21dc6d16d60e4dcabaa02ed1c3d8ceb4f3c7de1e17d1cfb4a58de0f9d427835b

Analysis

max time kernel
146s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21c5614aed7ad2133010443badb8c3f5.exe
Size

90KB
MD5

21c5614aed7ad2133010443badb8c3f5
SHA1

43d581bd07cf4d25476b296b02e52f123a6f483b
SHA256

21dc6d16d60e4dcabaa02ed1c3d8ceb4f3c7de1e17d1cfb4a58de0f9d427835b
SHA512

1fc3153302e1fe567d36164d8ba3599a82950f4fde7752c816b33fec6a0bf5704004c7fca9671be0f19c0fcb91fac5900b0c6d4ea55ea4b64712d221bacdc168
SSDEEP

1536:PAqu2a0GQ4B7dCWBks2GWzynRHN8x20HSJu0aetLPKLbZmSZJo3RQ9SV/NuWZ6GW:AT7kIkKWz8ybHSJPKL0GJoXNuWIO6n

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H16VOLC3-X6B3-42WI-QT57-C16WJPEA1IGP}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H16VOLC3-X6B3-42WI-QT57-C16WJPEA1IGP}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\""	Server.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	Server.exe

Loads dropped DLL 2 IoCs

pid	Process
2884	21c5614aed7ad2133010443badb8c3f5.exe
2884	21c5614aed7ad2133010443badb8c3f5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fotos = "C:\\Users\\Admin\\AppData\\Roaming\\Server.exe"	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2148	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2148	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2948	2884	21c5614aed7ad2133010443badb8c3f5.exe	28
PID 2884 wrote to memory of 2948	2884	21c5614aed7ad2133010443badb8c3f5.exe	28
PID 2884 wrote to memory of 2948	2884	21c5614aed7ad2133010443badb8c3f5.exe	28
PID 2884 wrote to memory of 2948	2884	21c5614aed7ad2133010443badb8c3f5.exe	28
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29
PID 2948 wrote to memory of 2148	2948	Server.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\21c5614aed7ad2133010443badb8c3f5.exe
  "C:\Users\Admin\AppData\Local\Temp\21c5614aed7ad2133010443badb8c3f5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Roaming\Server.exe
    "C:\Users\Admin\AppData\Roaming\Server.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Server.exe

Filesize
90KB

MD5
21c5614aed7ad2133010443badb8c3f5

SHA1
43d581bd07cf4d25476b296b02e52f123a6f483b

SHA256
21dc6d16d60e4dcabaa02ed1c3d8ceb4f3c7de1e17d1cfb4a58de0f9d427835b

SHA512
1fc3153302e1fe567d36164d8ba3599a82950f4fde7752c816b33fec6a0bf5704004c7fca9671be0f19c0fcb91fac5900b0c6d4ea55ea4b64712d221bacdc168

Download Submit
memory/1380-20-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2884-10-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2948-13-0x0000000010410000-0x0000000010438000-memory.dmp

Filesize
160KB

Download
memory/2948-19-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads