3f982d68462b35f96edcfea27dff125fe31b4c1569aa4ab783eb54bb6d15ecec

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 06:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2bddd2adaf587b782b457a2f22c4ec13.exe
Size

380KB
MD5

2bddd2adaf587b782b457a2f22c4ec13
SHA1

29c5ea894c2a85596b5b3a8c04b4e935b68b0344
SHA256

3f982d68462b35f96edcfea27dff125fe31b4c1569aa4ab783eb54bb6d15ecec
SHA512

b181a29709c4acd30f8e2fea0f47341965c8c3959ef16722cc5c8acad508fca8a7769c207774bc2bd5351c685f973c63ccc225d59c886fe186d1560a98a025d1
SSDEEP

6144:ohySMK1Zc/jWhvd0yTNxjT0M1zWyjYd/dG:6y/KQeV0C30IzWfc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2bddd2adaf587b782b457a2f22c4ec13.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	poeun.exe

Executes dropped EXE 1 IoCs

pid	Process
1704	poeun.exe

Loads dropped DLL 2 IoCs

pid	Process
2084	2bddd2adaf587b782b457a2f22c4ec13.exe
2084	2bddd2adaf587b782b457a2f22c4ec13.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /q"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /t"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /w"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /r"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /d"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /i"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /b"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /n"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /y"	2bddd2adaf587b782b457a2f22c4ec13.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /o"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /l"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /g"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /c"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /u"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /s"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /y"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /j"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /f"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /e"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /x"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /a"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /h"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /k"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /z"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /m"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /v"	poeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeun = "C:\\Users\\Admin\\poeun.exe /p"	poeun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	2bddd2adaf587b782b457a2f22c4ec13.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe
1704	poeun.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2084	2bddd2adaf587b782b457a2f22c4ec13.exe
1704	poeun.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1704	2084	2bddd2adaf587b782b457a2f22c4ec13.exe	28
PID 2084 wrote to memory of 1704	2084	2bddd2adaf587b782b457a2f22c4ec13.exe	28
PID 2084 wrote to memory of 1704	2084	2bddd2adaf587b782b457a2f22c4ec13.exe	28
PID 2084 wrote to memory of 1704	2084	2bddd2adaf587b782b457a2f22c4ec13.exe	28

C:\Users\Admin\AppData\Local\Temp\2bddd2adaf587b782b457a2f22c4ec13.exe
"C:\Users\Admin\AppData\Local\Temp\2bddd2adaf587b782b457a2f22c4ec13.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\poeun.exe
  "C:\Users\Admin\poeun.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\poeun.exe

Filesize
380KB

MD5
237fea11881078993977cf103ee3d1e3

SHA1
417f577d32668a622321c448b35332485dcf6c5b

SHA256
c992dd86135a461bb7a01a4bd9d1aaaa66fa1fd1340dd610fcae415831b28be9

SHA512
6ac961a9207c1afc85b7e56cee3bbc31cbce3de6e2877274bebbbec5124dd088a85b6fd72de3b38903a498ff1377b28bdfb10e4d3a6038a4af616383bbd7a34e

Download Submit