d18003c9c800febb319c24f67dbcd8341718c876336d36ed71374c23eb9cdceb

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

742e052ce45c55b33217e988450b1fd0.exe
Size

17KB
MD5

742e052ce45c55b33217e988450b1fd0
SHA1

1366e5a6a8bf2ec4fddd373f0cccc9b7be2da850
SHA256

d18003c9c800febb319c24f67dbcd8341718c876336d36ed71374c23eb9cdceb
SHA512

48895dcf433fa76dbb0133a513361837198b7ffab4bc46b785f47718b42e2d84122b8721046fbba0cd5b497c98bbee383e1599b792f171315f41ffe50b85705f
SSDEEP

384:l6EIiY2WHOv6zgMYt1XWOyP93QOuW2tj9YKKSduu:l6EdH4zBYt1XWOGQOIe1u

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1736	742e052ce45c55b33217e988450b1fd0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\WINSvr64 = "C:\\Windows\\WINSvr64.exe"	742e052ce45c55b33217e988450b1fd0.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WINSvr64.dll	742e052ce45c55b33217e988450b1fd0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WINSvr64.exe	742e052ce45c55b33217e988450b1fd0.exe
File opened for modification	C:\Windows\WINSvr64.exe	742e052ce45c55b33217e988450b1fd0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1736	742e052ce45c55b33217e988450b1fd0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1736	742e052ce45c55b33217e988450b1fd0.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1376	1736	742e052ce45c55b33217e988450b1fd0.exe	6
PID 1736 wrote to memory of 1376	1736	742e052ce45c55b33217e988450b1fd0.exe	6

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\742e052ce45c55b33217e988450b1fd0.exe
  "C:\Users\Admin\AppData\Local\Temp\742e052ce45c55b33217e988450b1fd0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\WINSvr64.dll

Filesize
27KB

MD5
ea79788375ea2f550abf7864fef6b573

SHA1
56ba6a4ea7eb5b6e5ae1574423231d63230e21df

SHA256
6a36aafff421081a0125a90e60d41bb7f73a6624ee0137f07822a04d6bf1f23b

SHA512
da2f576e69d20870e658602f3b3da1eb0df8429328e803e6abaca8aa6a5510d25289891655ef75fbc8115941c5215bd1173057dbab768115ee703911d670e397

Download Submit
memory/1376-2-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1736-15-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1736-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1736-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download