25a6bfac4391785c956934d4d0a5d1ac248bf2e3cd6923cfc2792675d2550931

Analysis

max time kernel
151s
max time network
172s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

446a62c394e577d3469bc569f193f5f1.exe
Size

88KB
MD5

446a62c394e577d3469bc569f193f5f1
SHA1

fc40485761413313141f138b6d8824e15b33783d
SHA256

25a6bfac4391785c956934d4d0a5d1ac248bf2e3cd6923cfc2792675d2550931
SHA512

ded19b80211b7895228ede8d45097fd20f9fe2f490ed71d2b823dc14703044d6407f567243df3d6aabace382b7b4eeb973c471be4ea91fc40cb4076d679bfe33
SSDEEP

1536:aMuFH+aKd/EsUzUVACD1LGLULKLdLaL7gW8ENVk4LBKa:W5+p/EsUAtNVX7

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rpter.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	rpter.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	446a62c394e577d3469bc569f193f5f1.exe
2840	446a62c394e577d3469bc569f193f5f1.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /Q"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /V"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /g"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /E"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /h"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /a"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /w"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /D"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /L"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /y"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /x"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /G"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /f"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /F"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /z"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /H"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /R"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /B"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /l"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /i"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /K"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /s"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /r"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /M"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /c"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /C"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /U"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /I"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /N"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /u"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /J"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /o"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /Y"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /d"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /q"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /n"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /v"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /m"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /p"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /t"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /j"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /Z"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /W"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /T"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /e"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /O"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /b"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /P"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /k"	rpter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\rpter = "C:\\Users\\Admin\\rpter.exe /X"	rpter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe
2712	rpter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2840	446a62c394e577d3469bc569f193f5f1.exe
2712	rpter.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2712	2840	446a62c394e577d3469bc569f193f5f1.exe	28
PID 2840 wrote to memory of 2712	2840	446a62c394e577d3469bc569f193f5f1.exe	28
PID 2840 wrote to memory of 2712	2840	446a62c394e577d3469bc569f193f5f1.exe	28
PID 2840 wrote to memory of 2712	2840	446a62c394e577d3469bc569f193f5f1.exe	28

C:\Users\Admin\AppData\Local\Temp\446a62c394e577d3469bc569f193f5f1.exe
"C:\Users\Admin\AppData\Local\Temp\446a62c394e577d3469bc569f193f5f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\rpter.exe
  "C:\Users\Admin\rpter.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\rpter.exe

Filesize
88KB

MD5
1e70e127e011684c323db8535332b7ff

SHA1
1ed618fbc23b7fd819bd8e963414b57e06f64c22

SHA256
7dce48262ee982b010319922e1721b64e4eebf6af0962c6bd8fb9c2a7485a325

SHA512
e322a7c3f12d4c949ef939caa0e601f754af86dce8dd8579133eb8eface06ecf5c2ed61b91e0878a140d5be79fda3a1fffbc498d54b86f9773d3a33456cccc7c

Download Submit