83aaec8dfa5f0683f1815f4d8b22095d193de47d1e3526853de53a08c92bd7cd

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07707e41a8347c51c7cf3f8e291cf9de.exe
Size

155KB
MD5

07707e41a8347c51c7cf3f8e291cf9de
SHA1

a449aa21a8f5a7483f24d0e58d879588a7e50321
SHA256

83aaec8dfa5f0683f1815f4d8b22095d193de47d1e3526853de53a08c92bd7cd
SHA512

b2a4d3267b78924382249d052e64c6651f4fbd8bccd153c4476a17c7ceaae0187a9fb0d2ef5ec5c46b6da8a24c3ba9c15a94f5a0f67ae080665e1d472cb631b4
SSDEEP

3072:dZ20AXj5iNyPpT4bG2akv1I9gDPQ/EwyNzcMwfz5wAfKmmCuAFR:7AXjiU4bzx1ZnwyNz45Zh2AFR

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\8EE2FCD6\ImagePath = "C:\\Windows\\system32\\8EE2FCD6.EXE -service"	07707e41a8347c51c7cf3f8e291cf9de.exe

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2032	8EE2FCD6.EXE

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\8EE2FCD6.EXE	07707e41a8347c51c7cf3f8e291cf9de.exe
File opened for modification	C:\Windows\SysWOW64\8EE2FCD6.EXE	07707e41a8347c51c7cf3f8e291cf9de.exe
File created	C:\Windows\SysWOW64\8EE2FCD6T.EXE	07707e41a8347c51c7cf3f8e291cf9de.exe
File created	C:\Windows\SysWOW64\8EE2FCD6.EXE	8EE2FCD6.EXE
File opened for modification	C:\Windows\SysWOW64\8EE2FCD6T.EXE	8EE2FCD6.EXE
File created	C:\Windows\SysWOW64\8EE2FCD6.DLL	8EE2FCD6.EXE
File created	C:\Windows\SysWOW64\delme.bat	07707e41a8347c51c7cf3f8e291cf9de.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2032	8EE2FCD6.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2368	2240	07707e41a8347c51c7cf3f8e291cf9de.exe	16
PID 2240 wrote to memory of 2368	2240	07707e41a8347c51c7cf3f8e291cf9de.exe	16
PID 2240 wrote to memory of 2368	2240	07707e41a8347c51c7cf3f8e291cf9de.exe	16
PID 2240 wrote to memory of 2368	2240	07707e41a8347c51c7cf3f8e291cf9de.exe	16

C:\Windows\SysWOW64\8EE2FCD6.EXE
C:\Windows\SysWOW64\8EE2FCD6.EXE -service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\system32\delme.bat
1⤵
- Deletes itself
PID:2368

C:\Users\Admin\AppData\Local\Temp\07707e41a8347c51c7cf3f8e291cf9de.exe
"C:\Users\Admin\AppData\Local\Temp\07707e41a8347c51c7cf3f8e291cf9de.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\8EE2FCD6.EXE

Filesize
60KB

MD5
fc098d87de1cf29c6a62703d36d67970

SHA1
22ef31fd5a498b82dfc14b172cb2c66046a0ec08

SHA256
e0cd389ad6c80b4a7e78aa44459ebcfc7265843c7da2710e7c3d6d72a62e2cf8

SHA512
da01ff0fca84f59d0b79658186ffdff753d9e6a05116c48bbaa930f276382ca07adb77330e9d241d3ad72ce584cdbd30b2cb5c00f65bd78ae3804665dbf237f6

Download Submit
C:\Windows\SysWOW64\8EE2FCD6.EXE

Filesize
43KB

MD5
7c47eb858d002666fd953332bae19766

SHA1
3f62f5a2042ad0f1f70ad38eb735fa853946963b

SHA256
6c8fc6ba0d8f2093638ec2e3c515f8b2a8c2b068ec5bb120f8cad72d4f9ec6e1

SHA512
829654bf7dc1279d639a0d534a2a924bfd184781938d37aa7929a4386a99eba00c9dc862f8896bfc7e94ef4c254edfda713639d8a1624d3e4715b50d9b4b1095

Download Submit
C:\Windows\SysWOW64\8EE2FCD6T.EXE

Filesize
51KB

MD5
54e186d48b38e0343a5382b72c09a91d

SHA1
af65d92c0d383a80cc0e2a1c4e8054fa3098d920

SHA256
b027f794758e2de4a63f0db7caef5c816de0b1d93e818ca4f962e2eccf00412d

SHA512
30a31b11f7ebd39b1303bfb2a5a6144cfd47df082950250617c38bad446f2ee79596f08b91eb13acfe4fd9beb9a135ee8260084403e368b3d0c64096f6e51b02

Download Submit
C:\Windows\SysWOW64\delme.bat

Filesize
211B

MD5
51adc398f9b13fb57ab264661567773c

SHA1
1497d8f986599988b4e37c726c40742b330e5b1d

SHA256
fd4e423cc72a416a189eaae3ca138100c3ed677fd104b827bd63b633638f1f5e

SHA512
62511cee8b0a6bfd9baf5134264000fbfdd341b4f6e318f210b8ff466637ae97d7b03df1ffad2be01df1333b255323dc252ebfa7f199550ed2c9d4f4c9e01033

Download Submit
memory/2032-4-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2032-17-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2240-2-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download