9e0eda25e9cfb2ee8e7f5e11fccc8fa2c86ed5ee8515cfc5ce166f27a9f22e94

Analysis

max time kernel
1s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038a9d178b34111fe57ab57f802d8546.exe
Size

578KB
MD5

038a9d178b34111fe57ab57f802d8546
SHA1

7859ac4a85f6add3cace2e57d30ad0acb33dded2
SHA256

9e0eda25e9cfb2ee8e7f5e11fccc8fa2c86ed5ee8515cfc5ce166f27a9f22e94
SHA512

ff0514487e1e33735ecd0ddadc41617db91668d53800c2cd009863d4c72de3ddc17b0d1156a8c73a344cec90ca2612a98b4f3ac0c770eddc786c21ce905008aa
SSDEEP

6144:rFKTotgQSF9opZ4QdQcPatxoZQi/wCVmWNbbEnoLgsIsQzI5nLn9DWZOx:QUgHF9o/7OQrZQ7smEbFMj7cJnT

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeSafe = "C:\\WINDOWS\\system32\\taskmgr.exe"	038a9d178b34111fe57ab57f802d8546.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PROTTPLN = "c:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLN.exe"	038a9d178b34111fe57ab57f802d8546.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PROTTPLV = "c:\\Program Files\\Microsoft Office\\root\\Office16\\1033\\PROTTPLV.exe"	038a9d178b34111fe57ab57f802d8546.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOLVSAMP = "c:\\Program Files\\Microsoft Office\\root\\Office16\\SAMPLES\\SOLVSAMP.exe"	038a9d178b34111fe57ab57f802d8546.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EXCEL12 = "c:\\Program Files\\Microsoft Office\\root\\vfs\\Windows\\SHELLNEW\\EXCEL12.exe"	038a9d178b34111fe57ab57f802d8546.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\taskmgr.exe	038a9d178b34111fe57ab57f802d8546.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.exe	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.exe	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.exe	038a9d178b34111fe57ab57f802d8546.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.exe	038a9d178b34111fe57ab57f802d8546.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2464	038a9d178b34111fe57ab57f802d8546.exe

C:\Users\Admin\AppData\Local\Temp\038a9d178b34111fe57ab57f802d8546.exe
"C:\Users\Admin\AppData\Local\Temp\038a9d178b34111fe57ab57f802d8546.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.exe

Filesize
597KB

MD5
e810e1234194cf1c4948c24758673fa7

SHA1
edc04b6be8e767cd1a4d37a6e0adca6f27312539

SHA256
b2e8ce4271cdcb6483b38c5ea471c86a6aba9e69f32259c44c4a21bcea87097d

SHA512
864c48ae90510c688c300c59648d3ec812f474869c7723f2a8832860bc36c5bec69c6dac1241df293ccb886c5aa1a5e6e06d19d81705f2df488bbef1d7daf7db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads