Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
31-12-2023 06:35
General
-
Target
2be023437c9ac2ee5cf5ff59f2755695.exe
-
Size
121KB
-
MD5
2be023437c9ac2ee5cf5ff59f2755695
-
SHA1
fce23cea7072b64f26e93c4d22e110313e373c45
-
SHA256
95b9b425ba1ba1a3033854240482ebafbe574717fe656b6642e13a29acdf683b
-
SHA512
3a0a6c0a88466eed5facb3ff19e33fc302e7c0e7d09595001df7261a63bb3507eb70b98c2ba1d5aea6c23d4fa4146b5daf0292954550093146f072822c553cf5
-
SSDEEP
3072:QCbOc4Mx4WckUmgAsOxIYcNmqr5pHkDdKblcd8A5RxfF70H5:Q9qxf+ArxIYgrHgKRcN5RxN70H5
Malware Config
Signatures
-
Sets file execution options in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 29 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 37 IoCs
-
Modifies registry class 64 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2be023437c9ac2ee5cf5ff59f2755695.exe"C:\Users\Admin\AppData\Local\Temp\2be023437c9ac2ee5cf5ff59f2755695.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F3⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F3⤵
-
-
C:\ntfsus.exeC:\ntfsus.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s4⤵
- Loads dropped DLL
- Modifies registry class
-
-
C:\Windows\SysWOW64\net.exenet start4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start5⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\ntfsus.exe.bat4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -a -r -s -h "C:\ntfsus.exe"5⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.000"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.dll"3⤵
-
-
C:\Windows\SysWOW64\com\LSASS.EXE"C:\Windows\system32\com\LSASS.EXE"3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\ntfsus.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Windows\system32\com\bak"4⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|E:\pagefile.pif"4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|D:\pagefile.pif"4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE^|C:\pagefile.pif"4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\ping.exeping.exe -f -n 1 www.baidu.com4⤵
- Runs ping.exe
-
-
\??\c:\program files\internet explorer\iexplore.exehttp://w.c0mo.com/r.htm4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:292 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\LSASS.EXE /e /t /g Admin:F1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.dll"1⤵
-
C:\Windows\SysWOW64\com\SMSS.EXEC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Windows\system32\com\netcfg.000"1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\ntfsus.exe"1⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c rd /s /q "C:\Windows\system32\com\SMSS.EXE"1⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\SMSS.EXE /e /t /g Admin:F1⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F1⤵
-
C:\Windows\SysWOW64\com\SMSS.EXEC:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|E:\pagefile.pif1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\com\SMSS.EXEC:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|D:\pagefile.pif1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\com\SMSS.EXEC:\Windows\system32\com\SMSS.EXE C:\Windows\system32\com\LSASS.EXE|C:\pagefile.pif1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD584b87060efae06f32823b33c64082a20
SHA1d8a6994b756d8ec6f566e8b118aea1caaa9d1694
SHA256fee1a9a9473033a459cd2c1e1a716fb069deac222da959b744f99a828700c845
SHA51279c2bbb92b2e52e833881b34e1336f411cf393e3007436d96598949792150bbf38a4a74eda09406604b6cc0d1a45dfae6221063f7395a7c12cce2b0b12ef6513
-
Filesize
344B
MD5d890b069adc9fe90cd731fb42a8acd5d
SHA121c68a2fd2f0377de3e87ff0e25a4304de026ec1
SHA256f0e3eee383a3b99f342b49f6d63017b56b5a6952b543b17ff1fc22db18671618
SHA512245d2312aa480176c03a8dc3a45707598bb9b2446c4bd017a535ca344eb821303c7cd1afe4b0aa90e86b256495ea6405ace5732661a16b726cfc1f34ecae95eb
-
Filesize
344B
MD5fdbbb5b1a5b26f45955910ced69928fb
SHA196808dce53746e0704eeac1a6f47cd1a717e2f7e
SHA2561e9860334b98226f7512ac12d9f216957c677b7269c5d0501b1ebef6b14a2ec0
SHA5129926321ec2689602719d2d45d53d0ea2ac6a6a9662cd8891349cf13e1feb70df5b3b2ca8674fedc67dda093cb509d958ae43ba735c3ac7c2222922975dd45436
-
Filesize
344B
MD5415584c92ac2c632fc28776f1060f3ca
SHA1c07478b33e6f333722e8badaff9f1b0c070878c2
SHA256f06045e253ec8608357b51c5fabac6dcf9a0368b6f8773bb99728b539e425c4f
SHA5123a6b3e4899e8c56fc35ecbd6504b34d25c70519abbd178aebc00fa9c403d7798937f6fce937376273d5411a815077033ba95c7610536a5122adfa9af3a9201fc
-
Filesize
344B
MD592ee763be6f9cea9337cbca0b12c8873
SHA1d0ff76fdab5a77f05a9a193600bf655131e3d472
SHA25617c6e77fa14352a230e8dda2ce6d7eaf9d4034bd4add1843c2d7269aea1def27
SHA512d1201b7c5e22965d0ad580db32db086d80f48a4a5c834fdedf206eaf33a4ee33cb54bca6e8d125f609df2572bb9208aa390c0d9d77ad591691b6c63e3b9ab2c8
-
Filesize
344B
MD553778beb20bae9cc1294d825ec84b34a
SHA1971ad43ab7c190275a5b73742cfb072b0a44fc85
SHA25620e866e2baa0138f8da99668ad222a0898bd39ad0779d45919b96e75741fc566
SHA512499d5bed3124930f2096bbfa094fe5772db0baaa2cdb3ecbc0206249ddf80400d431bf2bdfe684314af5bf058d5af7d0f3fa6af64b0fabbd25869b139882f3f7
-
Filesize
344B
MD512e2c45b79604477d1f59fc421902d1f
SHA18e77a8f4bf678e3f120009ceb5e4150e6c8aff26
SHA256586871b06b3c0bfcac482ded9396fa77990c3e95a5e6636c65c75fed0de9d26a
SHA512850621aa091d3ac28e4cab6b41f1ad8fa901125616311b4ab69e3c81948de63f594293b65f41c40468df680e7e2f86676bf139613e16ca5734aae2aec23323d8
-
Filesize
344B
MD5b4a8a112449a749b3bbded6991a7273e
SHA1d445a129ac284f7bc8a5d4fc7a3e8f3a3a6449a8
SHA2561acebb665c4eb1b21e687af2b8857cda80a03473463bcf3d65bd2a1592213432
SHA512062a41683fa9245ad2c8d86bcdbc2da1ecb09d45b3d8a643a75c260de87b4555c4cadeda45051709da8150b6163f03a9ae16ff5a718d97858c17cf0520a5e3a1
-
Filesize
344B
MD57533300365319ba9690d6e9717515fb4
SHA1a318d4ce89230e80e9864acb2227f303f897ed23
SHA2560b6e14e22e0d622232121f232852e48aeaa3e44a2695f38b99a822abd5b56344
SHA512af64a22d8f78deb28e01a884f07c53ffc87a90f9de01ea68c2439b403a6077c4bf52b51f92369ee47b0554b4b2fc9cbdc99ba1335aa8c9350e19a6db911aeba7
-
Filesize
344B
MD52659120061ec2c12a0ad25cafebe1987
SHA167e82049ac734a12e327b57ea43a900d09da1673
SHA256de6796677cae27554d8c9ed6ed7b6008583c0eeff224f065ee3b4247e1b61111
SHA51216463ae93a35d294b351e7b99b3cd146fcf0874a2211bd69034225f07df3ac1d860205c022333a0e1ce60c1f668e1b4293cf0936ce72be8be48f875e8f216449
-
Filesize
344B
MD5d4d7fd2e7843d2c3ac0f21292a62a39e
SHA1d15325507db2dccc3335e3dad68ff0efb8073c91
SHA256d0d413643a15eb449116cc3182fb259f919d8dcb1b32edf42854caed62a38195
SHA5127ce15c99fae67ff4b8860c29379be63ddb28d4f27f57ea5e0dd6257f09121da8faf08cefa9c48c8987a92ec6f2243300bb4d53b133514bcf4d884a234e82948d
-
Filesize
344B
MD52ba70492875d9300692369871c8719b5
SHA112d6ab1901e49c0a5686e25882fae0bae2b75b1c
SHA2564a0674f0ee6f13da3dc25d1c87c385c1ceddfbd7be8078374c4881e697148a3d
SHA5126123eea801b70df6ee5832e664d7b6790c049cd8b1e131043028d1d999512f2ff3f5c4f9dff5569698d4eec98f2ebf5aa1d6a884ead9dd861510dc611ff45b35
-
Filesize
344B
MD52947cabd9bf37c87869dbb9e8ebe75dc
SHA19278cb55cf6bcac20c0a14df22c4a734d2e177c8
SHA256d7c294b8e1826607173ffd675665c9d0cf00246137ff5aabe01fff26d10a591f
SHA512d8210450d37a02483b3a77b921f1de18da03c1e2e42d0453cefab170cb1855a46e3a30d62a2e371deba0b34ba00600f8420c4dbbc5044c3cf3294c5163b5be33
-
Filesize
344B
MD5fd92c2da6f2bc93f5d9138fd763495e6
SHA11e15f42a482fd826e3b26a835cabb1a4b42288d1
SHA25697e704d38593215f854d2dc27f12ee262403fac44f4b53a37fd6c7417f340d46
SHA51276c31c774f2061b398b558421af882d1b6cb25db919d33d0c9d29dc860c31823518f646bdfccef63b41fe7112dbbde1f4d069899bed6126ca62b51d22176de9f
-
Filesize
346B
MD5f84f931c0dd37448e03f0dabf4e4ca9f
SHA19c2c50edcf576453ccc07bf65668bd23c76e8663
SHA2565c1d5fd46a88611c31ecbb8ffc1142a7e74ec7fb7d72bd3891131c880ef3f584
SHA512afc3089d932fb030e932bf6414ac05681771051dd51d164f09635ca09cbd8525a52879524b6aa24e972e7766ddf529484cc1ec416de8b61255435a89ba781f8c
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
92KB
MD560b46c60c90e04b78788bd459609d4fa
SHA15ce0804df09e653dbc80ac0611a38ec66559cbde
SHA2568656c09f7010e608be4c25f71f0bdfdc7bb6096c07488e3bb1671a6f9f0b6e7b
SHA512d315771d291f689e04f2e3ce1c5e649ab903aa5edf997d652409a87bd38a40b6fd308bffd401ae67e06988d28f1705141f22e7f7f19ade110d2b80e77ec6ef6a
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
4KB
MD59fe4e127b4572f06e841a89c628bd0c3
SHA18a2ebf107a5e8c1643186e822f195f1bb2fa592e
SHA256754d752c265f25b3a7400434885547fc6bdc24de28560153a4481da68c4db94d
SHA51299f03eb1ac540a71d1c61c35638ec7cebbdfd4c1bdb071d3056b7aef4470e01b5697cd14f421349eb0ffcb3732eabe07eab1d84f003c07c564cfc57bbe66137d
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
44KB
-
Filesize
184KB