Analysis
-
max time kernel
165s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
04/01/2024, 12:40
Static task
static1
Behavioral task
behavioral1
Sample
40e2fe16444b41a74b756c9ddf46bd53.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
40e2fe16444b41a74b756c9ddf46bd53.exe
Resource
win10v2004-20231215-en
General
-
Target
40e2fe16444b41a74b756c9ddf46bd53.exe
-
Size
663KB
-
MD5
40e2fe16444b41a74b756c9ddf46bd53
-
SHA1
77e04dfc73b53d25b769d64b5f040e5e561ce3d3
-
SHA256
0b155a50377bd5144b342230c6984d9752b7be5378fe14ad797aa48e9d4fc94c
-
SHA512
225af8219ca3a06bbdb22a99093f55d5f1e2edee9fd3c396f088fd32464e2205c345c8eb996425616d0b8497379b7403a35fc6f358664493383f813a9e33c9fb
-
SSDEEP
12288:mJe0oVDdvW4dIy5Uzhqzzq+42QkutA3TgWRGo74X8wvbPAsxxM0k1/tkBOAojc/B:qRo84dIAUzhqzzqF2duC3TgloMX5vxxB
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4520 attrib.exe -
Executes dropped EXE 3 IoCs
pid Process 3120 rar.exe 548 rar.exe 2308 lsess.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\windows\Entry1 = "c:\\windows\\web\\printers\\123.bat" regedit.exe -
Drops file in Windows directory 47 IoCs
description ioc Process File created \??\c:\windows\web\printers\125.bat 40e2fe16444b41a74b756c9ddf46bd53.exe File created \??\c:\windows\web\printers\1.reg rar.exe File opened for modification \??\c:\windows\web\printers\1.reg rar.exe File opened for modification \??\c:\windows\web\printers\124.bat rar.exe File created \??\c:\windows\web\printers\jin.vbs rar.exe File created \??\c:\windows\web\printers\k.bat rar.exe File created \??\c:\windows\dell\lsess.txt rar.exe File created \??\c:\windows\web\printers\5.reg rar.exe File created \??\c:\windows\web\printers\4.reg rar.exe File opened for modification \??\c:\windows\web\printers\123.bat rar.exe File opened for modification \??\c:\windows\web\printers\360s.txt rar.exe File opened for modification \??\c:\windows\web\printers\abc.vbs rar.exe File opened for modification \??\c:\windows\web\printers\bb.vbs rar.exe File opened for modification \??\c:\windows\web\printers\gl.txt rar.exe File opened for modification \??\c:\windows\web\printers\QQlog.exe rar.exe File opened for modification \??\c:\windows\intell\1.txt 40e2fe16444b41a74b756c9ddf46bd53.exe File created \??\c:\windows\web\printers\3.reg rar.exe File created \??\c:\windows\web\printers\123.bat rar.exe File opened for modification \??\c:\windows\web\printers\jin.vbs rar.exe File opened for modification \??\c:\windows\web\printers\SVCH0ST.EXE rar.exe File created \??\c:\windows\web\printers\SVCH0ST.ini rar.exe File created \??\c:\windows\web\printers\md5.txt cmd.exe File opened for modification \??\c:\windows\ztop\svchost.exe cmd.exe File created \??\c:\windows\dell\lsess.exe cmd.exe File opened for modification \??\c:\windows\web\printers\4.reg rar.exe File opened for modification \??\c:\windows\web\printers\jinshan.vbs rar.exe File created \??\c:\windows\web\printers\QQlog.exe rar.exe File opened for modification \??\c:\windows\dell\lsess.txt rar.exe File opened for modification \??\c:\windows\web\printers\usbhard.rar 40e2fe16444b41a74b756c9ddf46bd53.exe File opened for modification \??\c:\windows\web\printers\rar.exe 40e2fe16444b41a74b756c9ddf46bd53.exe File opened for modification \??\c:\windows\web\printers\5.reg rar.exe File created \??\c:\windows\web\printers\124.bat rar.exe File created \??\c:\windows\web\printers\360s.txt rar.exe File created \??\c:\windows\web\printers\bb.vbs rar.exe File created \??\c:\windows\web\printers\jinshan.vbs rar.exe File opened for modification \??\c:\windows\web\printers\SVCH0ST.ini rar.exe File created \??\c:\windows\web\printers\abc.vbs rar.exe File created \??\c:\windows\web\printers\gl.txt rar.exe File created \??\c:\windows\web\printers\svc.bat rar.exe File created \??\c:\windows\web\printers\SVCH0ST.EXE rar.exe File opened for modification C:\windows\web\printers attrib.exe File opened for modification \??\c:\windows\web\printers\k.bat rar.exe File opened for modification \??\c:\windows\web\printers\svc.bat rar.exe File created \??\c:\windows\ztop\svchost.exe cmd.exe File opened for modification \??\c:\windows\web\printers\zzz.rar 40e2fe16444b41a74b756c9ddf46bd53.exe File opened for modification \??\c:\windows\web\printers\3.reg rar.exe File opened for modification \??\c:\windows\dell\lsess.exe cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3660 2308 WerFault.exe 109 -
Runs .reg file with regedit 3 IoCs
pid Process 3720 regedit.exe 5100 regedit.exe 5104 regedit.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4480 PING.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2544 40e2fe16444b41a74b756c9ddf46bd53.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 2544 wrote to memory of 2640 2544 40e2fe16444b41a74b756c9ddf46bd53.exe 96 PID 2544 wrote to memory of 2640 2544 40e2fe16444b41a74b756c9ddf46bd53.exe 96 PID 2544 wrote to memory of 2640 2544 40e2fe16444b41a74b756c9ddf46bd53.exe 96 PID 2640 wrote to memory of 3120 2640 cmd.exe 98 PID 2640 wrote to memory of 3120 2640 cmd.exe 98 PID 2640 wrote to memory of 3120 2640 cmd.exe 98 PID 2544 wrote to memory of 1832 2544 40e2fe16444b41a74b756c9ddf46bd53.exe 99 PID 2544 wrote to memory of 1832 2544 40e2fe16444b41a74b756c9ddf46bd53.exe 99 PID 2544 wrote to memory of 1832 2544 40e2fe16444b41a74b756c9ddf46bd53.exe 99 PID 1832 wrote to memory of 4480 1832 cmd.exe 101 PID 1832 wrote to memory of 4480 1832 cmd.exe 101 PID 1832 wrote to memory of 4480 1832 cmd.exe 101 PID 1832 wrote to memory of 220 1832 cmd.exe 102 PID 1832 wrote to memory of 220 1832 cmd.exe 102 PID 1832 wrote to memory of 220 1832 cmd.exe 102 PID 2640 wrote to memory of 4520 2640 cmd.exe 103 PID 2640 wrote to memory of 4520 2640 cmd.exe 103 PID 2640 wrote to memory of 4520 2640 cmd.exe 103 PID 2640 wrote to memory of 3720 2640 cmd.exe 104 PID 2640 wrote to memory of 3720 2640 cmd.exe 104 PID 2640 wrote to memory of 3720 2640 cmd.exe 104 PID 2640 wrote to memory of 548 2640 cmd.exe 105 PID 2640 wrote to memory of 548 2640 cmd.exe 105 PID 2640 wrote to memory of 548 2640 cmd.exe 105 PID 2640 wrote to memory of 2308 2640 cmd.exe 109 PID 2640 wrote to memory of 2308 2640 cmd.exe 109 PID 2640 wrote to memory of 2308 2640 cmd.exe 109 PID 2640 wrote to memory of 5100 2640 cmd.exe 110 PID 2640 wrote to memory of 5100 2640 cmd.exe 110 PID 2640 wrote to memory of 5100 2640 cmd.exe 110 PID 2640 wrote to memory of 5104 2640 cmd.exe 111 PID 2640 wrote to memory of 5104 2640 cmd.exe 111 PID 2640 wrote to memory of 5104 2640 cmd.exe 111 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4520 attrib.exe 220 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\40e2fe16444b41a74b756c9ddf46bd53.exe"C:\Users\Admin\AppData\Local\Temp\40e2fe16444b41a74b756c9ddf46bd53.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\web\printers\125.bat2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\windows\web\printers\rar.exe"c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\usbhard.rar c:\windows\web\printers\3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3120
-
-
C:\Windows\SysWOW64\attrib.exeattrib +R +A +S +H c:\windows\web\printers3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4520
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s c:\windows\web\printers\1.reg3⤵
- Adds Run key to start application
- Runs .reg file with regedit
PID:3720
-
-
\??\c:\windows\web\printers\rar.exe"c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\zzz.rar c:\windows\dell\3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:548
