d7187c375741d1797d56cc53ad890f87e48b405aa8db6951b4cbefa804884797

Analysis

max time kernel
184s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4eab4b1b1ceaa35db996ea96b6160547.exe
Size

144KB
MD5

4eab4b1b1ceaa35db996ea96b6160547
SHA1

6578f62c208cf672e6cb0c65534ef9e02e54b0d4
SHA256

d7187c375741d1797d56cc53ad890f87e48b405aa8db6951b4cbefa804884797
SHA512

11a9b880943fef10b48230cb70c1525eb5c0ed64119b9e30e26deac210b10c138ed64ea5821ee7ab85e88152ab0d5cf10d8565e21e2e64c295a0acf8b2363512
SSDEEP

3072:K+3SNwtzid5DkjScvN4/OLYMH8uqSDGghke8KVrB:riNwZjSqN4PDuqSDGgqel7

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2584	rotr.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	4eab4b1b1ceaa35db996ea96b6160547.exe
2832	4eab4b1b1ceaa35db996ea96b6160547.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Program Files (x86)\\unue\\rotr.exe\" -vt ndrv"	rotr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ieuu = "\"C:\\Program Files (x86)\\unue\\rotr.exe\" -vt ndrv"	4eab4b1b1ceaa35db996ea96b6160547.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\unue\rotr.exe	4eab4b1b1ceaa35db996ea96b6160547.exe
File created	C:\Program Files (x86)\unue\rotr.exe	4eab4b1b1ceaa35db996ea96b6160547.exe
File opened for modification	C:\Program Files (x86)\unue\rotr.exe	rotr.exe
File created	C:\Program Files (x86)\unue\rotr.exe	rotr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2584	2832	4eab4b1b1ceaa35db996ea96b6160547.exe	30
PID 2832 wrote to memory of 2584	2832	4eab4b1b1ceaa35db996ea96b6160547.exe	30
PID 2832 wrote to memory of 2584	2832	4eab4b1b1ceaa35db996ea96b6160547.exe	30
PID 2832 wrote to memory of 2584	2832	4eab4b1b1ceaa35db996ea96b6160547.exe	30

C:\Users\Admin\AppData\Local\Temp\4eab4b1b1ceaa35db996ea96b6160547.exe
"C:\Users\Admin\AppData\Local\Temp\4eab4b1b1ceaa35db996ea96b6160547.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Program Files (x86)\unue\rotr.exe
  "C:\Program Files (x86)\unue\rotr.exe" -vt ndrv
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\unue\rotr.exe

Filesize
144KB

MD5
4eab4b1b1ceaa35db996ea96b6160547

SHA1
6578f62c208cf672e6cb0c65534ef9e02e54b0d4

SHA256
d7187c375741d1797d56cc53ad890f87e48b405aa8db6951b4cbefa804884797

SHA512
11a9b880943fef10b48230cb70c1525eb5c0ed64119b9e30e26deac210b10c138ed64ea5821ee7ab85e88152ab0d5cf10d8565e21e2e64c295a0acf8b2363512

Download Submit
memory/2584-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads