bdeb1037e795b667e1b0f0b0136a34a7c0d5fab25c5d5935b182dd8886cd10d5

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03898b462c7e29a415cdd67c4a4bced4.exe
Size

755KB
MD5

03898b462c7e29a415cdd67c4a4bced4
SHA1

9f4e817867c4d753e418a2cb84b04c773f4560a8
SHA256

bdeb1037e795b667e1b0f0b0136a34a7c0d5fab25c5d5935b182dd8886cd10d5
SHA512

c905a4c7d48eeb27a4da37271865f5a8e2fbfcd784c82d924e94ab559c2feae69130cee985f6a21ba4abaf4d6bbedf40a0524e92a1eef04d4f916b96f10c91aa
SSDEEP

12288:ypq6C/2OGAtkCP4cejGSOpRK3CnIiv78:yp8/2+ttPJLfpRK3CnHD8

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe system3_.exe"	03898b462c7e29a415cdd67c4a4bced4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Users\\Admin\\Desktop\\system3_.exe"	03898b462c7e29a415cdd67c4a4bced4.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\h:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\n:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\x:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\u:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\v:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\y:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\a:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\p:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\r:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\t:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\k:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\q:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\s:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\e:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\g:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\i:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\j:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\z:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\l:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\m:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\o:	03898b462c7e29a415cdd67c4a4bced4.exe
File opened (read-only)	\??\w:	03898b462c7e29a415cdd67c4a4bced4.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x00000000004D5000-memory.dmp	autoit_exe
behavioral1/files/0x000a000000012243-36.dat	autoit_exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\d:\autorun.inf	03898b462c7e29a415cdd67c4a4bced4.exe
File created	\??\f:\autorun.inf	03898b462c7e29a415cdd67c4a4bced4.exe
File opened for modification	F:\\autorun.inf	03898b462c7e29a415cdd67c4a4bced4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main	03898b462c7e29a415cdd67c4a4bced4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.mydreamworld.50webs.com"	03898b462c7e29a415cdd67c4a4bced4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://www.mydreamworld.50webs.com"	03898b462c7e29a415cdd67c4a4bced4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://www.mydreamworld.50webs.com"	03898b462c7e29a415cdd67c4a4bced4.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	03898b462c7e29a415cdd67c4a4bced4.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com"	03898b462c7e29a415cdd67c4a4bced4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.mydreamworld.50webs.com"	03898b462c7e29a415cdd67c4a4bced4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe
2212	03898b462c7e29a415cdd67c4a4bced4.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2796	2212	03898b462c7e29a415cdd67c4a4bced4.exe	28
PID 2212 wrote to memory of 2796	2212	03898b462c7e29a415cdd67c4a4bced4.exe	28
PID 2212 wrote to memory of 2796	2212	03898b462c7e29a415cdd67c4a4bced4.exe	28
PID 2212 wrote to memory of 2796	2212	03898b462c7e29a415cdd67c4a4bced4.exe	28
PID 2796 wrote to memory of 1724	2796	cmd.exe	30
PID 2796 wrote to memory of 1724	2796	cmd.exe	30
PID 2796 wrote to memory of 1724	2796	cmd.exe	30
PID 2796 wrote to memory of 1724	2796	cmd.exe	30
PID 2212 wrote to memory of 2756	2212	03898b462c7e29a415cdd67c4a4bced4.exe	31
PID 2212 wrote to memory of 2756	2212	03898b462c7e29a415cdd67c4a4bced4.exe	31
PID 2212 wrote to memory of 2756	2212	03898b462c7e29a415cdd67c4a4bced4.exe	31
PID 2212 wrote to memory of 2756	2212	03898b462c7e29a415cdd67c4a4bced4.exe	31
PID 2756 wrote to memory of 2816	2756	cmd.exe	33
PID 2756 wrote to memory of 2816	2756	cmd.exe	33
PID 2756 wrote to memory of 2816	2756	cmd.exe	33
PID 2756 wrote to memory of 2816	2756	cmd.exe	33
PID 2212 wrote to memory of 1660	2212	03898b462c7e29a415cdd67c4a4bced4.exe	38
PID 2212 wrote to memory of 1660	2212	03898b462c7e29a415cdd67c4a4bced4.exe	38
PID 2212 wrote to memory of 1660	2212	03898b462c7e29a415cdd67c4a4bced4.exe	38
PID 2212 wrote to memory of 1660	2212	03898b462c7e29a415cdd67c4a4bced4.exe	38
PID 1660 wrote to memory of 696	1660	cmd.exe	40
PID 1660 wrote to memory of 696	1660	cmd.exe	40
PID 1660 wrote to memory of 696	1660	cmd.exe	40
PID 1660 wrote to memory of 696	1660	cmd.exe	40
PID 2212 wrote to memory of 488	2212	03898b462c7e29a415cdd67c4a4bced4.exe	41
PID 2212 wrote to memory of 488	2212	03898b462c7e29a415cdd67c4a4bced4.exe	41
PID 2212 wrote to memory of 488	2212	03898b462c7e29a415cdd67c4a4bced4.exe	41
PID 2212 wrote to memory of 488	2212	03898b462c7e29a415cdd67c4a4bced4.exe	41
PID 488 wrote to memory of 1516	488	cmd.exe	43
PID 488 wrote to memory of 1516	488	cmd.exe	43
PID 488 wrote to memory of 1516	488	cmd.exe	43
PID 488 wrote to memory of 1516	488	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\03898b462c7e29a415cdd67c4a4bced4.exe
"C:\Users\Admin\AppData\Local\Temp\03898b462c7e29a415cdd67c4a4bced4.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
    3⤵
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\system volume information" /e /g "Admin":f
    3⤵
    PID:696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:488
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\system volume information" /e /g "Admin":f
    3⤵
    PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\autorun.ini

Filesize
102B

MD5
948c74cd98911b420ff89dac13399bcb

SHA1
76dfc73518f003953923b1b4f2b973f4bb56a411

SHA256
94a1ac3d574425ec8a3cc01675e4d787373d2a190dddd4f8ba507c49ca3fd42a

SHA512
b31d82ede9d48e390a50a9dcf5c4c607c62638e8bc56f473250f9a56b7967d5de948abed69bbb2c35eb0112288faa5c438316b06ccbb36d289e93952b30e2ede

Download Submit
C:\Users\Admin\Desktop\system3_.exe

Filesize
755KB

MD5
03898b462c7e29a415cdd67c4a4bced4

SHA1
9f4e817867c4d753e418a2cb84b04c773f4560a8

SHA256
bdeb1037e795b667e1b0f0b0136a34a7c0d5fab25c5d5935b182dd8886cd10d5

SHA512
c905a4c7d48eeb27a4da37271865f5a8e2fbfcd784c82d924e94ab559c2feae69130cee985f6a21ba4abaf4d6bbedf40a0524e92a1eef04d4f916b96f10c91aa

Download Submit
memory/2212-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download