9839317c705932646b8c8880414ae2b25ff435969adbeb82e43da7f955a107c7 | Triage

Analysis

max time kernel
153s
max time network
163s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 11:34 UTC

Sharing

Report Analysis Logs

General

Target

86cadce9f014af74bcfd5d057d74a696.exe
Size

986KB
MD5

86cadce9f014af74bcfd5d057d74a696
SHA1

87716927c2b7b1f7619e550d8a284b5405e09cf0
SHA256

9839317c705932646b8c8880414ae2b25ff435969adbeb82e43da7f955a107c7
SHA512

89474f81bd0cfebf956939af679ac0dec53b68f6ce33dd408e8d9e643d2bea0a312eddb8ba948e994607e04245d84a15701559884464689bb58bb785c87e2a73
SSDEEP

24576:O3yR8AFPi9D3N9yyKSHYpDDD2u+fdXYl8H:n8Wi9p9yj5SIl8H

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	6692094.exe

Loads dropped DLL 4 IoCs

pid	Process
3056	cmd.exe
3056	cmd.exe
2880	6692094.exe
2880	6692094.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\86cadce9f014af74bcfd5d057d74a696 = "\"C:\\Users\\Admin\\AppData\\Local\\6692094.exe\" 0 28 "	86cadce9f014af74bcfd5d057d74a696.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\6692094 = "\"C:\\Users\\Admin\\AppData\\Local\\6692094.exe\" 0 45 "	6692094.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
2888	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	6692094.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe
2880	6692094.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3056	2912	86cadce9f014af74bcfd5d057d74a696.exe	28
PID 2912 wrote to memory of 3056	2912	86cadce9f014af74bcfd5d057d74a696.exe	28
PID 2912 wrote to memory of 3056	2912	86cadce9f014af74bcfd5d057d74a696.exe	28
PID 2912 wrote to memory of 3056	2912	86cadce9f014af74bcfd5d057d74a696.exe	28
PID 3056 wrote to memory of 2888	3056	cmd.exe	30
PID 3056 wrote to memory of 2888	3056	cmd.exe	30
PID 3056 wrote to memory of 2888	3056	cmd.exe	30
PID 3056 wrote to memory of 2888	3056	cmd.exe	30
PID 3056 wrote to memory of 2880	3056	cmd.exe	31
PID 3056 wrote to memory of 2880	3056	cmd.exe	31
PID 3056 wrote to memory of 2880	3056	cmd.exe	31
PID 3056 wrote to memory of 2880	3056	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\86cadce9f014af74bcfd5d057d74a696.exe
"C:\Users\Admin\AppData\Local\Temp\86cadce9f014af74bcfd5d057d74a696.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\05299300.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v 86cadce9f014af74bcfd5d057d74a696 /f
    3⤵
    - Modifies registry key
    PID:2888
- - C:\Users\Admin\AppData\Local\6692094.exe
    C:\Users\Admin\AppData\Local\6692094.exe -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2880

Network

No results found

77.78.247.61:80

6692094.exe

152 B
3
77.78.247.61:80

6692094.exe

152 B
3
77.78.247.61:80

6692094.exe

152 B
3
77.78.247.61:80

6692094.exe

152 B
3
77.78.247.61:80

6692094.exe

152 B
3

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6692094.exe

Filesize
694KB

MD5
5e1f3606ff56dec9ed33e0746e1b0e25

SHA1
a094c1d1da8f379bbdb4c42a97e6b34a418bac40

SHA256
90488c70c6c190166ae02642e4f385b657ffd4fd1e4af2f8e5120fb193959b31

SHA512
cf55c5fa09730ce3a26e3863cabd02e690d7ad1997f8ce706dfa2ef2927115dfd7e5dcf7299e9fdc1055dc46ec64e53969bb6067dd156d8cf402602b5cde5bc9

Download Submit
C:\Users\Admin\AppData\Local\6692094.exe

Filesize
725KB

MD5
ef7a4fced851757beca3deba7a006466

SHA1
c8b9ae6538bca57d337b475d0e7f6080ec3611d9

SHA256
4a8b582957db41d65ced9ae0171a5eb326317076f09eabdc88fdaadb54f6e31b

SHA512
7af87eb7c699bd076d530a0d290d0c7eab5e6a8bc892a647fe86dfb92ae7b672e96e6a29be3ff0c82ebc2d27c1b28e18d1b4b698d13e0f837fbd794450938422

Download Submit
C:\Users\Admin\AppData\Local\Temp\05299300.bat

Filesize
425B

MD5
c1e8c90618dc66a346f9bb328f0132b2

SHA1
e3a383803a6601468e32651c1f2fbdb6f97b0111

SHA256
878a6a6889e31450b175f1cc4512823925ca76780f32109d5b1333d015aab418

SHA512
734301c85b6729c817a7818e8d49d3f5d6d55ab6e2ac54b7b8ebc72079e6dcf0a265b1bb8dfb187aa2113328b25770972dd3febe5e98ae9bc98591e2bde7bd6d

Download Submit
\Users\Admin\AppData\Local\6692094.exe

Filesize
819KB

MD5
236c3228c6299d79f0ef500c6faf1570

SHA1
3386a096a592e03046307e373c332025025e17b9

SHA256
417170969090351c3048fe374ba4cf282a523c966041c730fe5db14dd5f43d12

SHA512
1da63bd44eb89309e4db84236dce7644855dccc4dd53d7a27ae70799e136ae08f7b60870141970af872e59630e4fd8a50f9e3515107756696e60fe310d787e97

Download Submit
\Users\Admin\AppData\Local\6692094.exe

Filesize
986KB

MD5
86cadce9f014af74bcfd5d057d74a696

SHA1
87716927c2b7b1f7619e550d8a284b5405e09cf0

SHA256
9839317c705932646b8c8880414ae2b25ff435969adbeb82e43da7f955a107c7

SHA512
89474f81bd0cfebf956939af679ac0dec53b68f6ce33dd408e8d9e643d2bea0a312eddb8ba948e994607e04245d84a15701559884464689bb58bb785c87e2a73

Download Submit
memory/2880-24-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2880-30-0x0000000000550000-0x0000000000750000-memory.dmp

Filesize
2.0MB

Download
memory/2880-45-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-44-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-39-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-21-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-22-0x0000000000550000-0x0000000000750000-memory.dmp

Filesize
2.0MB

Download
memory/2880-38-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-27-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-29-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-28-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-37-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-31-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2880-32-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2880-33-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-34-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2880-35-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2912-14-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2912-1-0x0000000001000000-0x000000000143AFF3-memory.dmp

Filesize
4.2MB

Download
memory/2912-2-0x0000000000530000-0x0000000000730000-memory.dmp

Filesize
2.0MB

Download
memory/2912-3-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2912-4-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download