79fc9df9125a9e81c45ddb3a52801a41305287f5fc804dfbad538a36ee830cbc

Analysis

max time kernel
0s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07297e833cc07c21d319b8020b769166.exe
Size

1.5MB
MD5

07297e833cc07c21d319b8020b769166
SHA1

fa6f4737fcd1daf68a32b497e21709e0dc7c6200
SHA256

79fc9df9125a9e81c45ddb3a52801a41305287f5fc804dfbad538a36ee830cbc
SHA512

4245aa7e35c14c3fc5d25832b842ee79de9584b7c7c2a9671af490030ab8b8c12595cda4a6fcbc3b2682c4cd1f6678098145280f9807b8be5ea132f83bc56066
SSDEEP

24576:j2VydjNC8iVYyhy7LIxO/Ia0+ZlxRxB7Yc9F0u1mHSTmza3n7F6A35UYv:dM8YhyvSO/KU7+EF0Amyzn74Yf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
548	gtop353.exe
828	Setup_TheWorld_1.exe

Loads dropped DLL 11 IoCs

pid	Process
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe
4908	07297e833cc07c21d319b8020b769166.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023217-12.dat	nsis_installer_1
behavioral2/files/0x0006000000023217-12.dat	nsis_installer_2
behavioral2/files/0x0006000000023217-11.dat	nsis_installer_1
behavioral2/files/0x0006000000023217-11.dat	nsis_installer_2
behavioral2/files/0x0007000000023212-9.dat	nsis_installer_1
behavioral2/files/0x0007000000023212-9.dat	nsis_installer_2
behavioral2/files/0x0007000000023212-7.dat	nsis_installer_1
behavioral2/files/0x0007000000023212-7.dat	nsis_installer_2

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	07297e833cc07c21d319b8020b769166.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	07297e833cc07c21d319b8020b769166.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	07297e833cc07c21d319b8020b769166.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	07297e833cc07c21d319b8020b769166.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	07297e833cc07c21d319b8020b769166.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 548	4908	07297e833cc07c21d319b8020b769166.exe	24
PID 4908 wrote to memory of 548	4908	07297e833cc07c21d319b8020b769166.exe	24
PID 4908 wrote to memory of 548	4908	07297e833cc07c21d319b8020b769166.exe	24
PID 4908 wrote to memory of 828	4908	07297e833cc07c21d319b8020b769166.exe	20
PID 4908 wrote to memory of 828	4908	07297e833cc07c21d319b8020b769166.exe	20
PID 4908 wrote to memory of 828	4908	07297e833cc07c21d319b8020b769166.exe	20

C:\Users\Admin\AppData\Local\Temp\07297e833cc07c21d319b8020b769166.exe
"C:\Users\Admin\AppData\Local\Temp\07297e833cc07c21d319b8020b769166.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\Setup_TheWorld_1.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup_TheWorld_1.exe"
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Users\Admin\AppData\Local\Temp\gtop353.exe
  "C:\Users\Admin\AppData\Local\Temp\gtop353.exe"
  2⤵
  - Executes dropped EXE
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup_TheWorld_1.exe

Filesize
47KB

MD5
a4c2d3e5909d2a494d5414f4d739bf1d

SHA1
e9c0323777683989fc38a55882311393d589a409

SHA256
c11626fd5a752151bc2c755acd7bc150022d4c8fd85afeab8d76f63a4c1ae472

SHA512
f3041cede03008e272499bcb76ff600855b98d8cc1f87711a0a077622587a6f36a3ec9e2f567349f3b493c30bcd673ff232fc813fc02686217f9bb6297e6dab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_TheWorld_1.exe

Filesize
42KB

MD5
48f423a826acbe2cdcb98c78edee21a2

SHA1
3d5f32c787cad55a591a6a5f3a4426d8f1d2753d

SHA256
7959bca81f1dc1678ed7c7b0f85d208a1ff98b30ca369523d2d25687ca3925d8

SHA512
9577b10d5e8332d71930dbb350e32fcb0e4b847237c7cdb9f5a505d4cd73f8be3fa90d0ef1e14b95238be5a6ff3c13af32bf37b58c5d1f1e1f46d4d3e4436d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtop353.exe

Filesize
106KB

MD5
62fbb3e14937de1409e88d2a8c1c9858

SHA1
56517d1ae0a28bce84c410039547cc94dd376113

SHA256
67b5e5f78309cae5953fc810448eab09356cd1abfb564b143b843381f12ea652

SHA512
e19db83560e0a7f434e0bc396613c47007dbb4356ea93de8f4121870f1ce53b8b4fdfda8cc50c61f3a413f5903d7516de4ac9bd40aa3a77cfb6d798a53306b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtop353.exe

Filesize
91KB

MD5
d4ea8a0081b5e692862efb23a89c5866

SHA1
f423512b6e87e4d6ad40541a905669a0855790ec

SHA256
a4a32015b5b31d6780eb37bfed9d230b65aa33134830921763a798a0024d0f65

SHA512
8083701dc2e2f22cd9cc103191cb482a4ec1a449cd618c8b24535d408d11e228b5734d0659340980344b848ebe86267debfb7250d15c1526fdefd8fa631a72ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv494E.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv494E.tmp\ShellLink.dll

Filesize
1KB

MD5
3ad8337647881f299446a7ad95ecd870

SHA1
650552ad3ba899e7d0fa108eb86178ab547220fa

SHA256
69630884c89f72ac853dc79e07a2e2e79042828f0db2844a32a9d2e734d3df76

SHA512
ae27fea7d7e76b105d0d6d78a38b4d18bf975a0bb1dea1434c8c33f478124461ec92d51e50b26db1e6029dee532e518b55400ec4dc1655c04b0aca96616e223f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv494E.tmp\ShellLink.dll

Filesize
2KB

MD5
cd21f835eff9d0a9b514afacd23e78c9

SHA1
98e6dd5fd9343a6ad0cd561edb3b40cb56d80da4

SHA256
d9dfa00dd35d1fa192c833eec3695c4abeecc9d7617612e44e80741c48058bac

SHA512
a36d28cb7a0ad1e0bc6eb38c017e1157eee35d9533f1846aae0f7b28a98523011f0b747f80f712a1f0648194df4753af44d21d5d2f0c42485d676bfe8094e7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv494E.tmp\ShellLink.dll

Filesize
2KB

MD5
65d1c2e81ab6ba8f7e49dd534fb6bf49

SHA1
7eaeabb2dc174f74a0728f2c8c889df74d2e919c

SHA256
599165662cf0d2fb78e240cd5d09a955f362339003ef5d6f1cce54759b957051

SHA512
bce0e85a490f9bda4e07ec8ccd5f51f566745e64d597d4707d8ed8d98310b239d614d8d90fcf9368158e5aaed782d788559bba30567b83a66c4d8a307ed2a0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv494E.tmp\ShellLink.dll

Filesize
1KB

MD5
e3b02737a410ee68259115b97083f1dd

SHA1
76f6745022edf0621f92839ab9f0a7bdd8bb0b02

SHA256
1d8787450f060b1b6675209d439f05f5295d2637018ba5c7af86040eac5fd4a7

SHA512
e8e45583104c15a8bc914e81dc64da42e7967dc26cd92ecd72f36a0f08f31a4abdc11284dd54311d7dc9627982ff5659abe0889077c7ff75d42026adc5a28fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv494E.tmp\ShellLink.dll

Filesize
173B

MD5
cca9a4cd3414923e5456fc402a01f2ba

SHA1
14dd26f5a17f5658113b2fd764ea6fe962420d59

SHA256
d75a95f0e5e28284df7c115ab13338d2ab76e52ee66d5f0f1ffb7a94221ba3ed

SHA512
11c4ad5c9d6c43444ca3fd251ecfb55396832726876bf84983f584bcb18fec0ff35ff5f11d09298ad9c2a15d0c008fd631ae51cd125b6a039c0f8b0271d45fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv494E.tmp\System.dll

Filesize
1KB

MD5
0aa5a15ed70052d5183cd38aad168f63

SHA1
6ecd23176912c3dae8ba59580330fc4eb770f365

SHA256
02681d220b904b4b167ef9c137313e9681d9911a2a5ae801cfdae61c0fc58207

SHA512
d1f96fb40781f70cd002d2d8ad246a42bd2acd79be072a904a624358891bc6a336da135e302e064c05c72f890f4b25d6296661a52cc46f7fa7e5683c5e57bbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv494E.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit