Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-01-2024 15:21
Static task: static1
Behavioral task: behavioral1
  Sample: 53dfcaa40638683ee5c04f95673274ba.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 53dfcaa40638683ee5c04f95673274ba.exe
  Resource: win10v2004-20231215-en
General
Target: 53dfcaa40638683ee5c04f95673274ba.exe
Size: 791KB
MD5: 53dfcaa40638683ee5c04f95673274ba
SHA1: 84dc1f5df8f719660ab016e30f13cfd1fb9e51ca
SHA256: 39cb4858c187bac6fa4e874ca525328a84ad6ebef099dd0255c78da51fd65bbd
SHA512: 64ca0454086ae7e6afe89e14d8da17d2a4adb7d9bef88cd5460cb4b4062d55e9ab3f525b65659535e0ad8ee85a3befd745ff7a3e0baad060f8ce58d3707a16c2
SSDEEP: 6144:cpqoa8aLiC/2OLSAN7gNVpNleQUohBfGPOtQciXeL/XYqGlebojSP2pjNhcYYnCH:cpqiC/2OGAtkCP4cejGSOpRKPCnIi
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe system3_.exe" | 53dfcaa40638683ee5c04f95673274ba.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Users\\Admin\\Desktop\\system3_.exe" | 53dfcaa40638683ee5c04f95673274ba.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
Process: 53dfcaa40638683ee5c04f95673274ba.exe
ioc (23 drive roots, in the order reported): \??\x: \??\a: \??\b: \??\m: \??\p: \??\r: \??\s: \??\u: \??\i: \??\k: \??\v: \??\y: \??\h: \??\j: \??\o: \??\t: \??\w: \??\z: \??\e: \??\g: \??\l: \??\n: \??\q:
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/624-0-0x0000000000400000-0x00000000004DC000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002320a-10.dat | autoit_exe
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\d:\autorun.inf | 53dfcaa40638683ee5c04f95673274ba.exe
File created | \??\f:\autorun.inf | 53dfcaa40638683ee5c04f95673274ba.exe
File opened for modification | F:\\autorun.inf | 53dfcaa40638683ee5c04f95673274ba.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main | 53dfcaa40638683ee5c04f95673274ba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.mydreamworld.50webs.com" | 53dfcaa40638683ee5c04f95673274ba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.mydreamworld.50webs.com" | 53dfcaa40638683ee5c04f95673274ba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://www.mydreamworld.50webs.com" | 53dfcaa40638683ee5c04f95673274ba.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main | 53dfcaa40638683ee5c04f95673274ba.exe
Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com" | 53dfcaa40638683ee5c04f95673274ba.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.mydreamworld.50webs.com" | 53dfcaa40638683ee5c04f95673274ba.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
624 | 53dfcaa40638683ee5c04f95673274ba.exe (the same pid/process pair is reported for all 64 entries)
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
(each row below is reported three times, giving 24 entries)
PID 624 wrote to memory of 4108 | 624 | 53dfcaa40638683ee5c04f95673274ba.exe | 31
PID 4108 wrote to memory of 2252 | 4108 | cmd.exe | 41
PID 624 wrote to memory of 4744 | 624 | 53dfcaa40638683ee5c04f95673274ba.exe | 36
PID 4744 wrote to memory of 852 | 4744 | cmd.exe | 39
PID 624 wrote to memory of 4992 | 624 | 53dfcaa40638683ee5c04f95673274ba.exe | 105
PID 4992 wrote to memory of 2976 | 4992 | cmd.exe | 107
PID 624 wrote to memory of 4356 | 624 | 53dfcaa40638683ee5c04f95673274ba.exe | 108
PID 4356 wrote to memory of 3252 | 4356 | cmd.exe | 110
Processes
(indentation shows the parent/child tree; depth 1 is the submitted sample)

C:\Users\Admin\AppData\Local\Temp\53dfcaa40638683ee5c04f95673274ba.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\53dfcaa40638683ee5c04f95673274ba.exe"
  PID: 624
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C AT /delete /yes
      PID: 4108
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\at.exe
          command line: AT /delete /yes
          PID: 2252

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
      PID: 4744
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\at.exe
          command line: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\Admin\Desktop\system3_.exe
          PID: 852

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
      PID: 4992
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cacls.exe
          command line: cacls "C:\system volume information" /e /g "Admin":f
          PID: 2976

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Admin":f
      PID: 4356
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cacls.exe
          command line: cacls "C:\system volume information" /e /g "Admin":f
          PID: 3252
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

Filesize: 102B
MD5: 948c74cd98911b420ff89dac13399bcb
SHA1: 76dfc73518f003953923b1b4f2b973f4bb56a411
SHA256: 94a1ac3d574425ec8a3cc01675e4d787373d2a190dddd4f8ba507c49ca3fd42a
SHA512: b31d82ede9d48e390a50a9dcf5c4c607c62638e8bc56f473250f9a56b7967d5de948abed69bbb2c35eb0112288faa5c438316b06ccbb36d289e93952b30e2ede

Filesize: 791KB
MD5: 53dfcaa40638683ee5c04f95673274ba
SHA1: 84dc1f5df8f719660ab016e30f13cfd1fb9e51ca
SHA256: 39cb4858c187bac6fa4e874ca525328a84ad6ebef099dd0255c78da51fd65bbd
SHA512: 64ca0454086ae7e6afe89e14d8da17d2a4adb7d9bef88cd5460cb4b4062d55e9ab3f525b65659535e0ad8ee85a3befd745ff7a3e0baad060f8ce58d3707a16c2