-
-
\??\c:\windows\dell\lsess.exec:\windows\dell\lsess.exe3⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 5284⤵
- Program crash
PID:3660
-
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s c:\windows\web\printers\5.reg3⤵
- Runs .reg file with regedit
PID:5100
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s c:\windows\web\printers\2.reg3⤵
- Runs .reg file with regedit
PID:5104
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\11a.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
PID:4480
-
-
C:\Windows\SysWOW64\attrib.exeattrib -S -H c:\ma.exe3⤵
- Views/modifies file attributes
PID:220
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2308 -ip 23081⤵PID:4972
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD58121a35368da9b891169e23988b9a3ee
SHA132063ea16a5fd5b63222f037ef9e0a6cc68909c7
SHA256a6305f3147c5fe79ee134bae2745bf3c77103e613bfdafec7f324725e335f458
SHA512dee6eb95b395d51f3bdb21c7a4813ea6ffaed27e1caa1447d15f37929aae6600653e6ecb32a1cd4be64d760b46f7e799d9d615c4e3b458f94d5e032b8f5d64fe
-
Filesize
310KB
MD50a5680183c0089a64621e211917664d8
SHA18525d73c99e28413e97a094c99950e1806786246
SHA256c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814
SHA512b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051
-
Filesize
55.6MB
MD5af7fae405edb801555d1d738ec724b02
SHA1d0acc6b96293eee5809cd6fc1e0211a252b69cb2
SHA256a77bd85ba81022d39276e5fa6eedacc4b49c93990f711c6852a138782dcb2494
SHA512395eed7eaa0b93e566a1e0ebb48f8c01994b56e6a0b6200006bb215148edc6a9b91a1e2006b65c9c393cff252f7789163a976ca5886572817c9ee86c0848d91f
-
Filesize
45KB
MD54ad724ba8346d8556e6e884727c0523e
SHA1b53e2ec83b5b8441667b980fe6a53d69987fca89
SHA25648c52c0934097cdd0aea155be18a2006f2dd6884d623a51b00baf3e5de3e1412
SHA512fde2fb90a19fa00d040ade516fef8ca5f4463aee1a8af2fc85f41c3e818365086ff12491c330c8598bf071270bdbd863bbcdb5a5dde3d2523fbd1f6182eb33f3
-
Filesize
22KB
MD53619b2192d1e0d4907f7d4702b4aa9e1
SHA11bb317bea13bb457d9ec71294e5c07c93cc9b8e6
SHA2567da095327a1e11369d67d4f15d7c2e84cce9fb5d4cbac42d9b70bf0976300893
SHA5128f2d8420dc2e92a4df42eab89bb612b2562ff6d152c4a6f651c64371089506673bf9f02a37ff1c3ad53a9ae0fe51aa9c47dcdb7e01a319df51306d58a601b7ff
-
Filesize
55.6MB
MD5599c1057c0fee88667f749595acf5080
SHA112fd684230b6340e84eb00ab8f48b9f9f7391800
SHA256712c92535f1df580bb4d26c59da2564ff24849250be714d51551db03a731ac2c
SHA5124de26509aaa0eca3efcb18e3238e4bbf9dd4181ad1e851ea4c4662a37c9362ca4c0c5b0d75994a1e8931385df8c3f20a6f78a66709315f74612670ebaf15f4eb
-
Filesize
1KB
MD51af018ff177dfbae562ac429cff786cb
SHA181f09865306d8c91d59bbec8a11ac874816f102c
SHA256dda4aa27c7fd4b793bcadbd94c47dc997d66e293f910af3826de893b0381914a
SHA512a76fba548576d2c99dac7e040bb140e29a68f55ee024174018345c4236e2a7ebda96d5ed1b66da85ae60d20485847e3cd38d34262be6c45475938f8d2182ab22
-
Filesize
33.7MB
MD5d3c91ba79104275b8fc182c6e32a7cff
SHA1094069eacd5d0fb117a40e310beb2b4aa4590420
SHA256ceae80f544d3ec3ab1211773c601f1ca6eb8319a9e62960bb1fe98ddfbfe0553
SHA51299cc0918b6029b35dd3a7fbcf8dd50b34c05364e7c4045c5dab7b206f510a95ac428a2fd59137ae1b0279d016f6d6bf0440ae8e5a063b1c32594c070b91a1241
-
Filesize
236KB
MD5a0f784ad499c07a7b7c3a48fab5afd0b
SHA18194f876410f89d3e4cc9ad1f86c89d1138b0d6c
SHA25689c23b96ac3837d3ee68ff0684f57e14cee8fc3ac3171d65c173ba6417411335
SHA512a13b015ec263073ddd2aa5ad116f65f7ae38dc592d6fba9ab2fc3dc034c483d53077c83005b9214cecbf8201a5cd50baea33824136903c0604c5cf6ade2f39de
-
Filesize
265KB
MD5b6e7488813588c9f2d86d3f0f956fd42
SHA1a61ba89c5b6a5962611680199667bb682a761074
SHA2561e5e17c81e354de2172d1ab9b62a356b82037e3d64efda7b968ed07bbafc9742
SHA512d33ebe2070d979a73cdf54e60bb6fe06bbfa25e906ddfbacac827378131922f53873bbb10856293f327e878364b16aea5097c49a03d86d3511351aaa79121b69