9b275b16dba4f8714d8618da965daec8af9c1e3be6ebc2d0285b079471cf2550

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c603ad1f3386aefa20c302b18e8af6f.exe
Size

60KB
MD5

7c603ad1f3386aefa20c302b18e8af6f
SHA1

3b515541d91f763a34ce548943011a6dddb7c91d
SHA256

9b275b16dba4f8714d8618da965daec8af9c1e3be6ebc2d0285b079471cf2550
SHA512

39bd36d92473057f45f212fe6a94906ba5391e0e6a820d8dd10099590783a04f3215e2928edc1bacb3dbd06e5f47f5f12adb23fc68441992925c717ea1e81290
SSDEEP

768:/ZFSQpwJn0afaJgY9rl4ujLDtY/uVLq+BpfldFNR1IAY:/ZFqY9rl4ujLD+/uVq6lDIAY

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Program Files\\Microsoft IExplorer\\D_Microsoft IExplorer\\7c603ad1f3386aefa20c302b18e8af6f.exe"	Reg.exe

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2856	7c603ad1f3386aefa20c302b18e8af6f.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	cmd.exe
2764	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft IExplorer\S_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft IExplorer\S_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\ = "Internet Explorer"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\Shell\????(&H)\Command\ = "c:\\program files\\internet explorer\\iexplore.exe www.9688.la/?1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\ShellFolder	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\Shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\Shell\????(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\Shell\????(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\Shell\????(&H)\ = "????(&H)"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\ShellFolder\Attributes = "89"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\DefaultIcon\ = "c:\\program files\\internet explorer\\iexplore.exe"	reg.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2864	PING.EXE
2940	PING.EXE
2648	PING.EXE
2672	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1300	7c603ad1f3386aefa20c302b18e8af6f.exe
2856	7c603ad1f3386aefa20c302b18e8af6f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	7c603ad1f3386aefa20c302b18e8af6f.exe
Token: SeDebugPrivilege	2856	7c603ad1f3386aefa20c302b18e8af6f.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2856	7c603ad1f3386aefa20c302b18e8af6f.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2856	7c603ad1f3386aefa20c302b18e8af6f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1300	7c603ad1f3386aefa20c302b18e8af6f.exe
2856	7c603ad1f3386aefa20c302b18e8af6f.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2764	1300	7c603ad1f3386aefa20c302b18e8af6f.exe	28
PID 1300 wrote to memory of 2764	1300	7c603ad1f3386aefa20c302b18e8af6f.exe	28
PID 1300 wrote to memory of 2764	1300	7c603ad1f3386aefa20c302b18e8af6f.exe	28
PID 1300 wrote to memory of 2764	1300	7c603ad1f3386aefa20c302b18e8af6f.exe	28
PID 2764 wrote to memory of 2864	2764	cmd.exe	30
PID 2764 wrote to memory of 2864	2764	cmd.exe	30
PID 2764 wrote to memory of 2864	2764	cmd.exe	30
PID 2764 wrote to memory of 2864	2764	cmd.exe	30
PID 2764 wrote to memory of 2856	2764	cmd.exe	31
PID 2764 wrote to memory of 2856	2764	cmd.exe	31
PID 2764 wrote to memory of 2856	2764	cmd.exe	31
PID 2764 wrote to memory of 2856	2764	cmd.exe	31
PID 2764 wrote to memory of 2940	2764	cmd.exe	32
PID 2764 wrote to memory of 2940	2764	cmd.exe	32
PID 2764 wrote to memory of 2940	2764	cmd.exe	32
PID 2764 wrote to memory of 2940	2764	cmd.exe	32
PID 2856 wrote to memory of 2916	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	33
PID 2856 wrote to memory of 2916	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	33
PID 2856 wrote to memory of 2916	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	33
PID 2856 wrote to memory of 2916	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	33
PID 2856 wrote to memory of 2584	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	35
PID 2856 wrote to memory of 2584	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	35
PID 2856 wrote to memory of 2584	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	35
PID 2856 wrote to memory of 2584	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	35
PID 2856 wrote to memory of 2584	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	35
PID 2856 wrote to memory of 2584	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	35
PID 2856 wrote to memory of 2584	2856	7c603ad1f3386aefa20c302b18e8af6f.exe	35
PID 2584 wrote to memory of 2648	2584	cmd.exe	37
PID 2584 wrote to memory of 2648	2584	cmd.exe	37
PID 2584 wrote to memory of 2648	2584	cmd.exe	37
PID 2584 wrote to memory of 2648	2584	cmd.exe	37
PID 2584 wrote to memory of 2144	2584	cmd.exe	39
PID 2584 wrote to memory of 2144	2584	cmd.exe	39
PID 2584 wrote to memory of 2144	2584	cmd.exe	39
PID 2584 wrote to memory of 2144	2584	cmd.exe	39
PID 2584 wrote to memory of 1672	2584	cmd.exe	40
PID 2584 wrote to memory of 1672	2584	cmd.exe	40
PID 2584 wrote to memory of 1672	2584	cmd.exe	40
PID 2584 wrote to memory of 1672	2584	cmd.exe	40
PID 2584 wrote to memory of 1608	2584	cmd.exe	41
PID 2584 wrote to memory of 1608	2584	cmd.exe	41
PID 2584 wrote to memory of 1608	2584	cmd.exe	41
PID 2584 wrote to memory of 1608	2584	cmd.exe	41
PID 2584 wrote to memory of 1044	2584	cmd.exe	42
PID 2584 wrote to memory of 1044	2584	cmd.exe	42
PID 2584 wrote to memory of 1044	2584	cmd.exe	42
PID 2584 wrote to memory of 1044	2584	cmd.exe	42
PID 2584 wrote to memory of 1616	2584	cmd.exe	43
PID 2584 wrote to memory of 1616	2584	cmd.exe	43
PID 2584 wrote to memory of 1616	2584	cmd.exe	43
PID 2584 wrote to memory of 1616	2584	cmd.exe	43
PID 2584 wrote to memory of 2560	2584	cmd.exe	44
PID 2584 wrote to memory of 2560	2584	cmd.exe	44
PID 2584 wrote to memory of 2560	2584	cmd.exe	44
PID 2584 wrote to memory of 2560	2584	cmd.exe	44
PID 2584 wrote to memory of 2820	2584	cmd.exe	45
PID 2584 wrote to memory of 2820	2584	cmd.exe	45
PID 2584 wrote to memory of 2820	2584	cmd.exe	45
PID 2584 wrote to memory of 2820	2584	cmd.exe	45
PID 2584 wrote to memory of 2672	2584	cmd.exe	46
PID 2584 wrote to memory of 2672	2584	cmd.exe	46
PID 2584 wrote to memory of 2672	2584	cmd.exe	46
PID 2584 wrote to memory of 2672	2584	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\7c603ad1f3386aefa20c302b18e8af6f.exe
"C:\Users\Admin\AppData\Local\Temp\7c603ad1f3386aefa20c302b18e8af6f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\nResurrection.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\PING.EXE
    ping -a 127.1
    3⤵
    - Runs ping.exe
    PID:2864
- - C:\Program Files\Microsoft IExplorer\S_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe
    "C:\Program Files\Microsoft IExplorer\S_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\Reg.exe
      Reg Add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t "REG_SZ" /d "explorer.exe,C:\Program Files\Microsoft IExplorer\D_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe" /f
      4⤵
      Modifies WinLogon for persistence
      PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\\SetupShortcut.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -a 127.1
        5⤵
        Runs ping.exe
        
