c26de313755d31e46e4514305f904225d2f3468a166e5a8c9f684952e9093c9b

Analysis

max time kernel
137s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56027bc4627bb9dbcd6a5cd2ef56dd86.exe
Size

593KB
MD5

56027bc4627bb9dbcd6a5cd2ef56dd86
SHA1

119c42a51bca9c3e515e32d148fc8bf39f4edd08
SHA256

c26de313755d31e46e4514305f904225d2f3468a166e5a8c9f684952e9093c9b
SHA512

b453e56e2c9488ceac60f5a4a91f2cd2ccb6d73d7ad2c4dcdfdebcf7def385721f2295e90a478e1c2bda0f47522ed344c8ef6fbb20078e3bef9e0ac8c5b8b044
SSDEEP

12288:kHWYg1ieQ7NfOKn2NkBjm1q0BbTgoWTHQo30veJTv3PdEOgT:kHtf7/nsamY0BgoNRGJTpc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2376	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	8.com.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	8.com.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\UNINSTAL.BAT	56027bc4627bb9dbcd6a5cd2ef56dd86.exe
File created	C:\Windows\8.com.exe	56027bc4627bb9dbcd6a5cd2ef56dd86.exe
File opened for modification	C:\Windows\8.com.exe	56027bc4627bb9dbcd6a5cd2ef56dd86.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	8.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1C691FFA-DBFA-4A9B-BB53-BB82737E1147}\12-a0-b2-48-c4-8e	8.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	8.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1C691FFA-DBFA-4A9B-BB53-BB82737E1147}\WpadNetworkName = "Network 3"	8.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-a0-b2-48-c4-8e\WpadDecisionReason = "1"	8.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-a0-b2-48-c4-8e\WpadDecision = "0"	8.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1C691FFA-DBFA-4A9B-BB53-BB82737E1147}\WpadDecisionTime = f0767a503445da01	8.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	8.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-a0-b2-48-c4-8e	8.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-a0-b2-48-c4-8e\WpadDetectedUrl	8.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	8.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1C691FFA-DBFA-4A9B-BB53-BB82737E1147}\WpadDecisionReason = "1"	8.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1C691FFA-DBFA-4A9B-BB53-BB82737E1147}\WpadDecision = "0"	8.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	8.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-a0-b2-48-c4-8e\WpadDecisionTime = 903b0f1b3445da01	8.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	8.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	8.com.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	8.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	8.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1C691FFA-DBFA-4A9B-BB53-BB82737E1147}	8.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	8.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	8.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1C691FFA-DBFA-4A9B-BB53-BB82737E1147}\WpadDecisionTime = 903b0f1b3445da01	8.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-a0-b2-48-c4-8e\WpadDecisionTime = f0767a503445da01	8.com.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	56027bc4627bb9dbcd6a5cd2ef56dd86.exe
Token: SeDebugPrivilege	2596	8.com.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2596	8.com.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2376	2912	56027bc4627bb9dbcd6a5cd2ef56dd86.exe	29
PID 2912 wrote to memory of 2376	2912	56027bc4627bb9dbcd6a5cd2ef56dd86.exe	29
PID 2912 wrote to memory of 2376	2912	56027bc4627bb9dbcd6a5cd2ef56dd86.exe	29
PID 2912 wrote to memory of 2376	2912	56027bc4627bb9dbcd6a5cd2ef56dd86.exe	29
PID 2912 wrote to memory of 2376	2912	56027bc4627bb9dbcd6a5cd2ef56dd86.exe	29
PID 2912 wrote to memory of 2376	2912	56027bc4627bb9dbcd6a5cd2ef56dd86.exe	29
PID 2912 wrote to memory of 2376	2912	56027bc4627bb9dbcd6a5cd2ef56dd86.exe	29
PID 2596 wrote to memory of 2212	2596	8.com.exe	30
PID 2596 wrote to memory of 2212	2596	8.com.exe	30
PID 2596 wrote to memory of 2212	2596	8.com.exe	30
PID 2596 wrote to memory of 2212	2596	8.com.exe	30

C:\Users\Admin\AppData\Local\Temp\56027bc4627bb9dbcd6a5cd2ef56dd86.exe
"C:\Users\Admin\AppData\Local\Temp\56027bc4627bb9dbcd6a5cd2ef56dd86.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNINSTAL.BAT
  2⤵
  - Deletes itself
  PID:2376

C:\Windows\8.com.exe
C:\Windows\8.com.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\8.com.exe

Filesize
593KB

MD5
56027bc4627bb9dbcd6a5cd2ef56dd86

SHA1
119c42a51bca9c3e515e32d148fc8bf39f4edd08

SHA256
c26de313755d31e46e4514305f904225d2f3468a166e5a8c9f684952e9093c9b

SHA512
b453e56e2c9488ceac60f5a4a91f2cd2ccb6d73d7ad2c4dcdfdebcf7def385721f2295e90a478e1c2bda0f47522ed344c8ef6fbb20078e3bef9e0ac8c5b8b044

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
186B

MD5
404b3eab3b564f74ef8665e7bce4e3ed

SHA1
daef2da3f13798ed15c5e12c1b2ec6828b8d2752

SHA256
867998cd3a54b42a89f9d32838e7ae9e146c6bfe7584b1ac854362bd650e084d

SHA512
9bb610111876179a0c6a666c14688403970a366a981daa8d3b9e9ce9fed56eee4b1973d42fbada8600afc205689ca1992c52677d1404d86626568b9d461fe84f

Download Submit
memory/2912-0-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2912-1-0x0000000000350000-0x000000000039B000-memory.dmp

Filesize
300KB

Download
memory/2912-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2912-46-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/2912-65-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/2912-64-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/2912-63-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/2912-62-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/2912-61-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2912-60-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2912-59-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2912-58-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/2912-57-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/2912-56-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/2912-55-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2912-54-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2912-53-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2912-52-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2912-51-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2912-48-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2912-47-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/2912-45-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/2912-44-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/2912-43-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/2912-42-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2912-41-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/2912-40-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/2912-39-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2912-38-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2912-37-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/2912-36-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2912-35-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2912-34-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/2912-33-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2912-32-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2912-31-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2912-30-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2912-29-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/2912-28-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/2912-27-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2912-26-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/2912-25-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2912-24-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2912-23-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2912-22-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2912-21-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2912-20-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2912-19-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/2912-18-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2912-17-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2912-16-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2912-15-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2912-14-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/2912-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2912-11-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2912-10-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2912-9-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2912-8-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2912-7-0x0000000002800000-0x0000000002803000-memory.dmp

Filesize
12KB

Download
memory/2912-6-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2912-5-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2912-4-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2912-2-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2912-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2912-100-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download