1a3251b585358632d72952b6429a9698f2df4f5d363f94c1c5467927520a3d4e

Analysis

max time kernel
1s
max time network
16s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5203288731bfe32aad1c3a4b9f016747.exe
Size

19KB
MD5

5203288731bfe32aad1c3a4b9f016747
SHA1

c95df23cb9a4cfffbb9683e2a2e1b05c12b72665
SHA256

1a3251b585358632d72952b6429a9698f2df4f5d363f94c1c5467927520a3d4e
SHA512

8d7da9c55a6cb6771f8cbb2e94985ab1390b41b1d1e24aa2c3f2617a34c0bb84f6ffd1b86d5fa31bbf6e0a67dcbf283d002ac246d184485e78c482783e222cc1
SSDEEP

384:S0Ro5AyrgPsMCLXKGZkLvbtWiYwWKUN6hYU2hW20Bioah+xJKnxEj1kYqrU:tRoq1SLZZkLvbEiEKKU2huR68UnaS

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2060	5203288731bfe32aad1c3a4b9f016747.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\cufnpaar = "C:\\Windows\\unarknas.exe"	5203288731bfe32aad1c3a4b9f016747.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ofeandfn.dll	5203288731bfe32aad1c3a4b9f016747.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\unarknas.exe	5203288731bfe32aad1c3a4b9f016747.exe
File opened for modification	C:\Windows\unarknas.exe	5203288731bfe32aad1c3a4b9f016747.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2060	5203288731bfe32aad1c3a4b9f016747.exe
2060	5203288731bfe32aad1c3a4b9f016747.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2060	5203288731bfe32aad1c3a4b9f016747.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1076	2060	5203288731bfe32aad1c3a4b9f016747.exe	9
PID 2060 wrote to memory of 1076	2060	5203288731bfe32aad1c3a4b9f016747.exe	9

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1076
- C:\Users\Admin\AppData\Local\Temp\5203288731bfe32aad1c3a4b9f016747.exe
  "C:\Users\Admin\AppData\Local\Temp\5203288731bfe32aad1c3a4b9f016747.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ofeandfn.dll

Filesize
32KB

MD5
e71c2b4b519f68a3048cbc2e5a7aacb8

SHA1
da811341a8e3ee877d0d1bfc8f3f6fe8570d371d

SHA256
91dee01ba6f0a6ea09a359c218dfdc1c91ee70ad3ba4105a18a6ca0f135a226e

SHA512
d0068780dcd1188e593e09fb2f9a7565d07e983505482a30bd859bfbe01c599d47f198129e4289b73a61c995706fd75b204792f584370ee21e3ec0b3d720c6dc

Download Submit
memory/1076-3-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2060-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2060-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2060-12-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download