44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

max time kernel
17s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
Size

2.1MB
MD5

e4bf35b81bfaa0e789ad9461dbacb542
SHA1

dcf7b855b2c3516a6b88a410ef5b44a2c650f62d
SHA256

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
SHA512

6635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d
SSDEEP

49152:Iw80cTsjkWanAlfiebWlHcA+G6HYaqK3hUQrObmyPYjR+:Z8sjkrgWezG6lh73jR+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

yk7E131Y1C.exe

pid process

3756 yk7E131Y1C.exe

pid	process
3756	yk7E131Y1C.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\yk7E131Y1C.exe"	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4880 PING.EXE

pid	process
4880	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exeyk7E131Y1C.exe

pid	process
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
3756	yk7E131Y1C.exe
3756	yk7E131Y1C.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exeyk7E131Y1C.exe

pid	process
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
3756	yk7E131Y1C.exe
3756	yk7E131Y1C.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe

description	pid	process	target process
PID 1436 wrote to memory of 2312	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 2312	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 2312	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 3756	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	yk7E131Y1C.exe
PID 1436 wrote to memory of 3756	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	yk7E131Y1C.exe
PID 1436 wrote to memory of 3756	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	yk7E131Y1C.exe
PID 1436 wrote to memory of 2240	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 2240	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 2240	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 2240 wrote to memory of 4880	2240		PING.EXE
PID 2240 wrote to memory of 4880	2240		PING.EXE
PID 2240 wrote to memory of 4880	2240		PING.EXE

C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
"C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.docx"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 1 localhost > nul & del /f /q "C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"
  2⤵
  PID:2240
- C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
  C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3756

C:\Windows\SysWOW64\PING.EXE
ping -n 1 localhost
1⤵
- Runs ping.exe
PID:4880

C:\Windows\SysWOW64\whoami.exe
whoami /all
1⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c whoami /all
1⤵
PID:3560

C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
"C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Roaming\yk7E131Y1C.tmp"
1⤵
PID:3576
- C:\Windows\System32\eventvwr.exe
  "C:\Windows\System32\eventvwr.exe"
  2⤵
  PID:1368
- C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
  /scomma C:\Users\Admin\AppData\Roaming\~mED216D4A93FF.tmp
  2⤵
  PID:4884
- C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
  /scomma C:\Users\Admin\AppData\Roaming\~pED216D4A93FF.tmp
  2⤵
  PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c whoami /all
  2⤵
  PID:4132

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
1⤵
PID:2696

C:\Windows\SysWOW64\whoami.exe
whoami /all
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-17-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-178-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-14-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-13-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-15-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-16-0x00007FF4E1ED0000-0x00007FF4E1EE0000-memory.dmp

Filesize
64KB

Download
memory/2696-11-0x00007FF817E40000-0x00007FF818901000-memory.dmp

Filesize
10.8MB

Download
memory/2696-175-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-165-0x00007FF817E40000-0x00007FF818901000-memory.dmp

Filesize
10.8MB

Download
memory/2696-179-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-18-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-176-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-12-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-177-0x00007FF4E1ED0000-0x00007FF4E1EE0000-memory.dmp

Filesize
64KB

Download
memory/3576-36-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/4344-166-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4344-162-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4344-173-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4344-159-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4344-155-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4884-164-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-163-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-171-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-167-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-158-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download