Analysis
-
max time kernel
7s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
04/01/2024, 12:40
Static task
static1
Behavioral task
behavioral1
Sample
40e2fe16444b41a74b756c9ddf46bd53.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
40e2fe16444b41a74b756c9ddf46bd53.exe
Resource
win10v2004-20231215-en
General
-
Target
40e2fe16444b41a74b756c9ddf46bd53.exe
-
Size
663KB
-
MD5
40e2fe16444b41a74b756c9ddf46bd53
-
SHA1
77e04dfc73b53d25b769d64b5f040e5e561ce3d3
-
SHA256
0b155a50377bd5144b342230c6984d9752b7be5378fe14ad797aa48e9d4fc94c
-
SHA512
225af8219ca3a06bbdb22a99093f55d5f1e2edee9fd3c396f088fd32464e2205c345c8eb996425616d0b8497379b7403a35fc6f358664493383f813a9e33c9fb
-
SSDEEP
12288:mJe0oVDdvW4dIy5Uzhqzzq+42QkutA3TgWRGo74X8wvbPAsxxM0k1/tkBOAojc/B:qRo84dIAUzhqzzqF2duC3TgloMX5vxxB
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2496 attrib.exe -
Executes dropped EXE 3 IoCs
pid Process 2584 rar.exe 2504 rar.exe 2124 lsess.exe -
Loads dropped DLL 5 IoCs
pid Process 2292 cmd.exe 2292 cmd.exe 2292 cmd.exe 2292 cmd.exe 2292 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\windows\Entry1 = "c:\\windows\\web\\printers\\123.bat" regedit.exe -
Drops file in Windows directory 47 IoCs
description ioc Process
File opened for modification \??\c:\windows\web\printers\usbhard.rar 40e2fe16444b41a74b756c9ddf46bd53.exe
File created \??\c:\windows\web\printers\123.bat rar.exe
File opened for modification \??\c:\windows\web\printers\123.bat rar.exe
File created \??\c:\windows\web\printers\gl.txt rar.exe
File opened for modification \??\c:\windows\web\printers\gl.txt rar.exe
File created \??\c:\windows\web\printers\k.bat rar.exe
File created \??\c:\windows\web\printers\1.reg rar.exe
File opened for modification \??\c:\windows\web\printers\jin.vbs rar.exe
File created \??\c:\windows\web\printers\QQlog.exe rar.exe
File opened for modification \??\c:\windows\web\printers\SVCH0ST.ini rar.exe
File created \??\c:\windows\web\printers\md5.txt cmd.exe
File opened for modification \??\c:\windows\ztop\svchost.exe cmd.exe
File opened for modification \??\c:\windows\web\printers\rar.exe 40e2fe16444b41a74b756c9ddf46bd53.exe
File opened for modification \??\c:\windows\web\printers\3.reg rar.exe
File opened for modification \??\c:\windows\web\printers\bb.vbs rar.exe
File created \??\c:\windows\web\printers\125.bat 40e2fe16444b41a74b756c9ddf46bd53.exe
File created \??\c:\windows\web\printers\5.reg rar.exe
File created \??\c:\windows\web\printers\4.reg rar.exe
File created \??\c:\windows\web\printers\jin.vbs rar.exe
File opened for modification \??\c:\windows\web\printers\svc.bat rar.exe
File opened for modification \??\c:\windows\web\printers\1.reg rar.exe
File created \??\c:\windows\web\printers\124.bat rar.exe
File opened for modification \??\c:\windows\web\printers\k.bat rar.exe
File opened for modification \??\c:\windows\web\printers\QQlog.exe rar.exe
File created \??\c:\windows\web\printers\svc.bat rar.exe
File created \??\c:\windows\web\printers\SVCH0ST.EXE rar.exe
File created \??\c:\windows\web\printers\SVCH0ST.ini rar.exe
File opened for modification C:\windows\web\printers attrib.exe
File opened for modification \??\c:\windows\web\printers\zzz.rar 40e2fe16444b41a74b756c9ddf46bd53.exe
File opened for modification \??\c:\windows\intell\1.txt 40e2fe16444b41a74b756c9ddf46bd53.exe
File created \??\c:\windows\web\printers\abc.vbs rar.exe
File created \??\c:\windows\web\printers\bb.vbs rar.exe
File created \??\c:\windows\ztop\svchost.exe cmd.exe
File created \??\c:\windows\dell\lsess.txt rar.exe
File created \??\c:\windows\dell\lsess.exe cmd.exe
File created \??\c:\windows\web\printers\360s.txt rar.exe
File opened for modification \??\c:\windows\web\printers\360s.txt rar.exe
File opened for modification \??\c:\windows\web\printers\SVCH0ST.EXE rar.exe
File created \??\c:\windows\web\printers\3.reg rar.exe
File opened for modification \??\c:\windows\web\printers\5.reg rar.exe
File opened for modification \??\c:\windows\web\printers\4.reg rar.exe
File opened for modification \??\c:\windows\web\printers\124.bat rar.exe
File opened for modification \??\c:\windows\web\printers\abc.vbs rar.exe
File created \??\c:\windows\web\printers\jinshan.vbs rar.exe
File opened for modification \??\c:\windows\web\printers\jinshan.vbs rar.exe
File opened for modification \??\c:\windows\dell\lsess.txt rar.exe
File opened for modification \??\c:\windows\dell\lsess.exe cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs .reg file with regedit 3 IoCs
pid Process 2440 regedit.exe 2996 regedit.exe 1440 regedit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2336 PING.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2940 40e2fe16444b41a74b756c9ddf46bd53.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target
PID 2940 wrote to memory of 2292 2940 40e2fe16444b41a74b756c9ddf46bd53.exe 29
PID 2940 wrote to memory of 2292 2940 40e2fe16444b41a74b756c9ddf46bd53.exe 29
PID 2940 wrote to memory of 2292 2940 40e2fe16444b41a74b756c9ddf46bd53.exe 29
PID 2940 wrote to memory of 2292 2940 40e2fe16444b41a74b756c9ddf46bd53.exe 29
PID 2292 wrote to memory of 2584 2292 cmd.exe 31
PID 2292 wrote to memory of 2584 2292 cmd.exe 31
PID 2292 wrote to memory of 2584 2292 cmd.exe 31
PID 2292 wrote to memory of 2584 2292 cmd.exe 31
PID 2292 wrote to memory of 2496 2292 cmd.exe 32
PID 2292 wrote to memory of 2496 2292 cmd.exe 32
PID 2292 wrote to memory of 2496 2292 cmd.exe 32
PID 2292 wrote to memory of 2496 2292 cmd.exe 32
PID 2292 wrote to memory of 2440 2292 cmd.exe 33
PID 2292 wrote to memory of 2440 2292 cmd.exe 33
PID 2292 wrote to memory of 2440 2292 cmd.exe 33
PID 2292 wrote to memory of 2440 2292 cmd.exe 33
PID 2292 wrote to memory of 2504 2292 cmd.exe 34
PID 2292 wrote to memory of 2504 2292 cmd.exe 34
PID 2292 wrote to memory of 2504 2292 cmd.exe 34
PID 2292 wrote to memory of 2504 2292 cmd.exe 34
PID 2292 wrote to memory of 2124 2292 cmd.exe 40
PID 2292 wrote to memory of 2124 2292 cmd.exe 40
PID 2292 wrote to memory of 2124 2292 cmd.exe 40
PID 2292 wrote to memory of 2124 2292 cmd.exe 40
PID 2292 wrote to memory of 1440 2292 cmd.exe 39
PID 2292 wrote to memory of 1440 2292 cmd.exe 39
PID 2292 wrote to memory of 1440 2292 cmd.exe 39
PID 2292 wrote to memory of 1440 2292 cmd.exe 39
PID 2940 wrote to memory of 2616 2940 40e2fe16444b41a74b756c9ddf46bd53.exe 38
PID 2940 wrote to memory of 2616 2940 40e2fe16444b41a74b756c9ddf46bd53.exe 38
PID 2940 wrote to memory of 2616 2940 40e2fe16444b41a74b756c9ddf46bd53.exe 38
PID 2940 wrote to memory of 2616 2940 40e2fe16444b41a74b756c9ddf46bd53.exe 38
PID 2292 wrote to memory of 2996 2292 cmd.exe 37
PID 2292 wrote to memory of 2996 2292 cmd.exe 37
PID 2292 wrote to memory of 2996 2292 cmd.exe 37
PID 2292 wrote to memory of 2996 2292 cmd.exe 37
PID 2616 wrote to memory of 2336 2616 cmd.exe 35
PID 2616 wrote to memory of 2336 2616 cmd.exe 35
PID 2616 wrote to memory of 2336 2616 cmd.exe 35
PID 2616 wrote to memory of 2336 2616 cmd.exe 35
-
Views/modifies file attributes 1 TTPs 12 IoCs
pid Process 2496 attrib.exe 2776 attrib.exe 3016 attrib.exe 2964 attrib.exe 3000 attrib.exe 2816 attrib.exe 2696 attrib.exe 2936 attrib.exe 3008 attrib.exe 2836 attrib.exe 2820 attrib.exe 2852 attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\40e2fe16444b41a74b756c9ddf46bd53.exe
  "C:\Users\Admin\AppData\Local\Temp\40e2fe16444b41a74b756c9ddf46bd53.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2940

  C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\web\printers\125.bat
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2292

    \??\c:\windows\web\printers\rar.exe
      "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\usbhard.rar c:\windows\web\printers\
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2584

    C:\Windows\SysWOW64\attrib.exe
      attrib +R +A +S +H c:\windows\web\printers
      - Sets file to hidden
      - Drops file in Windows directory
      - Views/modifies file attributes
      PID: 2496

    C:\Windows\SysWOW64\regedit.exe
      regedit /s c:\windows\web\printers\1.reg
      - Adds Run key to start application
      - Runs .reg file with regedit
      PID: 2440

    \??\c:\windows\web\printers\rar.exe
      "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\zzz.rar c:\windows\dell\
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2504

    C:\Windows\SysWOW64\regedit.exe
      regedit /s c:\windows\web\printers\2.reg
      - Runs .reg file with regedit
      PID: 2996

    C:\Windows\SysWOW64\regedit.exe
      regedit /s c:\windows\web\printers\5.reg
      - Runs .reg file with regedit
      PID: 1440

    \??\c:\windows\dell\lsess.exe
      c:\windows\dell\lsess.exe
      - Executes dropped EXE
      PID: 2124

    C:\Windows\SysWOW64\attrib.exe
      attrib +H +R d:\setprter
      - Views/modifies file attributes
      PID: 2696

    C:\Windows\SysWOW64\attrib.exe
      attrib +H +R f:\setprter
      - Views/modifies file attributes
      PID: 3016

    C:\Windows\SysWOW64\attrib.exe
      attrib +H +R h:\setprter
      - Views/modifies file attributes
      PID: 2964

    C:\Windows\SysWOW64\attrib.exe
      attrib -H -R h:\~1
      - Views/modifies file attributes
      PID: 3000

    C:\Windows\SysWOW64\attrib.exe
      attrib +H +R g:\setprter
      - Views/modifies file attributes
      PID: 2936

    C:\Windows\SysWOW64\attrib.exe
      attrib -H -R g:\~1
      - Views/modifies file attributes
      PID: 3008

    C:\Windows\SysWOW64\attrib.exe
      attrib -H -R f:\~1
      - Views/modifies file attributes
      PID: 2836

    C:\Windows\SysWOW64\attrib.exe
      attrib +H +R e:\setprter
      - Views/modifies file attributes
      PID: 2820

    C:\Windows\SysWOW64\attrib.exe
      attrib -H -R e:\~1
      - Views/modifies file attributes
      PID: 2816

    C:\Windows\SysWOW64\attrib.exe
      attrib -H -R d:\~1
      - Views/modifies file attributes
      PID: 2852

  C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\11a.bat
    - Suspicious use of WriteProcessMemory
    PID: 2616

    C:\Windows\SysWOW64\attrib.exe
      attrib -S -H c:\ma.exe
      - Views/modifies file attributes
      PID: 2776

C:\Windows\SysWOW64\PING.EXE
  ping 127.0.0.1 -n 3
  - Runs ping.exe
  PID: 2336
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 1KB
MD5 1af018ff177dfbae562ac429cff786cb
SHA1 81f09865306d8c91d59bbec8a11ac874816f102c
SHA256 dda4aa27c7fd4b793bcadbd94c47dc997d66e293f910af3826de893b0381914a
SHA512 a76fba548576d2c99dac7e040bb140e29a68f55ee024174018345c4236e2a7ebda96d5ed1b66da85ae60d20485847e3cd38d34262be6c45475938f8d2182ab22

