dc89cf1adcce520c8c6042b1f5e5cb7abb9d90f9787a45f6cad25dbd2de153df

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d947a4ead01dd39341d5a02581589be.exe
Size

1.1MB
MD5

3d947a4ead01dd39341d5a02581589be
SHA1

8bbf76723e2ff9e488ec1ca69b42c0896ffceb4d
SHA256

dc89cf1adcce520c8c6042b1f5e5cb7abb9d90f9787a45f6cad25dbd2de153df
SHA512

1a4ac9a24d5944b9c5cbd417bbab15f27e547d18566c5aa0bb7d085905ac78cc4280225c7fb7f8f61ccd03f610eca7cc253cd45fb48bd9cfe66b10058c6583a9
SSDEEP

24576:+hr8CTOnUwGQqlEkWUGun4RGvyzh0MkicYgK2jwKvvOIleAGTdswzC:+hr8COnd9Ap+svYlsvxe0wzC

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	3d947a4ead01dd39341d5a02581589be.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	3d947a4ead01dd39341d5a02581589be.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	3d947a4ead01dd39341d5a02581589be.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe
2008	3d947a4ead01dd39341d5a02581589be.exe

C:\Users\Admin\AppData\Local\Temp\3d947a4ead01dd39341d5a02581589be.exe
"C:\Users\Admin\AppData\Local\Temp\3d947a4ead01dd39341d5a02581589be.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\FMsoft\HtmlView.fne

Filesize
37KB

MD5
a940339893859b9e2125ba2abd945b21

SHA1
a07e30c01c25e832e0a7d36a4c53ca91876c8793

SHA256
b9d1d02787bc0626616aa6c1a3bf6d6c5ea2563ac1c5cd90a3b81f2d54c044af

SHA512
27d4e6c7f58181e6982c2e85733e91ee5957cc6ecddf4dc20c96022554672793cfb2e18608fcce36b6d3692966a1f7f65978f8a160775bb915cff319b7bee52f

Download Submit
\Users\Admin\AppData\Local\Temp\FMsoft\iext2.fne

Filesize
460KB

MD5
6eb20bb6cafd6d31e871ed3abd65a59c

SHA1
ae6495ea4241bcde20e415f2940313785a4a10d2

SHA256
2b3fe250f07229eaa58d1bc0c4ac103ba69ad622c27410151ce1d6d46a174bae

SHA512
562edc1f058bc280333a6659fceb5a51b3a40bea7aca87db09b0cc1ca1966f26f2a7e4760b944e2502e20257544f85cf9c32f583f1dec06271a35dcfb8fa90f4

Download Submit
\Users\Admin\AppData\Local\Temp\FMsoft\krnln.fnr

Filesize
1.1MB

MD5
638e737b2293cf7b1f14c0b4fb1f3289

SHA1
f8e2223348433b992a8c42c4a7a9fb4b5c1158bc

SHA256
baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b

SHA512
4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12

Download Submit
\Users\Admin\AppData\Local\Temp\FMsoft\xplib.fne

Filesize
48KB

MD5
37a58e1c5ce48e401ee8dd1d1da54814

SHA1
a87d00d78838c2d968b72330ee6f21f69b2caae5

SHA256
1c426928fb90bedb31fcffa0f3fbe7bdbca4259f93f5abdefed6a9a089f2982c

SHA512
e85052fc305040bdcaf47262e0ce6eef0848b319baac72a076dc94e7d20ea7ad8fbdd7d5381606a3154ab84fe81429bb339123ac1cd94551b1dc9cecfb7a08bf

Download Submit
memory/2008-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-10-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2008-14-0x0000000004140000-0x00000000041C3000-memory.dmp

Filesize
524KB

Download
memory/2008-18-0x0000000002280000-0x000000000228D000-memory.dmp

Filesize
52KB

Download
memory/2008-49-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download