e33b6a53aa28828436a46bd806b55111bc885f5da603d04da558aa3f11f77a2a

Analysis

max time kernel
127s
max time network
166s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07e084fb851f428105df2f8fb081c215.exe
Size

173KB
MD5

07e084fb851f428105df2f8fb081c215
SHA1

f7c5254f5edc717c941f7a730f99f5bbdf602748
SHA256

e33b6a53aa28828436a46bd806b55111bc885f5da603d04da558aa3f11f77a2a
SHA512

e3782609ee19e87930d8568c4bcc93ac51961d29980028cc76bfe23e7dffe4819245a3dcaa0093280ee3930f15357c47b7167c0fbae5493dfd575f46fa10506e
SSDEEP

3072:NCSrypcQfS80RGzcfkwQUhSkQ7rawejT3XpqMvvttaxbMDGzn:brxginQUh8fa9T3gMHjWsQ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	es7rk07m.exe

Loads dropped DLL 1 IoCs

pid	Process
2860	07e084fb851f428105df2f8fb081c215.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\es7rk07m.exe = "C:\\Users\\Admin\\AppData\\Roaming\\es7rk07m.exe"	07e084fb851f428105df2f8fb081c215.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	es7rk07m.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	es7rk07m.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	es7rk07m.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe
2340	es7rk07m.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2340	es7rk07m.exe
2340	es7rk07m.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2340	2860	07e084fb851f428105df2f8fb081c215.exe	28
PID 2860 wrote to memory of 2340	2860	07e084fb851f428105df2f8fb081c215.exe	28
PID 2860 wrote to memory of 2340	2860	07e084fb851f428105df2f8fb081c215.exe	28
PID 2860 wrote to memory of 2340	2860	07e084fb851f428105df2f8fb081c215.exe	28

C:\Users\Admin\AppData\Local\Temp\07e084fb851f428105df2f8fb081c215.exe
"C:\Users\Admin\AppData\Local\Temp\07e084fb851f428105df2f8fb081c215.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Roaming\es7rk07m.exe
  "C:\Users\Admin\AppData\Roaming\es7rk07m.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LSNXCBKV\ib2[1].htm

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
C:\Users\Admin\AppData\Roaming\5a96s0jao7ahg2hx.dat

Filesize
8B

MD5
cfb34f28c31cc2813915cc501a7649cf

SHA1
87cd4dcd216b991be3a4610e34f7544a19bfcec1

SHA256
8d749d3b347d484ccb910e2cbc6f725eb4b992c259472b1e6e31a204a2985201

SHA512
8950fd6800c778b48f86b86ff41314d520138dccea3526a53fd71b6d72467535f222ea96d9f327fd2c307f59cefd88ba6ce28fe25680b4cdb3a43368954e2c76

Download Submit
C:\Users\Admin\AppData\Roaming\es7rk07m.exe

Filesize
65KB

MD5
e281a801596032d3ee1a58c58f701722

SHA1
4c21f7af6d83b191c6d4b320544d61b3bd4e251c

SHA256
b13a36b9df5265b2c6a6448209d7e1286216d606f4484aeb6d4f9bbe3d7ec1ba

SHA512
7b6a0ae662d59ec9287a14d027c1804049d90f613d2395f75cac023a6e8ef6576befe9f4835975a806d05678e91694d0fac1d83f082f78a6bf9721c49567cc03

Download Submit
C:\Users\Admin\AppData\Roaming\es7rk07m.exe

Filesize
106KB

MD5
9016974dc33c534aaea9ce579551ee4f

SHA1
1afe7d93910358fa2af65cd5dbcd54882aec6c3c

SHA256
44e81c8360bb479dde2e2bf2c29997f93cfcb0d8a29f4bdbac0bafdda21f1b54

SHA512
b3cd3c386a9f0eaf7cc831fe820e71bccc080c8d73ac5a2017f94dd8b5993220d0303ec03116c4eeeabde17ab2d7cb89c33321fca81323df10a86f26e7433432

Download Submit
\Users\Admin\AppData\Roaming\es7rk07m.exe

Filesize
100KB

MD5
96c206742ceca4aac25104e491c0b2ee

SHA1
b2af8170dd4aae8958012561882370ef8d1351c4

SHA256
911a32eb46f89e281b41502a48c505d3a008310072b0b1c7732fba23c73f7b2b

SHA512
72c991df44d643ff55ebace68fd59e2fc0ad9fda4b86ea752a848148e9a9d0513ebe79231840eb5808b4ef0c8cb8587f55f5dfab9e4cc99086427581a3b43fc6

Download Submit
memory/2340-54-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-46-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-15-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2340-86-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-82-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-33-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-78-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-38-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-40-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2340-42-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-73-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-50-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-70-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-58-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-62-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2340-65-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2860-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2860-10-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2860-3-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2860-2-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2860-12-0x00000000004F0000-0x0000000000564000-memory.dmp

Filesize
464KB

Download