Filesize 92KB
MD5 d29c72915dd318b24909b5d56b78f98c
SHA1 494b91c4650758aec1992fc941d0bf864e0f3e9c
SHA256 308fd963f233af18d52860366cd5eba1083c737792ac0ff3122fe88168385cff
SHA512 c680fed9fb3e6a1118cbdb52c9c7384322cb9e5c5b525ebc51773ce13b3df97151d505a9f897bae420a0514101e28796c119970fe77e027403611a5f0fe2f466

Filesize 381KB
MD5 ed59cd47ca16a8345bba9be3959e0de5
SHA1 47e9a173858d3773a68ad759de30ca0098fbc9ff
SHA256 c18e8d3ffcd56dcdb09f33fc820008794f3570afb74e76a3100f6a3c456a28bf
SHA512 fa6486b0e7e93d821d2feaf4a7f492d6d044d00e36bf05e1bc25db49df7526a76e20e4a2ce9b947d5ebbeb78ec62b9ae39ce50af4cf30544eac2e05993ea395d

Filesize 45KB
MD5 4ad724ba8346d8556e6e884727c0523e
SHA1 b53e2ec83b5b8441667b980fe6a53d69987fca89
SHA256 48c52c0934097cdd0aea155be18a2006f2dd6884d623a51b00baf3e5de3e1412
SHA512 fde2fb90a19fa00d040ade516fef8ca5f4463aee1a8af2fc85f41c3e818365086ff12491c330c8598bf071270bdbd863bbcdb5a5dde3d2523fbd1f6182eb33f3

Filesize 99KB
MD5 2252b17e6ef56c39bfa75f97e3471570
SHA1 0d1516cb82c9adc9bb570000be12b849c7bdcf55
SHA256 9fd2ca5aadd16fecaebb4929d8cda96652147c36316a39ddcce0e92bd5eb4ebc
SHA512 6ac58688c8169ddba89458c0f3de1ba2e3727809beacb1e0a094db4985b1e21484ad23324085d19f2a107dbac3ef5f8fc6dd2c4f5c7202fd1be170060434927f

Filesize 2.2MB
MD5 0e7f4b97ddb5a938d6c18df6a656de21
SHA1 429f12411299723a52a7e912fd834b77830d7b86
SHA256 c378f6033bcd4cc5b8c73be2601b776706297b844110864dfd45269161e628c1
SHA512 008cb5d35f8476084b29b6f03d329c3ca1002a7b5fc82f6cc29ef29b86311833d2372aa8cc27835804b0248b9d3de37f61c9f24a37ff2d6a42eb3fb386a94633

Filesize 236KB
MD5 a0f784ad499c07a7b7c3a48fab5afd0b
SHA1 8194f876410f89d3e4cc9ad1f86c89d1138b0d6c
SHA256 89c23b96ac3837d3ee68ff0684f57e14cee8fc3ac3171d65c173ba6417411335
SHA512 a13b015ec263073ddd2aa5ad116f65f7ae38dc592d6fba9ab2fc3dc034c483d53077c83005b9214cecbf8201a5cd50baea33824136903c0604c5cf6ade2f39de

Filesize 265KB
MD5 b6e7488813588c9f2d86d3f0f956fd42
SHA1 a61ba89c5b6a5962611680199667bb682a761074
SHA256 1e5e17c81e354de2172d1ab9b62a356b82037e3d64efda7b968ed07bbafc9742
SHA512 d33ebe2070d979a73cdf54e60bb6fe06bbfa25e906ddfbacac827378131922f53873bbb10856293f327e878364b16aea5097c49a03d86d3511351aaa79121b69

Filesize 310KB
MD5 0a5680183c0089a64621e211917664d8
SHA1 8525d73c99e28413e97a094c99950e1806786246
SHA256 c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814
SHA512 b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051

Filesize 382KB
MD5 1ee80266391ae68e21d33150a7f51f2f
SHA1 b01acf8c941921c39d17862f00acf1144e717124
SHA256 9304b5c55d8fe9cfa3d14480e36b88aa1e626f48117bf614954a2a75dbb728ab
SHA512 5b2f56ed5ea4308919664b71c5a4343751f7395a1f769be8a4245af03894544b8c0b86b2836d2b0306898b652e3356e42b14d8b92f148f38cfb5e268efccde08