        PID:2648
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d "00000001" /f
        5⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}" /ve /d "Internet Explorer" /f
        5⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}" /ve /d "Internet Explorer" /f
        5⤵
        Modifies registry class
        
        PID:1608
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\DefaultIcon" /ve /d "c:\program files\internet explorer\iexplore.exe" /f
        5⤵
        Modifies registry class
        
        PID:1044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\Shell\????(&H)" /ve /d "????(&H)" /f
        5⤵
        Modifies registry class
        
        PID:1616
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\Shell\????(&H)\Command" /ve /d "c:\program files\internet explorer\iexplore.exe www.9688.la/?1" /f
        5⤵
        Modifies registry class
        
        PID:2560
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\CLSID\{A10AFF8B-F60D-4E71-89A0-522EAF8B676E}\ShellFolder" /v "Attributes" /t REG_DWORD /d 00000089 /f
        5⤵
        Modifies registry class
        
        PID:2820
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        5⤵
        Runs ping.exe
        
        PID:2672
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SetupShortcut.bat

Filesize
1KB

MD5
7a24a84b0c610b80359064bb45203725

SHA1
7b3a09217ee42330473ed1d2ab6fb6a0e2f72394

SHA256
3ce21d90aebfa1b56cb1fd89f6ef7f6f7e24ab89a5375e1fd0a42cb74d09975d

SHA512
557e574229c5de21ccd08f2fcece7a329798d699af7f95e636d87cc8e4089f38382c197d71289ff478607f4b84b7f712bb3f901b104681166793a63620af32b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nResurrection.bat

Filesize
391B

MD5
f83ef7dd8b66afa290509623e6647363

SHA1
b76da4cbe6243cd090cb4d67a896da2b031bd89e

SHA256
4763101db3d86033f6bf00f6e91cb6f52c9975d01bd2c7544b02f08c156595ff

SHA512
7bbd451064aea05ade7a73c25fcab231c33c4ebc33ef371686fb92484b0f14fb51c5025453291678857fe8b33474387eb8f8fafda4b14e49781e3ce78eeb63a5

Download Submit
\Program Files\Microsoft IExplorer\S_Microsoft IExplorer\7c603ad1f3386aefa20c302b18e8af6f.exe

Filesize
60KB

MD5
7c603ad1f3386aefa20c302b18e8af6f

SHA1
3b515541d91f763a34ce548943011a6dddb7c91d

SHA256
9b275b16dba4f8714d8618da965daec8af9c1e3be6ebc2d0285b079471cf2550

SHA512
39bd36d92473057f45f212fe6a94906ba5391e0e6a820d8dd10099590783a04f3215e2928edc1bacb3dbd06e5f47f5f12adb23fc68441992925c717ea1e81290

Download Submit
memory/1300-3-0x0000000076FA0000-0x0000000076FA1000-memory.dmp

Filesize
4KB

Download
memory/1300-2-0x0000000076F9F000-0x0000000076FA0000-memory.dmp

Filesize
4KB

Download
memory/2856-33-0x0000000076F9F000-0x0000000076FA0000-memory.dmp

Filesize
4KB

Download
memory/2856-32-0x0000000076FA0000-0x0000000076FA1000-memory.dmp

Filesize
4KB

Download