87d19e3bff436f6d204095917f7a2b1dd58d093d637b8cc0a6aa38b761832241

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ae7bb9d6119c991386fa9ed8149c33e.exe
Size

54KB
MD5

8ae7bb9d6119c991386fa9ed8149c33e
SHA1

2647ea011d14a51443c4e83c85e64124ab166d31
SHA256

87d19e3bff436f6d204095917f7a2b1dd58d093d637b8cc0a6aa38b761832241
SHA512

5239f922e773828896c6bfb98ec0cf1bc9688eadb3e858fa27cb71ed2f691d5e0ada63b8b14ab65139046d887d168f540e8062ff9fdea562cb0db980fc656a21
SSDEEP

1536:ts+Zgajv3kHK35Y0RKsZ1Ls3JcBHHx/KboFwbQp8X:tFC4kq35Yds/Ls3JcBnAFby8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System Configuration = "C:\\Windows\\SYSCFG16.EXE"	8ae7bb9d6119c991386fa9ed8149c33e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SYSCFG16.EXE	8ae7bb9d6119c991386fa9ed8149c33e.exe
File opened for modification	C:\Windows\SYSCFG16.EXE	8ae7bb9d6119c991386fa9ed8149c33e.exe
File created	C:\Windows\temp.bat	8ae7bb9d6119c991386fa9ed8149c33e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2724	2920	8ae7bb9d6119c991386fa9ed8149c33e.exe	28
PID 2920 wrote to memory of 2724	2920	8ae7bb9d6119c991386fa9ed8149c33e.exe	28
PID 2920 wrote to memory of 2724	2920	8ae7bb9d6119c991386fa9ed8149c33e.exe	28
PID 2920 wrote to memory of 2724	2920	8ae7bb9d6119c991386fa9ed8149c33e.exe	28
PID 2724 wrote to memory of 2728	2724	cmd.exe	30
PID 2724 wrote to memory of 2728	2724	cmd.exe	30
PID 2724 wrote to memory of 2728	2724	cmd.exe	30
PID 2724 wrote to memory of 2728	2724	cmd.exe	30
PID 2728 wrote to memory of 2824	2728	net.exe	31
PID 2728 wrote to memory of 2824	2728	net.exe	31
PID 2728 wrote to memory of 2824	2728	net.exe	31
PID 2728 wrote to memory of 2824	2728	net.exe	31
PID 2724 wrote to memory of 2620	2724	cmd.exe	32
PID 2724 wrote to memory of 2620	2724	cmd.exe	32
PID 2724 wrote to memory of 2620	2724	cmd.exe	32
PID 2724 wrote to memory of 2620	2724	cmd.exe	32
PID 2620 wrote to memory of 2564	2620	net.exe	33
PID 2620 wrote to memory of 2564	2620	net.exe	33
PID 2620 wrote to memory of 2564	2620	net.exe	33
PID 2620 wrote to memory of 2564	2620	net.exe	33

C:\Users\Admin\AppData\Local\Temp\8ae7bb9d6119c991386fa9ed8149c33e.exe
"C:\Users\Admin\AppData\Local\Temp\8ae7bb9d6119c991386fa9ed8149c33e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\temp.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\net.exe
    net user /add System hakt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user /add System hakt
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\net.exe
    net localgroup /add Administrators System
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup /add Administrators System
      4⤵
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp.bat

Filesize
89B

MD5
dccbf9e7aa8e5e8a7d44c634aa4b3e8a

SHA1
a2e14c86d1a890f37afe11e0ef02f3b5f05cf3c3

SHA256
554c21f981ac2139afa84e5af335c54fce3e0b05db145abef9eb7b2c23612398

SHA512
8581f237ce5a9df85ebee9f23fe56f6f27d37c6ea66e9c40cd73b6b85487b6e915f83e5a2740eabed7cd2133c6dca46bd062c5429e2223904ffd9aaff09c8e28

Download Submit
memory/2920-0-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/2920-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2920-2-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2920-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2920-19-0x0000000074600000-0x0000000074604000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads