c2533bad43ab0449d202876cc4a8e6d8abbee23fd74f85407ad93b458e6091a0

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 03:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f0c60d07e6662695b601a51bc2cbc98.exe
Size

70KB
MD5

4f0c60d07e6662695b601a51bc2cbc98
SHA1

e2659562672a0365022fb70c795cb0e154c50f3c
SHA256

c2533bad43ab0449d202876cc4a8e6d8abbee23fd74f85407ad93b458e6091a0
SHA512

db362410d2d27dafe0ad78b2deabab4e233417f67b448a538f94ada51cd5e2170130b20a4d56bac49f23173f2ecb2d7262a6c692c54b4b3550ced81e76f48b26
SSDEEP

1536:j0qesbkIvHkPJ/gbGuKh1cZ/VogBnLUxy+H2SwGO1ZE:j0qhjvoIrg2/CGLU4soZE

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	4f0c60d07e6662695b601a51bc2cbc98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}	4f0c60d07e6662695b601a51bc2cbc98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}\stubpath = "C:\\Windows\\system32\\intrenat.exe s"	4f0c60d07e6662695b601a51bc2cbc98.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\intrenat = "C:\\Windows\\system32\\intrenat.exe"	4f0c60d07e6662695b601a51bc2cbc98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\intrenat = "C:\\Windows\\system32\\intrenat.exe"	4f0c60d07e6662695b601a51bc2cbc98.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\plugin1.dat	4f0c60d07e6662695b601a51bc2cbc98.exe
File opened for modification	C:\Windows\SysWOW64\intrenat.exe	4f0c60d07e6662695b601a51bc2cbc98.exe
File created	C:\Windows\SysWOW64\intrenat.exe	4f0c60d07e6662695b601a51bc2cbc98.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1832	4f0c60d07e6662695b601a51bc2cbc98.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1832	4f0c60d07e6662695b601a51bc2cbc98.exe
1832	4f0c60d07e6662695b601a51bc2cbc98.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1356	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	7
PID 1832 wrote to memory of 1356	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	7
PID 1832 wrote to memory of 1992	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	17
PID 1832 wrote to memory of 1992	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	17
PID 1832 wrote to memory of 1992	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	17
PID 1832 wrote to memory of 1992	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	17
PID 1832 wrote to memory of 1992	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	17
PID 1832 wrote to memory of 1992	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	17
PID 1832 wrote to memory of 1992	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	17
PID 1832 wrote to memory of 1992	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	17
PID 1832 wrote to memory of 1356	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	7
PID 1832 wrote to memory of 1356	1832	4f0c60d07e6662695b601a51bc2cbc98.exe	7

C:\Users\Admin\AppData\Local\Temp\4f0c60d07e6662695b601a51bc2cbc98.exe
"C:\Users\Admin\AppData\Local\Temp\4f0c60d07e6662695b601a51bc2cbc98.exe"
1⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1992

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-2-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1832-14-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download