Analysis
  max time kernel: 142s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 05/02/2024, 16:05
Behavioral task behavioral1
  Sample: 926c7852a627e66288bdeec0f2844994.exe
  Resource: win7-20231215-en
Behavioral task behavioral2
  Sample: 926c7852a627e66288bdeec0f2844994.exe
  Resource: win10v2004-20231222-en
General
  Target: 926c7852a627e66288bdeec0f2844994.exe
  Size: 420KB
  MD5: 926c7852a627e66288bdeec0f2844994
  SHA1: ebf419139f84580f75c1855e47f4006dd845823e
  SHA256: 2e23d557ca1abae7de953d6dcde430e629c206698f3fa0618abb2f9cd8066dbc
  SHA512: ea02eef55549c8cfba93bb16c4203aa838dfe3f8410ebca73a635eab4ade09c9632b5d605f4f9cbff166df48393392e67a90314b3009243595cb5eb87b8e6194
  SSDEEP: 6144:P4u/+HW5XX7OpslFlqnhdBCkWYxuukP1pjSKSNVkq/MVJbD:wSUW5XX7wsloTBd47GLRMTbD
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: server.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" (process: server.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\install\\server.exe" (process: server.exe)
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{608PF74F-O1LX-0N1N-J47L-NVGHHRYJFY4J} (process: server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{608PF74F-O1LX-0N1N-J47L-NVGHHRYJFY4J}\StubPath = "C:\\Windows\\install\\server.exe Restart" (process: server.exe)
Executes dropped EXE (2 IoCs)
  PID 2828: stub.exe
  PID 2284: server.exe
Loads dropped DLL (4 IoCs)
  PID 2140: 926c7852a627e66288bdeec0f2844994.exe (4 entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\install\\server.exe" (process: server.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\install\\server.exe" (process: server.exe)
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\install\server.exe (process: server.exe)
  File opened for modification: C:\Windows\install\server.exe (process: server.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow (1 IoCs)
  PID 2284: server.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2140: 926c7852a627e66288bdeec0f2844994.exe
  PID 2828: stub.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2140 (926c7852a627e66288bdeec0f2844994.exe) wrote to memory of PID 2828 (stub.exe), procid_target 28: 4 entries
  PID 2140 (926c7852a627e66288bdeec0f2844994.exe) wrote to memory of PID 2284 (server.exe), procid_target 29: 4 entries
  PID 2284 (server.exe) wrote to memory of PID 1200 (Explorer.EXE), procid_target 21: 56 entries
Processes
  [1] C:\Windows\Explorer.EXE (PID 1200)
      command line: C:\Windows\Explorer.EXE
    [2] C:\Users\Admin\AppData\Local\Temp\926c7852a627e66288bdeec0f2844994.exe (PID 2140)
        command line: "C:\Users\Admin\AppData\Local\Temp\926c7852a627e66288bdeec0f2844994.exe"
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Local\Temp\stub.exe (PID 2828)
          command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe" 0
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [3] C:\Users\Admin\AppData\Local\Temp\server.exe (PID 2284)
          command line: "C:\Users\Admin\AppData\Local\Temp\server.exe" 0
          - Adds policy Run key to start application
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\explorer.exe (PID 588)
            command line: explorer.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 296KB
  MD5: 73420b862037b8d694a11a44fbd2f749
  SHA1: 35dabe230d746acc2c3a44e0083d3fbad57ada43
  SHA256: e3e6567036bf1a801e503aa940396973c5df7a3e74b965639001b6e1dac24022
  SHA512: 85caa50180c4bb6ec57767f1fa73108065d39c978e4d9745d9ab2466668b35631a950a50b8c162ad1073706dfbcceeb66dd3fcb15b9fcbca3da99c2f9cc6dc3a

  Filesize: 112KB
  MD5: a73f36b8d1e46d3e7e04391b8c4f41b5
  SHA1: 94eaa799819eba8ff3d0acf49995daf36bb5bb59
  SHA256: a7608ca53777d47e2a77971c62e0d71ab0bf6c1b4abbbd28843601e74c088075
  SHA512: 32571f1d50e9f72148e55a971c3164533da275beb84591fa04802f74611083306a4fd576e2eb8a0172c933d9cafe4031fbbf31bf565f9d78b9cfd11f10aee85f