16edb433726e296fd8f3cde2e89d6d937e6a06f789120786e0ed3d10e3f639f9

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dfa6cd18f872377c0e7f29e151c9d73.exe
Size

220KB
MD5

3dfa6cd18f872377c0e7f29e151c9d73
SHA1

14d73e863f3c4e7d0b301096f54d81413c045a87
SHA256

16edb433726e296fd8f3cde2e89d6d937e6a06f789120786e0ed3d10e3f639f9
SHA512

0deb2d9c39eca9b85f796af768418d51fa3fb85bae183dd68ad3f440c5b28a37083cdfbb791f4bef1e94ccf6e73cca1d69399c349078d366c884e1e716247f60
SSDEEP

3072:r5/2mS99vs6v5gVzaSCzJ0rJOz01JW69ZZ5qK:N2mS9l1gzRa0ryK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3dfa6cd18f872377c0e7f29e151c9d73.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	paweb.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	paweb.exe

Loads dropped DLL 2 IoCs

pid	Process
2968	3dfa6cd18f872377c0e7f29e151c9d73.exe
2968	3dfa6cd18f872377c0e7f29e151c9d73.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /q"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /l"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /d"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /y"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /w"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /r"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /c"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /k"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /t"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /e"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /f"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /z"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /j"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /b"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /u"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /n"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /m"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /h"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /a"	3dfa6cd18f872377c0e7f29e151c9d73.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /g"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /a"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /x"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /o"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /i"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /s"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /p"	paweb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\paweb = "C:\\Users\\Admin\\paweb.exe /v"	paweb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	3dfa6cd18f872377c0e7f29e151c9d73.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe
2728	paweb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2968	3dfa6cd18f872377c0e7f29e151c9d73.exe
2728	paweb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2728	2968	3dfa6cd18f872377c0e7f29e151c9d73.exe	28
PID 2968 wrote to memory of 2728	2968	3dfa6cd18f872377c0e7f29e151c9d73.exe	28
PID 2968 wrote to memory of 2728	2968	3dfa6cd18f872377c0e7f29e151c9d73.exe	28
PID 2968 wrote to memory of 2728	2968	3dfa6cd18f872377c0e7f29e151c9d73.exe	28

C:\Users\Admin\AppData\Local\Temp\3dfa6cd18f872377c0e7f29e151c9d73.exe
"C:\Users\Admin\AppData\Local\Temp\3dfa6cd18f872377c0e7f29e151c9d73.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\paweb.exe
  "C:\Users\Admin\paweb.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\paweb.exe

Filesize
48KB

MD5
f5183fdde77b591f136e88576cf3d15f

SHA1
1762edeb1e3292b10e5d408f27065b8acc46986c

SHA256
e6a00e5ffa612456a32d10263546e5c995206299d47953fc7ba318b3161c67c6

SHA512
d8cf89cf776d6f21adb2161904fdd95071ace08fb918792dd97aeaec8aac172346512ad8f68f5469e60b67f105d4ac392caff0d0159828acbbd1d069215b3c8b

Download Submit
C:\Users\Admin\paweb.exe

Filesize
19KB

MD5
a5120751a4d7b8c1b326bd2326792170

SHA1
6d66c7f7ced50d2064857338d2e08d873bd04579

SHA256
9b0f20d7afe3bd578502e35e62b145b8962e08de70440ca2b85e933c79f470c4

SHA512
ae17e0cff8d4ad79b2bc56d008bd5818eb4dbe7af2b80974f158b07907e4fad52c2864e0a514e297fd14edb946dcbeef99f8e56256711b247556c6291f77e36b

Download Submit
C:\Users\Admin\paweb.exe

Filesize
67KB

MD5
8194db4537ec4c36edb5f7393b8adcd1

SHA1
a07d58bd46da20a90065413724f9012091a4e949

SHA256
4c9e23068bf92743463a8eb90ed179482ac275f2f5381495c8520f2dbc222f95

SHA512
8a5fbe7e7ef6f996bb71da386477ede180c7f1e2b15935eb42de590cef301058da8f8e3af47d694d80f7dfc3f4dafaf18903cad257ac3d56fcadc8cc2ec7042c

Download Submit
\Users\Admin\paweb.exe

Filesize
93KB

MD5
19f8b0a03e6ca3344dfe11c30510d385

SHA1
f36623b4376554f27fa43755457d0d49f955f714

SHA256
2eaa09c30791710808e3b4867d9381aa98abbf9355fcbc29b839a08652c8c9f5

SHA512
b7ca3e341a5a5b774ac53df6c5a3d793ffff33b9c388a2c71f1285e211f96ca769c09d8b2361b462ed06716bbba842e00a6939a1cc11011d207d488a012d9a16

Download Submit
\Users\Admin\paweb.exe

Filesize
66KB

MD5
4941d4af717e0a0c8aef291df3ad10da

SHA1
c11120484655906f930c0cd514471d805bad45ae

SHA256
96ea22008d130d923474eb33f665f561f5408834ae083b1f2158264ff93029d2

SHA512
317076149f3ede7ee2849f6c914b5ec25090ef4316a3b1faf063021ed1b411d0be3ebdf383e3afd0791b65be27569e7c4117644f012b90aa8398a713e197d8e2

Download Submit