1af1327bb31f2a65f778c4ed1ee66a1ca36f5a5d10d4d68814bc6dec87837d84

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b9a230c646f7fe9eb829170aa60b1be.exe
Size

14KB
MD5

5b9a230c646f7fe9eb829170aa60b1be
SHA1

7efd8df58888b822af6a807694646333bafe3ba9
SHA256

1af1327bb31f2a65f778c4ed1ee66a1ca36f5a5d10d4d68814bc6dec87837d84
SHA512

930c2d18ad4bc5a6e8479e1417bf43a778ad2e93c814eeca65bbfc6423a036cda567c7c5047bfffb86648afb2edd88dfaadead494dce0a3cb6597bcc6cef044a
SSDEEP

384:nt9RdeAsF1YgntJj8/TzSJfNCHc8Gw0nitaYzeR9sNehO:t9iXFnSLINSGwYfT

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\\\WINNT\\\\system32\\\\userinit.exe,C:\\Windows\\System32\\acrldrer.exe"	5b9a230c646f7fe9eb829170aa60b1be.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\acrldrer = "C:\\Windows\\System32\\acrldrer.exe"	5b9a230c646f7fe9eb829170aa60b1be.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B83FC273-3522-4CC6-92EC-75CC86678DA4}	5b9a230c646f7fe9eb829170aa60b1be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Compatibility Flags = "1024"	5b9a230c646f7fe9eb829170aa60b1be.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	5b9a230c646f7fe9eb829170aa60b1be.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1684	5b9a230c646f7fe9eb829170aa60b1be.exe
1684	5b9a230c646f7fe9eb829170aa60b1be.exe
1684	5b9a230c646f7fe9eb829170aa60b1be.exe

C:\Users\Admin\AppData\Local\Temp\5b9a230c646f7fe9eb829170aa60b1be.exe
"C:\Users\Admin\AppData\Local\Temp\5b9a230c646f7fe9eb829170aa60b1be.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1684-3-0x0000000004F10000-0x0000000005043000-memory.dmp

Filesize
1.2MB

Download
memory/1684-4-0x0000000005BB0000-0x0000000005EF7000-memory.dmp

Filesize
3.3MB

Download
memory/1684-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1684-14-0x00000000057C0000-0x00000000058F0000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads