44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

max time kernel
17s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
Size

2.1MB
MD5

e4bf35b81bfaa0e789ad9461dbacb542
SHA1

dcf7b855b2c3516a6b88a410ef5b44a2c650f62d
SHA256

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
SHA512

6635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d
SSDEEP

49152:Iw80cTsjkWanAlfiebWlHcA+G6HYaqK3hUQrObmyPYjR+:Z8sjkrgWezG6lh73jR+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

yk7E131Y1C.exe

pid process

3756 yk7E131Y1C.exe

pid	process
3756	yk7E131Y1C.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\yk7E131Y1C.exe"	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4880 PING.EXE

pid	process
4880	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exeyk7E131Y1C.exe

pid	process
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
3756	yk7E131Y1C.exe
3756	yk7E131Y1C.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exeyk7E131Y1C.exe

pid	process
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
3756	yk7E131Y1C.exe
3756	yk7E131Y1C.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe

description	pid	process	target process
PID 1436 wrote to memory of 2312	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 2312	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 2312	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 3756	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	yk7E131Y1C.exe
PID 1436 wrote to memory of 3756	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	yk7E131Y1C.exe
PID 1436 wrote to memory of 3756	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	yk7E131Y1C.exe
PID 1436 wrote to memory of 2240	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 2240	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 1436 wrote to memory of 2240	1436	04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe	cmd.exe
PID 2240 wrote to memory of 4880	2240		PING.EXE
PID 2240 wrote to memory of 4880	2240		PING.EXE
PID 2240 wrote to memory of 4880	2240		PING.EXE

C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
"C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.docx"
2⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 1 localhost > nul & del /f /q "C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"
2⤵
PID:2240

C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3756

C:\Windows\SysWOW64\PING.EXE
ping -n 1 localhost
1⤵
- Runs ping.exe
PID:4880

C:\Windows\SysWOW64\whoami.exe
whoami /all
1⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c whoami /all
1⤵
PID:3560

C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
"C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Roaming\yk7E131Y1C.tmp"
1⤵
PID:3576

C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
2⤵
PID:1368

C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
/scomma C:\Users\Admin\AppData\Roaming\~mED216D4A93FF.tmp
2⤵
PID:4884

C:\Users\Admin\AppData\Roaming\yk7E131Y1C.exe
/scomma C:\Users\Admin\AppData\Roaming\~pED216D4A93FF.tmp
2⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c whoami /all
2⤵
PID:4132

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
1⤵
PID:2696

C:\Windows\SysWOW64\whoami.exe
whoami /all
1⤵
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-17-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-178-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-14-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-13-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-15-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-16-0x00007FF4E1ED0000-0x00007FF4E1EE0000-memory.dmp

Filesize
64KB

Download
memory/2696-11-0x00007FF817E40000-0x00007FF818901000-memory.dmp

Filesize
10.8MB

Download
memory/2696-175-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-165-0x00007FF817E40000-0x00007FF818901000-memory.dmp

Filesize
10.8MB

Download
memory/2696-179-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-18-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-176-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-12-0x000000001CC20000-0x000000001CC30000-memory.dmp

Filesize
64KB

Download
memory/2696-177-0x00007FF4E1ED0000-0x00007FF4E1EE0000-memory.dmp

Filesize
64KB

Download
memory/3576-36-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/4344-166-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4344-162-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4344-173-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4344-159-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4344-155-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4884-164-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-163-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-171-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-167-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4884-158-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download