462b2e9e67186494f84da8eb42d
SHA256

8f731d05e4af37a6e8657b38fd304167dfe13909802f42592b6fc48410af10dc
SHA512

0884e78b27c73b627a1af13249cb30a3a73a6aa6b1df10a35620cebdc652b2500179b5983a36972d1b72333bb1e9efa24cdacef961f704d02038340c26d9a177
SSDEEP

12288:RLrhnDCfbf+ARV2zqu8qltaSEDayBgXN8/ryxmmWgS1D7I8AV4Hjvz9RSj4kc/XR:jnDCze2lixm4SWrV4HjRRSAVyJAmmD

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1128	4e7d1d50f6c018c6b19688fbeeb31eb7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Tray = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e7d1d50f6c018c6b19688fbeeb31eb7.exe"	4e7d1d50f6c018c6b19688fbeeb31eb7.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shelldata\cfg\windowlog.dat	4e7d1d50f6c018c6b19688fbeeb31eb7.exe
File opened for modification	C:\Windows\SysWOW64\shelldata\cfg\windowlog.dat	4e7d1d50f6c018c6b19688fbeeb31eb7.exe
File created	C:\Windows\SysWOW64\shelldata\cfg\applog.dat	4e7d1d50f6c018c6b19688fbeeb31eb7.exe
File opened for modification	C:\Windows\SysWOW64\shelldata\cfg\applog.dat	4e7d1d50f6c018c6b19688fbeeb31eb7.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ISNSYS.dll	4e7d1d50f6c018c6b19688fbeeb31eb7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1128	4e7d1d50f6c018c6b19688fbeeb31eb7.exe
1128	4e7d1d50f6c018c6b19688fbeeb31eb7.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1128	4e7d1d50f6c018c6b19688fbeeb31eb7.exe
1128	4e7d1d50f6c018c6b19688fbeeb31eb7.exe
1128	4e7d1d50f6c018c6b19688fbeeb31eb7.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 4188	1128	4e7d1d50f6c018c6b19688fbeeb31eb7.exe	96
PID 1128 wrote to memory of 4188	1128	4e7d1d50f6c018c6b19688fbeeb31eb7.exe	96

C:\Users\Admin\AppData\Local\Temp\4e7d1d50f6c018c6b19688fbeeb31eb7.exe
"C:\Users\Admin\AppData\Local\Temp\4e7d1d50f6c018c6b19688fbeeb31eb7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ISNSYS.dll

Filesize
71KB

MD5
4addfa4eda0a136f2648f37371e6b175

SHA1
b0459754ce40404d331c1756e838b4b7a250e2c0

SHA256
3e03959b6bac87c95281224cda76f2abcb6154868f4e1b5bb30bbd3d16604a89

SHA512
b39cb4f1d5eb8b775d8a0fde1e767545b34fc9140092fcebb6ae22a6a9e6b5a5fae8b4805cea3a51bcb6a0b5d1d3c8bdf9891a010ae5d0b54c1d9809a5919b43

Download Submit
C:\Windows\SysWOW64\shelldata\cfg\applog.dat

Filesize
1KB

MD5
31516d618ce16774fc28da5eb8af5be8

SHA1
4057724713f50470f041dade5f3e3355a27b0024

SHA256
43617b8e6889edb5cdef464ac7d816d2be722169a7871c0c28dabac074c72702

SHA512
067a736a2fb34ad392cc075dd56784835aed6f651e9faff3872eda887ccac27dea6a4524dd8c89549cc80aa226d1fe2e6654779cee602f334836b49186f4db45

Download Submit
C:\Windows\SysWOW64\shelldata\cfg\applog.dat

Filesize
1KB

MD5
fde11cf4d12487f4ccda867a2adb0bcc

SHA1
139b87d37b611a5efee6aef0282259353cde0ecb

SHA256
a9a37ae8136068db26c46c6371cfafba46c678aa7d8a89508ff009acebbe958a

SHA512
f52151414c58dd517add307ae373ec64f5467188a9974d04ec11984c15530f99a528c98c95e027c0d865708c52a1cf1ed8feac76b92dee00f3054bef2aaf4e11

Download Submit
C:\Windows\SysWOW64\shelldata\cfg\applog.dat

Filesize
1KB

MD5
e83af43f74d2bee7d93dd2cc2e9ef216

SHA1
6bde2e44f1d9bbaa7b165d82e55938e0cf8bdfc5

SHA256
fab3165b7371068510aa9b071f5693f066de2a0fc3443e594a43eee993869b36

SHA512
1237af1c19ecd8c1f1de0205bc9321f2b595493dd2499383ef0f129c95f90d8ec6fa3943fb84db5965bc9d1b19af3f755efe9009a4e564f623f3e35a695634d4

Download Submit
memory/1128-0-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1128-5-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1128-7-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1128-23-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1128-48-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/1128-68-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download