Overview

overview

8

Static

static

3

40e2fe1644...53.exe

windows7-x64

8

40e2fe1644...53.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    165s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/01/2024, 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40e2fe16444b41a74b756c9ddf46bd53.exe

  • Size

    663KB

  • MD5

    40e2fe16444b41a74b756c9ddf46bd53

  • SHA1

    77e04dfc73b53d25b769d64b5f040e5e561ce3d3

  • SHA256

    0b155a50377bd5144b342230c6984d9752b7be5378fe14ad797aa48e9d4fc94c

  • SHA512

    225af8219ca3a06bbdb22a99093f55d5f1e2edee9fd3c396f088fd32464e2205c345c8eb996425616d0b8497379b7403a35fc6f358664493383f813a9e33c9fb

  • SSDEEP

    12288:mJe0oVDdvW4dIy5Uzhqzzq+42QkutA3TgWRGo74X8wvbPAsxxM0k1/tkBOAojc/B:qRo84dIAUzhqzzqF2duC3TgloMX5vxxB

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 47 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs .reg file with regedit 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\40e2fe16444b41a74b756c9ddf46bd53.exe
    "C:\Users\Admin\AppData\Local\Temp\40e2fe16444b41a74b756c9ddf46bd53.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\web\printers\125.bat
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2640
      • \??\c:\windows\web\printers\rar.exe
        "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\usbhard.rar c:\windows\web\printers\
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3120
      • C:\Windows\SysWOW64\attrib.exe
        attrib +R +A +S +H c:\windows\web\printers
        3⤵
        • Sets file to hidden
        • Drops file in Windows directory
        • Views/modifies file attributes
        PID:4520
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\windows\web\printers\1.reg
        3⤵
        • Adds Run key to start application
        • Runs .reg file with regedit
        PID:3720
      • \??\c:\windows\web\printers\rar.exe
        "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\zzz.rar c:\windows\dell\
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:548
      • \??\c:\windows\dell\lsess.exe
        c:\windows\dell\lsess.exe
        3⤵
        • Executes dropped EXE
        PID:2308
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 528
          4⤵
          • Program crash
          PID:3660
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\windows\web\printers\5.reg
        3⤵
        • Runs .reg file with regedit
        PID:5100
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s c:\windows\web\printers\2.reg
        3⤵
        • Runs .reg file with regedit
        PID:5104
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\11a.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:4480
      • C:\Windows\SysWOW64\attrib.exe
        attrib -S -H c:\ma.exe
        3⤵
        • Views/modifies file attributes
        PID:220
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2308 -ip 2308
    1⤵
      PID:4972

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\11a.bat
      Filesize

      226B

      MD5

      8121a35368da9b891169e23988b9a3ee

      SHA1

      32063ea16a5fd5b63222f037ef9e0a6cc68909c7

      SHA256

      a6305f3147c5fe79ee134bae2745bf3c77103e613bfdafec7f324725e335f458

      SHA512

      dee6eb95b395d51f3bdb21c7a4813ea6ffaed27e1caa1447d15f37929aae6600653e6ecb32a1cd4be64d760b46f7e799d9d615c4e3b458f94d5e032b8f5d64fe

      Download Submit

    • C:\Windows\Web\printers\rar.exe
      Filesize

      310KB

      MD5

      0a5680183c0089a64621e211917664d8

      SHA1

      8525d73c99e28413e97a094c99950e1806786246

      SHA256

      c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814

      SHA512

      b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051

      Download Submit

    • C:\Windows\dell\lsess.exe
      Filesize

      55.6MB

      MD5

      af7fae405edb801555d1d738ec724b02

      SHA1

      d0acc6b96293eee5809cd6fc1e0211a252b69cb2

      SHA256

      a77bd85ba81022d39276e5fa6eedacc4b49c93990f711c6852a138782dcb2494

      SHA512

      395eed7eaa0b93e566a1e0ebb48f8c01994b56e6a0b6200006bb215148edc6a9b91a1e2006b65c9c393cff252f7789163a976ca5886572817c9ee86c0848d91f

      Download Submit

    • \??\c:\Windows\Web\printers\1.reg
      Filesize

      45KB

      MD5

      4ad724ba8346d8556e6e884727c0523e

      SHA1

      b53e2ec83b5b8441667b980fe6a53d69987fca89

      SHA256

      48c52c0934097cdd0aea155be18a2006f2dd6884d623a51b00baf3e5de3e1412

      SHA512

      fde2fb90a19fa00d040ade516fef8ca5f4463aee1a8af2fc85f41c3e818365086ff12491c330c8598bf071270bdbd863bbcdb5a5dde3d2523fbd1f6182eb33f3

      Download Submit

    • \??\c:\Windows\Web\printers\5.reg
      Filesize

      22KB

      MD5

      3619b2192d1e0d4907f7d4702b4aa9e1

      SHA1

      1bb317bea13bb457d9ec71294e5c07c93cc9b8e6

      SHA256

      7da095327a1e11369d67d4f15d7c2e84cce9fb5d4cbac42d9b70bf0976300893

      SHA512

      8f2d8420dc2e92a4df42eab89bb612b2562ff6d152c4a6f651c64371089506673bf9f02a37ff1c3ad53a9ae0fe51aa9c47dcdb7e01a319df51306d58a601b7ff

      Download Submit

    • \??\c:\windows\dell\lsess.txt
      Filesize

      55.6MB

      MD5

      599c1057c0fee88667f749595acf5080

      SHA1

      12fd684230b6340e84eb00ab8f48b9f9f7391800

      SHA256

      712c92535f1df580bb4d26c59da2564ff24849250be714d51551db03a731ac2c

      SHA512

      4de26509aaa0eca3efcb18e3238e4bbf9dd4181ad1e851ea4c4662a37c9362ca4c0c5b0d75994a1e8931385df8c3f20a6f78a66709315f74612670ebaf15f4eb

      Download Submit

    • \??\c:\windows\web\printers\125.bat
      Filesize

      1KB

      MD5

      1af018ff177dfbae562ac429cff786cb

      SHA1

      81f09865306d8c91d59bbec8a11ac874816f102c

      SHA256

      dda4aa27c7fd4b793bcadbd94c47dc997d66e293f910af3826de893b0381914a

      SHA512

      a76fba548576d2c99dac7e040bb140e29a68f55ee024174018345c4236e2a7ebda96d5ed1b66da85ae60d20485847e3cd38d34262be6c45475938f8d2182ab22

      Download Submit

    • \??\c:\windows\web\printers\360s.txt
      Filesize

      33.7MB

      MD5

      d3c91ba79104275b8fc182c6e32a7cff

      SHA1

      094069eacd5d0fb117a40e310beb2b4aa4590420

      SHA256

      ceae80f544d3ec3ab1211773c601f1ca6eb8319a9e62960bb1fe98ddfbfe0553

      SHA512

      99cc0918b6029b35dd3a7fbcf8dd50b34c05364e7c4045c5dab7b206f510a95ac428a2fd59137ae1b0279d016f6d6bf0440ae8e5a063b1c32594c070b91a1241

      Download Submit

    • \??\c:\windows\web\printers\usbhard.rar
      Filesize

      236KB

      MD5

      a0f784ad499c07a7b7c3a48fab5afd0b

      SHA1

      8194f876410f89d3e4cc9ad1f86c89d1138b0d6c

      SHA256

      89c23b96ac3837d3ee68ff0684f57e14cee8fc3ac3171d65c173ba6417411335

      SHA512

      a13b015ec263073ddd2aa5ad116f65f7ae38dc592d6fba9ab2fc3dc034c483d53077c83005b9214cecbf8201a5cd50baea33824136903c0604c5cf6ade2f39de

      Download Submit

    • \??\c:\windows\web\printers\zzz.rar
      Filesize

      265KB

      MD5

      b6e7488813588c9f2d86d3f0f956fd42

      SHA1

      a61ba89c5b6a5962611680199667bb682a761074

      SHA256

      1e5e17c81e354de2172d1ab9b62a356b82037e3d64efda7b968ed07bbafc9742

      SHA512

      d33ebe2070d979a73cdf54e60bb6fe06bbfa25e906ddfbacac827378131922f53873bbb10856293f327e878364b16aea5097c49a03d86d3511351aaa79121b69

      Download Submit

    • memory/548-68-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2308-74-0x0000000000400000-0x00000000004FC000-memory.dmp

      Filesize

      1008KB

      Download

    • memory/2308-80-0x0000000000400000-0x00000000004FC000-memory.dmp

      Filesize

      1008KB

      Download

    • memory/2308-79-0x0000000002260000-0x0000000002261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-78-0x0000000000400000-0x00000000004FC000-memory.dmp

      Filesize

      1008KB

      Download

    • memory/2308-77-0x0000000002260000-0x0000000002261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2544-3-0x0000000000400000-0x00000000004D7000-memory.dmp

      Filesize

      860KB

      Download

    • memory/2544-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2544-5-0x00000000001C0000-0x00000000001C3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2544-6-0x0000000000400000-0x00000000004D7000-memory.dmp

      Filesize

      860KB

      Download

    • memory/2544-20-0x0000000000400000-0x00000000004D7000-memory.dmp

      Filesize

      860KB

      Download

    • memory/2544-0-0x0000000000400000-0x00000000004D7000-memory.dmp

      Filesize

      860KB

      Download

    • memory/3120-22-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3120-58-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

      Download