eaf7f2337fd37afb1315b03a94ddabe47f960547e08df0f4698ba556a815d41f

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

694bee946ed34b1ba426d9cbd20f1ad5.exe
Size

54KB
MD5

694bee946ed34b1ba426d9cbd20f1ad5
SHA1

960e7176f3311bfb921c8b48c6598a129aa83905
SHA256

eaf7f2337fd37afb1315b03a94ddabe47f960547e08df0f4698ba556a815d41f
SHA512

d200e5fe7d3cb2e8c69e25e52611980171bc51574eeb12d377990c99db0a5ad4f62d34470906e52479fd35c811dd04df5086c75b743f2e11c9b156ccc4f33e19
SSDEEP

768:ldPrFwRYFapYstQQ2kDDIiJgLhHtR1krnGOVZWnrtvUsonlJVoJa9b1nY:ltFw9tQQ2krgLdt8jKrtvUsUJoJM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2080	socketme.exe

Loads dropped DLL 4 IoCs

pid	Process
1992	694bee946ed34b1ba426d9cbd20f1ad5.exe
1992	694bee946ed34b1ba426d9cbd20f1ad5.exe
2080	socketme.exe
2080	socketme.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\socketme = "socketme.exe"	socketme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\socketme = "socketme.exe"	694bee946ed34b1ba426d9cbd20f1ad5.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\socketme.exe	694bee946ed34b1ba426d9cbd20f1ad5.exe
File opened for modification	C:\Windows\SysWOW64\socketme.exe	694bee946ed34b1ba426d9cbd20f1ad5.exe
File created	C:\Windows\SysWOW64\32syslib.dll	694bee946ed34b1ba426d9cbd20f1ad5.exe
File created	C:\Windows\SysWOW64\hide.dll	694bee946ed34b1ba426d9cbd20f1ad5.exe
File created	C:\Windows\SysWOW64\socketme.exe	socketme.exe
File opened for modification	C:\Windows\SysWOW64\32syslib.dll	socketme.exe
File opened for modification	C:\Windows\SysWOW64\hide.dll	socketme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2080	socketme.exe
2080	socketme.exe
2080	socketme.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2080	1992	694bee946ed34b1ba426d9cbd20f1ad5.exe	28
PID 1992 wrote to memory of 2080	1992	694bee946ed34b1ba426d9cbd20f1ad5.exe	28
PID 1992 wrote to memory of 2080	1992	694bee946ed34b1ba426d9cbd20f1ad5.exe	28
PID 1992 wrote to memory of 2080	1992	694bee946ed34b1ba426d9cbd20f1ad5.exe	28

C:\Users\Admin\AppData\Local\Temp\694bee946ed34b1ba426d9cbd20f1ad5.exe
"C:\Users\Admin\AppData\Local\Temp\694bee946ed34b1ba426d9cbd20f1ad5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\socketme.exe
  "C:\Windows\System32\socketme.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\32syslib.dll

Filesize
5KB

MD5
0b5eccbf1ac781014e6831d099ee15db

SHA1
527e331e2f2e8a9e955f5070f563394ed17d631f

SHA256
be50aab08c66c05ddc815c5d4cfdec3f446c4c45a30495bf18f3f80c0788cec8

SHA512
e4a3799eb7b6ee20af4f34b68c0bd11a890c95d6aa9ff0d518c8edff7932da71aa1e0ac8f2ea963f805965a877ed63c12f895f185fb07015272a136f603a25bb

Download Submit
C:\Windows\SysWOW64\hide.dll

Filesize
21KB

MD5
544f25499be553eee4fa3f8b2d482685

SHA1
be43b0060e94527506f5fdbafe1f5a3fdb84ecf7

SHA256
a9645fac0341243c47bc9408fd771096664e03b7a8a31351e2ec799a47b31b9b

SHA512
453b6c58a80a02dede9f9c54fdda62c8dad30badf9f93f24d8a857b7c6f7be95946bf26c9a478c90e967e5a183c2564675afff3514d772042f645a3dd84f7a3a

Download Submit
\Windows\SysWOW64\socketme.exe

Filesize
54KB

MD5
694bee946ed34b1ba426d9cbd20f1ad5

SHA1
960e7176f3311bfb921c8b48c6598a129aa83905

SHA256
eaf7f2337fd37afb1315b03a94ddabe47f960547e08df0f4698ba556a815d41f

SHA512
d200e5fe7d3cb2e8c69e25e52611980171bc51574eeb12d377990c99db0a5ad4f62d34470906e52479fd35c811dd04df5086c75b743f2e11c9b156ccc4f33e19

Download Submit
memory/2080-20-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/2080-21-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads