Overview

overview

10

Static

static

3

2c0536c619...26.exe

windows7-x64

10

2c0536c619...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    10s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c0536c6191956d742bd83ec2a017a26.exe

  • Size

    260KB

  • MD5

    2c0536c6191956d742bd83ec2a017a26

  • SHA1

    4272f57c64a28ebbb52f38a4342c90fda7197048

  • SHA256

    c4195076b966e8146f07b8eb21e273ea3addf2dc18cd66f424810e726693a953

  • SHA512

    2da5be68bcb1c84c4af1a7e89bf8f5c1ed651399707264279b2eeff66f2649a3d965afe2bf66d64ce8c24a4bc89390dd3eea93ae85bc8454552ee97738e979fc

  • SSDEEP

    3072:s3dHL73TexvQnuQvz2iU4MTu0dyK3SDrLT7eodz:GbeZDUrLT7

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 1 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • System policy modification 1 TTPs 5 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c0536c6191956d742bd83ec2a017a26.exe
    "C:\Users\Admin\AppData\Local\Temp\2c0536c6191956d742bd83ec2a017a26.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Autorun.inf
    Filesize

    99B

    MD5

    63577320caf54ce293c63232ae04fa45

    SHA1

    ab5bcde099947c5fdfbe75d9c0f6fd64577c1ed5

    SHA256

    67b606e45f8e2b09aaf421306193f99a94b9ca8b619695ea39b21ee6166dd195

    SHA512

    edefa5ecd6e6b598373da9fdfe221378f528843d27842e69e1c22210b5072ccd2825ef3899361e8fdeb6a69304612e64032812f884ff100a2314eef5360b302d

    Download Submit

  • C:\Windows\winxp.exe
    Filesize

    260KB

    MD5

    2c0536c6191956d742bd83ec2a017a26

    SHA1

    4272f57c64a28ebbb52f38a4342c90fda7197048

    SHA256

    c4195076b966e8146f07b8eb21e273ea3addf2dc18cd66f424810e726693a953

    SHA512

    2da5be68bcb1c84c4af1a7e89bf8f5c1ed651399707264279b2eeff66f2649a3d965afe2bf66d64ce8c24a4bc89390dd3eea93ae85bc8454552ee97738e979fc

    Download Submit