839df8607556ddaa7e1c678811e19b4f2b52fb00294eb135c9c4587d79f7b386

Analysis

max time kernel
138s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f6d7d02023c33f3396eb96d9602acff.exe
Size

602KB
MD5

7f6d7d02023c33f3396eb96d9602acff
SHA1

a5d4a7afbae81ca76c41f7ea1f7bbf17831f39ba
SHA256

839df8607556ddaa7e1c678811e19b4f2b52fb00294eb135c9c4587d79f7b386
SHA512

64cf110e85e8019bdc46348a5d2f6acb82e294492a9b3a81e608461dc2d43d4fec58a634e51f002e7a8a80894ee87c0a0193d138cf9f11d5092a5d8115ec794a
SSDEEP

12288:m1wIZl1Vz0+41dx1d9Bh2VKpFG2NUtzXWzRsO22XHgWQw:m1HZl1Vz03x1dBTkuXHgk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2912	systen32

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	systen32

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\systen32	7f6d7d02023c33f3396eb96d9602acff.exe
File opened for modification	C:\Windows\systen32	7f6d7d02023c33f3396eb96d9602acff.exe
File created	C:\Windows\uninstal.bat	7f6d7d02023c33f3396eb96d9602acff.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	systen32
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	systen32
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	systen32
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{998A322E-DCB6-4626-A567-E5BC378BF18A}\WpadDecisionTime = f0ad2a689152da01	systen32
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	systen32
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	systen32
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0106000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	systen32
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{998A322E-DCB6-4626-A567-E5BC378BF18A}\WpadDecision = "0"	systen32
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	systen32
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{998A322E-DCB6-4626-A567-E5BC378BF18A}\WpadDecisionTime = d079b29d9152da01	systen32
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	systen32
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	systen32
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	systen32
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{998A322E-DCB6-4626-A567-E5BC378BF18A}\02-b7-ec-7c-f5-7b	systen32
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-b7-ec-7c-f5-7b\WpadDecisionTime = f0ad2a689152da01	systen32
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	systen32
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	systen32
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{998A322E-DCB6-4626-A567-E5BC378BF18A}	systen32
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-b7-ec-7c-f5-7b\WpadDecisionTime = d079b29d9152da01	systen32
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	systen32
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-b7-ec-7c-f5-7b\WpadDecisionReason = "1"	systen32
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-b7-ec-7c-f5-7b\WpadDecision = "0"	systen32
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-b7-ec-7c-f5-7b	systen32
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	systen32
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-b7-ec-7c-f5-7b\WpadDetectedUrl	systen32
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0106000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	systen32
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{998A322E-DCB6-4626-A567-E5BC378BF18A}\WpadDecisionReason = "1"	systen32
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{998A322E-DCB6-4626-A567-E5BC378BF18A}\WpadNetworkName = "Network 3"	systen32

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	7f6d7d02023c33f3396eb96d9602acff.exe
Token: SeDebugPrivilege	2912	systen32

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2912	systen32

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2664	2912	systen32	29
PID 2912 wrote to memory of 2664	2912	systen32	29
PID 2912 wrote to memory of 2664	2912	systen32	29
PID 2912 wrote to memory of 2664	2912	systen32	29
PID 3004 wrote to memory of 2712	3004	7f6d7d02023c33f3396eb96d9602acff.exe	30
PID 3004 wrote to memory of 2712	3004	7f6d7d02023c33f3396eb96d9602acff.exe	30
PID 3004 wrote to memory of 2712	3004	7f6d7d02023c33f3396eb96d9602acff.exe	30
PID 3004 wrote to memory of 2712	3004	7f6d7d02023c33f3396eb96d9602acff.exe	30
PID 3004 wrote to memory of 2712	3004	7f6d7d02023c33f3396eb96d9602acff.exe	30
PID 3004 wrote to memory of 2712	3004	7f6d7d02023c33f3396eb96d9602acff.exe	30
PID 3004 wrote to memory of 2712	3004	7f6d7d02023c33f3396eb96d9602acff.exe	30

C:\Users\Admin\AppData\Local\Temp\7f6d7d02023c33f3396eb96d9602acff.exe
"C:\Users\Admin\AppData\Local\Temp\7f6d7d02023c33f3396eb96d9602acff.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2712

C:\Windows\systen32
C:\Windows\systen32
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Program Files\Internet EXPLORER\IexplOrE.ExE
  "C:\Program Files\Internet EXPLORER\IexplOrE.ExE"
  2⤵
  PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\systen32

Filesize
602KB

MD5
7f6d7d02023c33f3396eb96d9602acff

SHA1
a5d4a7afbae81ca76c41f7ea1f7bbf17831f39ba

SHA256
839df8607556ddaa7e1c678811e19b4f2b52fb00294eb135c9c4587d79f7b386

SHA512
64cf110e85e8019bdc46348a5d2f6acb82e294492a9b3a81e608461dc2d43d4fec58a634e51f002e7a8a80894ee87c0a0193d138cf9f11d5092a5d8115ec794a

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
9b953dd133edde943649a34179363bbe

SHA1
f6b0fe8bacd93fadb332b86a94b5727139ab0d0b

SHA256
1d61f8ca9c805e7b45d35c432ca3123ad76d9e4d6814883833dd054075a7ea6f

SHA512
4b87d40609f769f2111022c41592b9fbeb2d70bb9e179cfbe86e7008f25746fc28207037bc404315ff7e9a3693a77c954a8d705237853238e1a31db6c9f18af9

Download Submit
memory/2912-34-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2912-33-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2912-38-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2912-39-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2912-36-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/2912-35-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/2912-49-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2912-48-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/2912-27-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/2912-32-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/2912-31-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2912-29-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2912-30-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/2912-28-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/3004-13-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/3004-16-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/3004-18-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/3004-19-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/3004-22-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/3004-25-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/3004-24-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3004-23-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3004-14-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/3004-15-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3004-17-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3004-9-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3004-10-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3004-12-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/3004-11-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/3004-3-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/3004-4-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3004-6-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3004-8-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/3004-7-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3004-5-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x0000000000400000-0x000000000056593C-memory.dmp

Filesize
1.4MB

Download
memory/3004-2-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download