f0263624c0bba08a7c392c7d511672c58ba94ecdfacce0bf94f0e67148646b28

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4293267390bab3bbfec9a2d4ef0be010.exe
Size

653KB
MD5

4293267390bab3bbfec9a2d4ef0be010
SHA1

07a9392fdf768e8c0ec49000cfa4049ef0a83fda
SHA256

f0263624c0bba08a7c392c7d511672c58ba94ecdfacce0bf94f0e67148646b28
SHA512

e5577593be3bf3abfe9c03fed6215257eeb649577965eeffc708e04faeaa1b534183b4de0dd6e507b4fb3a8e2e09f612b84dba440286c45319a057588310af99
SSDEEP

12288:uhbvnM36BIyhph8hjRO+meBMbm6kx+n92dMxznqvXPI0zagCI:uRE36Cyhph0jRORbPkxm0MS8I

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1892	seekdns.exe
1904	seekdns.exe
2576	seekdns147.exe
2472	seekdns.exe

Loads dropped DLL 9 IoCs

pid	Process
2336	4293267390bab3bbfec9a2d4ef0be010.exe
2336	4293267390bab3bbfec9a2d4ef0be010.exe
2336	4293267390bab3bbfec9a2d4ef0be010.exe
2336	4293267390bab3bbfec9a2d4ef0be010.exe
1904	seekdns.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2472	seekdns.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	seekdns147.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Seekdns\seekdns.dll	seekdns.exe
File created	C:\Program Files (x86)\Seekdns\seekdns.exe	seekdns.exe
File created	C:\Program Files (x86)\Seekdns\uninstall.exe	4293267390bab3bbfec9a2d4ef0be010.exe
File created	C:\Program Files (x86)\Seekdns\seekdns.dll	seekdns.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000014b50-45.dat	nsis_installer_1

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	seekdns147.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	seekdns147.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	seekdns147.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	seekdns147.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B70D5C02-A5C7-4996-AE89-281A8897D8D8}	seekdns147.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B70D5C02-A5C7-4996-AE89-281A8897D8D8}\WpadDecisionTime = 801e422c823fda01	seekdns147.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B70D5C02-A5C7-4996-AE89-281A8897D8D8}\3e-de-f8-5d-ca-e8	seekdns147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-de-f8-5d-ca-e8\WpadDecision = "0"	seekdns147.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	seekdns147.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	seekdns147.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-de-f8-5d-ca-e8\WpadDecisionTime = 801e422c823fda01	seekdns147.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	seekdns147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	seekdns147.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	seekdns147.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	seekdns147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B70D5C02-A5C7-4996-AE89-281A8897D8D8}\WpadDecisionReason = "1"	seekdns147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B70D5C02-A5C7-4996-AE89-281A8897D8D8}\WpadDecision = "0"	seekdns147.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-de-f8-5d-ca-e8	seekdns147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-de-f8-5d-ca-e8\WpadDecisionReason = "1"	seekdns147.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	seekdns147.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	seekdns147.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	seekdns147.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	seekdns147.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B70D5C02-A5C7-4996-AE89-281A8897D8D8}\WpadNetworkName = "Network 3"	seekdns147.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe
2576	seekdns147.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2472	seekdns.exe
2472	seekdns.exe
2472	seekdns.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1892	2336	4293267390bab3bbfec9a2d4ef0be010.exe	28
PID 2336 wrote to memory of 1892	2336	4293267390bab3bbfec9a2d4ef0be010.exe	28
PID 2336 wrote to memory of 1892	2336	4293267390bab3bbfec9a2d4ef0be010.exe	28
PID 2336 wrote to memory of 1892	2336	4293267390bab3bbfec9a2d4ef0be010.exe	28
PID 2336 wrote to memory of 1904	2336	4293267390bab3bbfec9a2d4ef0be010.exe	29
PID 2336 wrote to memory of 1904	2336	4293267390bab3bbfec9a2d4ef0be010.exe	29
PID 2336 wrote to memory of 1904	2336	4293267390bab3bbfec9a2d4ef0be010.exe	29
PID 2336 wrote to memory of 1904	2336	4293267390bab3bbfec9a2d4ef0be010.exe	29
PID 2576 wrote to memory of 2472	2576	seekdns147.exe	31
PID 2576 wrote to memory of 2472	2576	seekdns147.exe	31
PID 2576 wrote to memory of 2472	2576	seekdns147.exe	31
PID 2576 wrote to memory of 2472	2576	seekdns147.exe	31

C:\Users\Admin\AppData\Local\Temp\4293267390bab3bbfec9a2d4ef0be010.exe
"C:\Users\Admin\AppData\Local\Temp\4293267390bab3bbfec9a2d4ef0be010.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\nst9771.tmp\seekdns.exe
  "C:\Users\Admin\AppData\Local\Temp\nst9771.tmp\seekdns.exe" "C:\Users\Admin\AppData\Local\Temp\nst9771.tmp\seekdns.dll" -r
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\nst9771.tmp\seekdns.exe
  "C:\Users\Admin\AppData\Local\Temp\nst9771.tmp\seekdns.exe" "C:\Users\Admin\AppData\Local\Temp\nst9771.tmp\seekdns.dll" amecpccj ""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:1904

C:\ProgramData\Seekdns\seekdns147.exe
"C:\ProgramData\Seekdns\seekdns147.exe" "C:\Program Files (x86)\Seekdns\seekdns.dll" xvwfnuxf
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\Seekdns\seekdns.exe
  "C:\Program Files (x86)\Seekdns\seekdns.exe" "C:\Program Files (x86)\Seekdns\seekdns.dll" qzygttqz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst9771.tmp\seekdns.dll

Filesize
584KB

MD5
1f49ac73a56be2b7582e0234e695482d

SHA1
e036ca3fcbb867b4a8b9183847c0c74c95fc0899

SHA256
453783e51e15ce08e383e4fe44f6b579dde1c8e144e2df6dfd63971316ddef3f

SHA512
c21f17d6e7fd36c723ca5da232a2e097b48d35ed78365d44e9e1d10297f0b9ae8acf84a4a3f1ae6c08904c6a307bf35c10db5baf7feca3677b1b36c3cf7f5d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9771.tmp\uninstall.exe

Filesize
82KB

MD5
e1348b87c9e541c1a959b122cc2b12f9

SHA1
768cc443f3de7727e2709cb2cac9835c90a03079

SHA256
9e5f74c04627b84b29ac9c229fc01c9f43d26e1e06501fce361b5c540552b7f5

SHA512
744f3256a451b2b676f69f54e0a24ac347a24fe30f007c068941073439443f0c811e1ce260f7f1a297e515d82c8bdf5973509964b50abf9ad5c664be16628223

Download Submit
\Users\Admin\AppData\Local\Temp\nst9771.tmp\seekdns.exe

Filesize
60KB

MD5
242855464cb563e26f7191b71de5a292

SHA1
b89c0ade9c46041e34b88fd023be867549acdabb

SHA256
f9ba01d75b80ed54fc21ca7d90a157bbb2bf07bd8f895a9da788483ff8bcbcaa

SHA512
f76d6402530481ca67ecd23637e8aa9cfad37c82b1a764362c9c01b6f5e7e9f452f66e63b20bcb63ceaf30bfb144cef68d029687c37757a188321abf98ec4a1e

Download Submit
memory/1904-24-0x0000000000350000-0x00000000003D1000-memory.dmp

Filesize
516KB

Download
memory/2472-56-0x0000000000220000-0x00000000002A1000-memory.dmp

Filesize
516KB

Download
memory/2576-35-0x0000000000340000-0x00000000003C1000-memory.dmp

Filesize
516KB

Download