77e48cb8b08427f70d79a6c59879f0de8ef5a8b34c0bfefd04d0986d70a4b4da

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e3eb01ce1076d27edbb8a7c52198f37.exe
Size

62KB
MD5

7e3eb01ce1076d27edbb8a7c52198f37
SHA1

0497bc656f5fddf37dca56cb1bd1259f1f9f0aba
SHA256

77e48cb8b08427f70d79a6c59879f0de8ef5a8b34c0bfefd04d0986d70a4b4da
SHA512

4ee88112142ef7dd508af5229d157b57d5478f97288fb1b72605b4a818645b1f9b91c4ae0f61b9f97a5dd626965f55c3cdfbb41a96f2f2a3a36400c9b79105bb
SSDEEP

768:h25ylJz2omQYdKdlDAKKfW6DFKibnqenVA7/Hpheb+V7xnRqA66Ky+4XO4:E2RQK/JKjKizqenV2L36Ar

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2984	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pomhic.lih	7e3eb01ce1076d27edbb8a7c52198f37.exe
File opened for modification	C:\Windows\SysWOW64\windows.hil	7e3eb01ce1076d27edbb8a7c52198f37.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexploer.exe	7e3eb01ce1076d27edbb8a7c52198f37.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\iexplore.exe	7e3eb01ce1076d27edbb8a7c52198f37.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}.reg	7e3eb01ce1076d27edbb8a7c52198f37.exe
File opened for modification	\??\c:\windows\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}.bat	7e3eb01ce1076d27edbb8a7c52198f37.exe
File opened for modification	C:\Windows\racc.bat	7e3eb01ce1076d27edbb8a7c52198f37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe"	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\ = "´ò¿ªÖ÷Ò³(&H)"	7e3eb01ce1076d27edbb8a7c52198f37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ = "Open"	7e3eb01ce1076d27edbb8a7c52198f37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ÊôÐÔ(&R)	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ÊôÐÔ(&R)\	7e3eb01ce1076d27edbb8a7c52198f37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideAsDeletePerUser	7e3eb01ce1076d27edbb8a7c52198f37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	7e3eb01ce1076d27edbb8a7c52198f37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	7e3eb01ce1076d27edbb8a7c52198f37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ÊôÐÔ(&R)\Command	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	7e3eb01ce1076d27edbb8a7c52198f37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideFolderVerbs	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParseDisplayName	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\SIGNUP\\iexplore.exe %1 h%t%t%p:%//%w%w%w.%19%11%16%19%15.%c%o%m/#3"	7e3eb01ce1076d27edbb8a7c52198f37.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "10"	7e3eb01ce1076d27edbb8a7c52198f37.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2548	regedit.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2092	PING.EXE
2576	PING.EXE
1740	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1368	7e3eb01ce1076d27edbb8a7c52198f37.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1904	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	28
PID 1368 wrote to memory of 1904	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	28
PID 1368 wrote to memory of 1904	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	28
PID 1368 wrote to memory of 1904	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	28
PID 1368 wrote to memory of 2460	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	33
PID 1368 wrote to memory of 2460	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	33
PID 1368 wrote to memory of 2460	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	33
PID 1368 wrote to memory of 2460	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	33
PID 1368 wrote to memory of 2720	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	31
PID 1368 wrote to memory of 2720	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	31
PID 1368 wrote to memory of 2720	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	31
PID 1368 wrote to memory of 2720	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	31
PID 1368 wrote to memory of 2688	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	34
PID 1368 wrote to memory of 2688	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	34
PID 1368 wrote to memory of 2688	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	34
PID 1368 wrote to memory of 2688	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	34
PID 1368 wrote to memory of 2984	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	39
PID 1368 wrote to memory of 2984	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	39
PID 1368 wrote to memory of 2984	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	39
PID 1368 wrote to memory of 2984	1368	7e3eb01ce1076d27edbb8a7c52198f37.exe	39
PID 2688 wrote to memory of 2092	2688	cmd.exe	38
PID 2688 wrote to memory of 2092	2688	cmd.exe	38
PID 2688 wrote to memory of 2092	2688	cmd.exe	38
PID 2688 wrote to memory of 2092	2688	cmd.exe	38
PID 2984 wrote to memory of 1740	2984	cmd.exe	36
PID 2984 wrote to memory of 1740	2984	cmd.exe	36
PID 2984 wrote to memory of 1740	2984	cmd.exe	36
PID 2984 wrote to memory of 1740	2984	cmd.exe	36
PID 2688 wrote to memory of 2576	2688	cmd.exe	40
PID 2688 wrote to memory of 2576	2688	cmd.exe	40
PID 2688 wrote to memory of 2576	2688	cmd.exe	40
PID 2688 wrote to memory of 2576	2688	cmd.exe	40
PID 2688 wrote to memory of 2548	2688	cmd.exe	41
PID 2688 wrote to memory of 2548	2688	cmd.exe	41
PID 2688 wrote to memory of 2548	2688	cmd.exe	41
PID 2688 wrote to memory of 2548	2688	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\7e3eb01ce1076d27edbb8a7c52198f37.exe
"C:\Users\Admin\AppData\Local\Temp\7e3eb01ce1076d27edbb8a7c52198f37.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk" /E /C /G everyone:F
  2⤵
  PID:1904
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk" /E /C /G everyone:F
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\system32\cacls" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk" /E /C /G everyone:F
  2⤵
  PID:2460
- C:\WINDOWS\SysWOW64\cmd.exe
  C:\WINDOWS\system32\cmd.exe /c c:\windows\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2092
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2576
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s {e17d4fc0-5564-11d1-83f2-00a0c90dc849}.reg
    3⤵
    - Runs .reg file with regedit
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\racc.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2984

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
1⤵
- Runs ping.exe
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\racc.bat

Filesize
217B

MD5
72a006b7137f79093c0aa1e8961d44f4

SHA1
a3e972c916b6cf66c43d7467cf07535f79b92a62

SHA256
12e0c3dd30f810cd900ef12a2195232d64d0dd7f96a90307765177e7333f2cd3

SHA512
33456fc19821571709080305e912eca9743ebbed6ef67c46fee0a3a213a4f91929595c6ab097e0bf25a7944fe3b7328de3a8bf3143b82f4e2fcbace57dc5a72a

Download Submit
C:\Windows\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}.reg

Filesize
174B

MD5
9a6cb5b54c68a97bde0a95826e73a83c

SHA1
909a9d7abd33f16ee843c7f93cde51af6db01e2e

SHA256
b7ef73c48fb8896d4ab1b703a4be8153c3ba3b242e09c07b935586117b677769

SHA512
ec737cb7c7ec256e15a001a9d9e03758b60c7356ad687f010c6a9e16953b518b51b99fbd7aaa173ace7389496ad1ddc54b2190c4ab7281917a6b627c138fd740

Download Submit
\??\c:\windows\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}.bat

Filesize
186B

MD5
7e64707263e2f70cb09aef8e88592a2c

SHA1
3ec6aaa65888e63cb675672bde6525fcc94487da

SHA256
db6614bec72aaeb48e307d4c082c30ad0341d5fb486f2624690f21f045cb47c3

SHA512
fa4b720d17b8e025c1d00fc1efc73222dac68592d81a861b4b7179a074e16753d06fa9f79139e6f8231f2c28652788b2d6b3c97b87a01e636c1b735f0e46fa14

Download Submit
memory/1368-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download