0c04de9951a3657020bc0599f1a984c5708b0701c7461a030d81d4f0db768579

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d3505e13b97336d111d46a65cd3f5a8.exe
Size

220KB
MD5

0d3505e13b97336d111d46a65cd3f5a8
SHA1

0f57f31a6a19349c7532266fd1a66d977f49b5f5
SHA256

0c04de9951a3657020bc0599f1a984c5708b0701c7461a030d81d4f0db768579
SHA512

c5bd76deda613e7aa7146cf310e8c1e64b32b24bc14977fe5b8afee84cbf6d3e689bde92ec1f3a81b72aea4472397a4a71b20ea98c18cf0569fd1d3d0541b693
SSDEEP

768:jZKM11gG4ChfiPO0rfz0shcUypMC5/VKhZyg3ini2L2o277r2MIBBehUw:gMDgG4ChfiPOefgsOUqQwgH

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System applets = "C:\\Windows\\System\\applets.exe"	0d3505e13b97336d111d46a65cd3f5a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Syssrc32 = "C:\\Windows\\Syssrc32.exe"	0d3505e13b97336d111d46a65cd3f5a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fndfst32 = "C:\\Windows\\System\\fndfst32.exe"	0d3505e13b97336d111d46a65cd3f5a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer Shell = "C:\\Windows\\System\\Explorer.exe"	0d3505e13b97336d111d46a65cd3f5a8.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\Sysexp32.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File created	C:\Windows\System\Sysexp32.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File created	C:\Windows\System\mplayerw.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File opened for modification	C:\Windows\System\applets.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File created	C:\Windows\System\applets.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File opened for modification	C:\Windows\Help\intret.cnt	0d3505e13b97336d111d46a65cd3f5a8.exe
File created	C:\Windows\Syssrc32.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File opened for modification	C:\Windows\System\Explorer.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File created	C:\Windows\Help\intret.cnt	0d3505e13b97336d111d46a65cd3f5a8.exe
File opened for modification	C:\Windows\System\mplayerw.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File opened for modification	C:\Windows\Syssrc32.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File created	C:\Windows\System\fndfst32.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File opened for modification	C:\Windows\System\fndfst32.exe	0d3505e13b97336d111d46a65cd3f5a8.exe
File created	C:\Windows\System\Explorer.exe	0d3505e13b97336d111d46a65cd3f5a8.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4700	3668	WerFault.exe	86

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	0d3505e13b97336d111d46a65cd3f5a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\Explore = "%SystemRoot%\\SysWow64\\NOTEPAD.EXE %1"	0d3505e13b97336d111d46a65cd3f5a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\System\\Sysexp32.exe %1"	0d3505e13b97336d111d46a65cd3f5a8.exe

C:\Users\Admin\AppData\Local\Temp\0d3505e13b97336d111d46a65cd3f5a8.exe
"C:\Users\Admin\AppData\Local\Temp\0d3505e13b97336d111d46a65cd3f5a8.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
PID:3668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 336
  2⤵
  - Program crash
  PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3668 -ip 3668
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\Sysexp32.exe

Filesize
232KB

MD5
5926643c3f6105d90665e626d5e4981a

SHA1
7f781705b7524a0fe624c2d458b0bbcf1d19bffb

SHA256
5671ffb9200619d41e0e2913bc3b59aa3693e1161b14a7529018c867ca8f2491

SHA512
0c93b26ebf37d6db4165358211004439fa6d310f456b7a11602645dd3bbebc882780a001737824ed4a91e67a4cf07ba318d4990839acc2f169440d14fe2619de

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads