acf797b15ce985351a3f652739faf7515478f2eee824e02c8b78fedc34a756dc

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 05:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7676721620b07f6f5771109103e30b75.exe
Size

436KB
MD5

7676721620b07f6f5771109103e30b75
SHA1

ee20ab95de265f092a6f0c8c97b1b653a2583796
SHA256

acf797b15ce985351a3f652739faf7515478f2eee824e02c8b78fedc34a756dc
SHA512

c9d4731395dccfc7535bdec78ffa7e1fc4b74a393a3ee4403981a2df7d08c478e742e1ddb464aee7cb6603b42801b6671a1e7656c9f516c7c52575fbd7ccadb0
SSDEEP

6144:npUqMbsFS9IpMgsuk15EOCtrabCntJtetmerRZWp1TS5QybF/Q2I:7nFyIeuk7ETtWentgme6pG5/

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2128	farErWOHlXkPpQP.exe

Loads dropped DLL 2 IoCs

pid	Process
1648	7676721620b07f6f5771109103e30b75.exe
1648	7676721620b07f6f5771109103e30b75.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\farErWOHlXkPpQP = "C:\\ProgramData\\farErWOHlXkPpQP.exe"	7676721620b07f6f5771109103e30b75.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7676721620b07f6f5771109103e30b75.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	7676721620b07f6f5771109103e30b75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	farErWOHlXkPpQP.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	farErWOHlXkPpQP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Download	7676721620b07f6f5771109103e30b75.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	7676721620b07f6f5771109103e30b75.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	7676721620b07f6f5771109103e30b75.exe
2128	farErWOHlXkPpQP.exe
1648	7676721620b07f6f5771109103e30b75.exe
2128	farErWOHlXkPpQP.exe
1648	7676721620b07f6f5771109103e30b75.exe
2128	farErWOHlXkPpQP.exe
1648	7676721620b07f6f5771109103e30b75.exe
2128	farErWOHlXkPpQP.exe
1648	7676721620b07f6f5771109103e30b75.exe
2128	farErWOHlXkPpQP.exe
1648	7676721620b07f6f5771109103e30b75.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe
2128	farErWOHlXkPpQP.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1648	7676721620b07f6f5771109103e30b75.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2128	1648	7676721620b07f6f5771109103e30b75.exe	28
PID 1648 wrote to memory of 2128	1648	7676721620b07f6f5771109103e30b75.exe	28
PID 1648 wrote to memory of 2128	1648	7676721620b07f6f5771109103e30b75.exe	28
PID 1648 wrote to memory of 2128	1648	7676721620b07f6f5771109103e30b75.exe	28

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	7676721620b07f6f5771109103e30b75.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	7676721620b07f6f5771109103e30b75.exe

C:\Users\Admin\AppData\Local\Temp\7676721620b07f6f5771109103e30b75.exe
"C:\Users\Admin\AppData\Local\Temp\7676721620b07f6f5771109103e30b75.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1648
- C:\ProgramData\farErWOHlXkPpQP.exe
  "C:\ProgramData\farErWOHlXkPpQP.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\farErWOHlXkPpQP.exe

Filesize
151KB

MD5
43ab58132b04321480cbeb065919f324

SHA1
5be0d5c2a4594f32493ba67b27f0245492f75b28

SHA256
9965cb7150cc231cc1319cdc5858fc6019be84ef1df8734b55042336e4bab2fc

SHA512
d1725ffa02348cd58695d3a9be87c516875fc9a2f9263969241ed0d6db80a06933f8754217563303be608d791a56f0cf8bdd1ace4f1103ef3a783e5f5501b944

Download Submit
C:\ProgramData\farErWOHlXkPpQP.exe

Filesize
149KB

MD5
b034815483fa95367ae9c88c574e7d1d

SHA1
d2342c80559a79b7c36f4fc2042ff95f92f79eb5

SHA256
d2c318e437bb7da3d1081f53079c17dce783eadd96960b94a65e14a5d9f51507

SHA512
40815047d72ccaf1037daadb825090bf348dc82a1ab22ad17ebeda502e22d9107ebdea92be2d3af705e0b331c3e4017caaa9eacc5cf7b65bf4acaef2f6c060e4

Download Submit
\ProgramData\farErWOHlXkPpQP.exe

Filesize
155KB

MD5
09110ccf191d12bbcc3d206acc5a5dc6

SHA1
e6488f2b01ba8993779335a1a35c496818691e8c

SHA256
9773f4696dc7855f3315b6fb7cb983ac669b004f2071b43a5254369c17a20a44

SHA512
9b292fd9f4fd0fca211872fa332ed0b0798569309b65ec1f2fe062b973718b7b2843263c3fe6867b7203d7643620c733a7e50d1fdb50f91f5efd385fa7716062

Download Submit
\ProgramData\farErWOHlXkPpQP.exe

Filesize
97KB

MD5
e841047bdbb89fff917c8e3adf46e65e

SHA1
81792d05e00762343538a3f39a5c9ba4b2488c04

SHA256
5625c4a7b3ca2dfb9f931e798f5356244882f9ca494968eabf605b37f7912d90

SHA512
f310761191183e628b7d73c9acbc628885e83259b44d2260a4e51ecc7cbaa7f53f2d39a8c84dcc10a7b58d1e0d1d1ec28beb3887e821d97788066f8634694c83

Download Submit
memory/1648-0-0x0000000000600000-0x000000000067E000-memory.dmp

Filesize
504KB

Download
memory/1648-1-0x0000000000420000-0x000000000047A000-memory.dmp

Filesize
360KB

Download
memory/1648-3-0x0000000000600000-0x000000000067E000-memory.dmp

Filesize
504KB

Download
memory/1648-16-0x0000000000420000-0x000000000047A000-memory.dmp

Filesize
360KB

Download
memory/2128-13-0x0000000001C90000-0x0000000001CEA000-memory.dmp

Filesize
360KB

Download
memory/2128-17-0x0000000001C90000-0x0000000001CEA000-memory.dmp

Filesize
360KB

Download