3a82f074f584d169d59df209e62c0a5e5e7432f52f9d209784fe160c104a552d

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 03:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aad4cbcbe14f9fa3af2a2236af76360a.exe
Size

23KB
MD5

aad4cbcbe14f9fa3af2a2236af76360a
SHA1

3abda8339b171e3fc7a1d287846b9ce8281063d8
SHA256

3a82f074f584d169d59df209e62c0a5e5e7432f52f9d209784fe160c104a552d
SHA512

27249eb1e93e96cf1b407e3a12aaa5586efc9de605f89eebbeb191fac635802c1c6ef2922bc28f3c822d708cbf4d77a98f9055fe2a261e093085fec8e007b568
SSDEEP

384:euAxTcEggKljVPFrIA++B135RizUBYkkjuv1hkNLdbaLa4CwUJuUCSFCJWe8EDEh:B8VokA++/3iIBxkjuv7wbaLa4PU48IM

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safebank.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safebank.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorMain.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPPMain.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rising.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esafe.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravstub.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qqkav.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinDbg.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qqdoctor.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kaccore.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger = "ntsd -d"	aad4cbcbe14f9fa3af2a2236af76360a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe
332	aad4cbcbe14f9fa3af2a2236af76360a.exe

C:\Users\Admin\AppData\Local\Temp\aad4cbcbe14f9fa3af2a2236af76360a.exe
"C:\Users\Admin\AppData\Local\Temp\aad4cbcbe14f9fa3af2a2236af76360a.exe"
1⤵
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads