Analysis
-
max time kernel
5s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
07/01/2024, 19:36
Static task
static1
Behavioral task
behavioral1
Sample
ae3bf46e7d8a23bcb652d4c401bd2faa.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
ae3bf46e7d8a23bcb652d4c401bd2faa.exe
Resource
win10v2004-20231222-en
General
-
Target
ae3bf46e7d8a23bcb652d4c401bd2faa.exe
-
Size
54KB
-
MD5
ae3bf46e7d8a23bcb652d4c401bd2faa
-
SHA1
f1f2ce1e55425042e4a435de5756cdb3779cb285
-
SHA256
b795c753801bab817e22cb80e681ea0a327040f9c160a3f69751ff09967609ce
-
SHA512
fc5022ff54f3e76dfa7124447a8fd832c620c556a7ea2885f11afe3e0c764a7936f177a7e3311345a13e3bb0f183c4de3581d4c53c88c7fa5ef7b5cbd8a0e238
-
SSDEEP
1536:ON7kU6dcFjfUXhXAXzXkkcUcks98kMEi7W:K7kR0ykcUcks98kMEj
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kfxueb.exe
(ShowSuperHidden = 0 is the "Hide protected operating system files" setting; the dropped process turns it on for the current user.) -
Executes dropped EXE 1 IoCs
pid | Process
3044 | kfxueb.exe -
Loads dropped DLL 2 IoCs
pid | Process
2928 | ae3bf46e7d8a23bcb652d4c401bd2faa.exe
2928 | ae3bf46e7d8a23bcb652d4c401bd2faa.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\kfxueb = "C:\\Users\\Admin\\kfxueb.exe" | kfxueb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
3044 | kfxueb.exe
3044 | kfxueb.exe
3044 | kfxueb.exe
3044 | kfxueb.exe
3044 | kfxueb.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2928 | ae3bf46e7d8a23bcb652d4c401bd2faa.exe
3044 | kfxueb.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2928 wrote to memory of 3044 | 2928 | ae3bf46e7d8a23bcb652d4c401bd2faa.exe | 28
PID 2928 wrote to memory of 3044 | 2928 | ae3bf46e7d8a23bcb652d4c401bd2faa.exe | 28
PID 2928 wrote to memory of 3044 | 2928 | ae3bf46e7d8a23bcb652d4c401bd2faa.exe | 28
PID 2928 wrote to memory of 3044 | 2928 | ae3bf46e7d8a23bcb652d4c401bd2faa.exe | 28
PID 3044 wrote to memory of 2928 | 3044 | kfxueb.exe | 6
PID 3044 wrote to memory of 2928 | 3044 | kfxueb.exe | 6
PID 3044 wrote to memory of 2928 | 3044 | kfxueb.exe | 6
PID 3044 wrote to memory of 2928 | 3044 | kfxueb.exe | 6
PID 3044 wrote to memory of 2928 | 3044 | kfxueb.exe | 6
PID 3044 wrote to memory of 2928 | 3044 | kfxueb.exe | 6
PID 3044 wrote to memory of 2928 | 3044 | kfxueb.exe | 6
PID 3044 wrote to memory of 2928 | 3044 | kfxueb.exe | 6
The writes run in both directions: the original sample (2928) writes into the dropped process (3044), and the dropped process then writes back into its parent.
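The host-side IoCs above (the per-user Run value, the ShowSuperHidden change, and the file hashes) are the ones worth hunting for on other machines. The following Python is an added example and is not part of this report or of any sandbox product: it applies those IoCs to Sysmon-style registry (Event ID 13) and file-create events. The input events are constructed here from the Signatures section, not captured telemetry; the field names follow Sysmon (Image, TargetObject, Details, TargetFilename), the per-event SHA256 on the file event is assumed to be supplied by the collector, and the exclusion of explorer.exe as a legitimate writer of ShowSuperHidden is an assumption. The user SID and profile name are generalised so the rule is not tied to the sandbox's S-1-5-21-...-1000 account or to C:\Users\Admin.

```python
import re
from dataclasses import dataclass
from typing import List, Union

# Hashes copied from the report: the submitted sample and the 4KB file under Downloads.
KNOWN_SHA256 = {
    "b795c753801bab817e22cb80e681ea0a327040f9c160a3f69751ff09967609ce":
        "ae3bf46e7d8a23bcb652d4c401bd2faa.exe (submitted sample, 54KB)",
    "bdff796c39cbc01b3fb5166a2e15a670d1f542cbba66a3fcb163b42012a1e043":
        "4KB file listed under Downloads",
}

# Per-user SID generalised: any S-1-5-21-<domain>-<rid>, not only the sandbox account.
_SID = r"S-1-5-21-\d+-\d+-\d+-\d+"
_CV = r"\\Software\\Microsoft\\Windows\\CurrentVersion"
RUN_VALUE_RE = re.compile(rf"^HKU\\{_SID}{_CV}\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
SUPERHIDDEN_RE = re.compile(rf"^HKU\\{_SID}{_CV}\\Explorer\\Advanced\\ShowSuperHidden$", re.IGNORECASE)
# The report's Run value points straight at an EXE in the profile root (C:\Users\Admin\kfxueb.exe).
PROFILE_ROOT_EXE_RE = re.compile(r'^"?[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe"?$', re.IGNORECASE)


def normalize_key(path: str) -> str:
    """Map the NT-native hive path the sandbox prints (\\REGISTRY\\USER\\...)
    onto the HKU\\... form Sysmon logs, so one rule set covers both sources."""
    lowered = path.lower()
    if lowered.startswith("\\registry\\user\\"):
        return "HKU\\" + path[len("\\REGISTRY\\USER\\"):]
    if lowered.startswith("\\registry\\machine\\"):
        return "HKLM\\" + path[len("\\REGISTRY\\MACHINE\\"):]
    return path


@dataclass
class RegistrySetEvent:          # Sysmon Event ID 13 fields used here
    image: str
    target_object: str
    details: str


@dataclass
class FileCreateEvent:           # Sysmon Event ID 11 plus a collector-supplied hash (assumption)
    image: str
    target_filename: str
    sha256: str


def check_registry(ev: RegistrySetEvent) -> List[str]:
    hits = []
    key = normalize_key(ev.target_object)
    # Sandbox output escapes backslashes in string values ("C:\\Users\\..."); undo that.
    details = ev.details.strip().replace("\\\\", "\\")
    m = RUN_VALUE_RE.match(key)
    if m and PROFILE_ROOT_EXE_RE.match(details):
        hits.append(f"run-key persistence: {m.group('name')} -> {details} (set by {ev.image})")
    # ShowSuperHidden = 0 re-enables "Hide protected operating system files". Explorer
    # writes it when the user toggles Folder Options, so (assumption) flag other writers only.
    cleared = details in ("0", "DWORD (0x00000000)")
    if SUPERHIDDEN_RE.match(key) and cleared and not ev.image.lower().endswith("\\explorer.exe"):
        hits.append(f"ShowSuperHidden cleared by {ev.image}")
    return hits


def check_file(ev: FileCreateEvent) -> List[str]:
    label = KNOWN_SHA256.get(ev.sha256.lower())
    return [f"known hash ({label}): {ev.target_filename} written by {ev.image}"] if label else []


def hunt(events: List[Union[RegistrySetEvent, FileCreateEvent]]) -> List[str]:
    hits: List[str] = []
    for ev in events:
        hits.extend(check_registry(ev) if isinstance(ev, RegistrySetEvent) else check_file(ev))
    return hits


# Constructed events modelled on the report's Signatures section (not captured telemetry).
SAMPLE_EVENTS = [
    RegistrySetEvent(
        image=r"C:\Users\Admin\kfxueb.exe",
        target_object=r"\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\kfxueb",
        details=r"C:\\Users\\Admin\\kfxueb.exe",
    ),
    RegistrySetEvent(
        image=r"C:\Users\Admin\kfxueb.exe",
        target_object=r"\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000"
                      r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
        details="0",
    ),
    # Benign control: a different user toggling Folder Options in Explorer must not fire.
    RegistrySetEvent(
        image=r"C:\Windows\explorer.exe",
        target_object=r"HKU\S-1-5-21-1111-2222-3333-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
        details="DWORD (0x00000000)",
    ),
    FileCreateEvent(
        image=r"C:\Windows\explorer.exe",
        target_filename=r"C:\Users\Admin\AppData\Local\Temp\ae3bf46e7d8a23bcb652d4c401bd2faa.exe",
        sha256="b795c753801bab817e22cb80e681ea0a327040f9c160a3f69751ff09967609ce",
    ),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events it reports three hits (the Run value, the ShowSuperHidden write by kfxueb.exe, and the sample hash) and stays silent on the explorer.exe control event. To use it on real data, feed it parsed Sysmon events with the same field names; the SID and username generalisation is what makes the report's single observation into a reusable rule.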
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ae3bf46e7d8a23bcb652d4c401bd2faa.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ae3bf46e7d8a23bcb652d4c401bd2faa.exe"
   PID: 2928
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\kfxueb.exe (child of PID 2928)
      command line: "C:\Users\Admin\kfxueb.exe"
      PID: 3044
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4KB
MD5
ae9623bb0aec9580a214f143c3f5e304
SHA1
751e5946d9f6418cac50baeb6068abad12842c78
SHA256
bdff796c39cbc01b3fb5166a2e15a670d1f542cbba66a3fcb163b42012a1e043
SHA512
63c286751dea65788adc7837da6c7f9be6afdf567ceb50c6063fe8ab7cc3f1f79932b4cbf33e78bcc750373b7af6f6c08e0ed2270e7f5d3165f50c329b8328bc