Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/02/2024, 01:44
Behavioral task behavioral1
- Sample: ad608ab178c9a8c65cab94afee5c0d4b.exe
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: ad608ab178c9a8c65cab94afee5c0d4b.exe
- Resource: win10v2004-20240226-en
General
- Target: ad608ab178c9a8c65cab94afee5c0d4b.exe
- Size: 216KB
- MD5: ad608ab178c9a8c65cab94afee5c0d4b
- SHA1: 7d7fc641574f82c6cd83a1fa52fcffe29169889b
- SHA256: c1b321e20412cb39fecc341752b686333c4afc0847d4506da546a1e8435d48df
- SHA512: 652dbfeebbd3f497981847c4bce3cf078cf218fe340874a63858804830d13be8691f90227293d42c79a1fd172dc3dd3ee2031649fd4d7d05b6c5b7f2293ecfd6
- SSDEEP: 6144:qb9iXkv6DOSCyJFDVhtc9HZlXqBLLXP1MxH:qb9EkKFFXtIHCje
Malware Config
Signatures
YARA rule matches on dropped files (rule aspack_v212_v242 identifies the ASPack 2.12-2.42 packer)
- behavioral1/files/0x00340000000149e1-11.dat: aspack_v212_v242
- behavioral1/files/0x00070000000153c7-18.dat: aspack_v212_v242
Loads dropped DLL (1 IoC)
- PID 2124: Regsvr32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FDWWZF.EXE = "C:\\Users\\svchost.exe" (process: ad608ab178c9a8c65cab94afee5c0d4b.exe)
  The value name reuses the dropped filename FDWWZF.EXE, while the data points at C:\Users\svchost.exe, a path directly under the Users directory that borrows the name of the legitimate C:\Windows\System32\svchost.exe. The report records no file-creation event for C:\Users\svchost.exe, so whether that path exists at next logon is not shown here.
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by ad608ab178c9a8c65cab94afee5c0d4b.exe on each of the following 17 drive roots: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\FDWWZF.EXE (process: ad608ab178c9a8c65cab94afee5c0d4b.exe)
- File created: C:\Windows\SysWOW64\Ms7002.dll (process: ad608ab178c9a8c65cab94afee5c0d4b.exe)
Modifies registry class (25 IoCs)
Changes made by ad608ab178c9a8c65cab94afee5c0d4b.exe (PID 2620):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\FDWWZF.EXE"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\FDWWZF.EXE \"%1\""
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Users\\FDWWZF.EXE \"%1\""
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\PerfLogs\\UAUW.EXE %1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\FDWWZF.EXE %1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command
Changes made by Regsvr32.exe (PID 2124):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}"
What these changes do: the default shell\open\command for .reg, .scr, .txt and .ini files now launches C:\Users\FDWWZF.EXE or C:\PerfLogs\UAUW.EXE with the opened file as %1, so the payload re-runs whenever a user opens one of those file types (the stock handlers live under %SystemRoot%, e.g. regedit.exe for regfile and notepad.exe for txtfile and inifile). For chm.file only the key skeleton is created; no command value is set in this report. Neither C:\Users\FDWWZF.EXE nor C:\PerfLogs\UAUW.EXE has a file-creation event in this report; the only copies written are under C:\Windows\SysWOW64. The Regsvr32.exe child registers the dropped Ms7002.dll as an in-process COM server under CLSID {7CD4138D-4147-420B-9749-00A13B526785} with ProgID Ms7002.ShellExecuteHook, in the Wow6432Node (32-bit) view of the registry. The ProgID and the "MaiHook7002" description point to an Explorer shell-execute hook, but the report shows no event adding this CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, so activation of the hook is not evidenced here.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2620: ad608ab178c9a8c65cab94afee5c0d4b.exe (2 events)
Suspicious use of WriteProcessMemory (7 IoCs)
- PID 2620 (ad608ab178c9a8c65cab94afee5c0d4b.exe) wrote to memory of PID 2124 (Regsvr32.exe); 7 events, procid_target 28 in each
  Parent-to-child writes of this kind also accompany ordinary child-process creation, so on their own they do not establish code injection; the target here is the Regsvr32.exe child that the sample spawns to load the dropped DLL.
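The four persistence and hijack patterns in the Signatures above (Run key, shell\open\command handler replacement, a COM InprocServer32 pointing at a file dropped in the same run, and a ShellExecuteHook ProgID) can be checked mechanically. The following is an added example, not tooling from the sandbox vendor or code from the sample: a Python script that parses event lines in the report's own syntax and emits a finding per pattern. The event text is a constructed excerpt copied from the report; the trusted-prefix list for legitimate file handlers is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass

# Added example. REPORT_EVENTS is a constructed excerpt copied line for line
# from the report's Signatures section, in the report's own event syntax.
REPORT_EVENTS = r"""
File created C:\Windows\SysWOW64\FDWWZF.EXE ad608ab178c9a8c65cab94afee5c0d4b.exe
File created C:\Windows\SysWOW64\Ms7002.dll ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FDWWZF.EXE = "C:\\Users\\svchost.exe" ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\FDWWZF.EXE \"%1\"" ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Users\\FDWWZF.EXE \"%1\"" ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\PerfLogs\\UAUW.EXE %1" ad608ab178c9a8c65cab94afee5c0d4b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\FDWWZF.EXE %1" ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command ad608ab178c9a8c65cab94afee5c0d4b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" Regsvr32.exe
"""

SET_VALUE_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created (\S+) (\S+)$')
FILE_CREATED_RE = re.compile(r'^File created (\S+) (\S+)$')

# Assumption for this example: where a stock file-type handler is expected to live.
# Legitimate handlers can also sit under per-user install dirs; tune per environment.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\", "%systemroot%\\")


@dataclass(frozen=True)
class Event:
    kind: str      # "set", "key" or "file"
    path: str      # registry key (value name included) or file path
    data: str      # value data for "set", empty otherwise
    process: str


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    data: str
    process: str


def unescape(data: str) -> str:
    # The report escapes backslashes and quotes inside value data: C:\\Users\\x.exe, \"%1\"
    return re.sub(r'\\(.)', r'\1', data)


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := SET_VALUE_RE.match(line):
            events.append(Event("set", m.group(1), unescape(m.group(2)), m.group(3)))
        elif m := KEY_CREATED_RE.match(line):
            events.append(Event("key", m.group(1), "", m.group(2)))
        elif m := FILE_CREATED_RE.match(line):
            events.append(Event("file", m.group(1), "", m.group(2)))
    return events


def first_exe(command: str) -> str:
    """Executable token of a shell\\open\\command string; "" when it is only a %1 placeholder."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        token = command[1:end] if end > 0 else command[1:]
    else:
        token = command.split(" ", 1)[0]
    return "" if token.startswith("%1") else token


def analyze(text: str) -> list[Finding]:
    events = parse_events(text)
    # Files written during the run, so a COM server path can be correlated with a drop.
    dropped = {e.path.lower() for e in events if e.kind == "file"}
    findings = []
    for e in events:
        if e.kind != "set":
            continue
        key = e.path.lower()
        if "\\currentversion\\run\\" in key:
            findings.append(Finding("run_key_persistence", e.path, e.data, e.process))
        elif key.endswith("\\shell\\open\\command\\"):
            exe = first_exe(e.data).lower()
            if exe and not exe.startswith(TRUSTED_PREFIXES):
                findings.append(Finding("file_handler_hijack", e.path, e.data, e.process))
        elif key.endswith("\\inprocserver32\\"):
            if e.data.lower() in dropped:
                findings.append(Finding("com_server_is_dropped_file", e.path, e.data, e.process))
        elif key.endswith("\\progid\\") and "shellexecutehook" in e.data.lower():
            findings.append(Finding("shellexecutehook_progid", e.path, e.data, e.process))
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT_EVENTS):
        print(f"{f.rule:28} {f.process:40} {f.path} -> {f.data}")
```

Run against the excerpt, `analyze` returns seven findings: one Run-key entry, four hijacked handlers (regfile, scrfile, txtfile, inifile), the InprocServer32 pointing at the dropped Ms7002.dll, and the ShellExecuteHook ProgID. The "Key created" lines produce nothing on their own, which matches the report: the chm.file skeleton has no command value yet. The same four checks apply unchanged to values read from a live host's HKLM\SOFTWARE\Classes, with the correlation source swapped from "File created" events to a list of recently written files.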
Processes
- C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe (PID 2620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad608ab178c9a8c65cab94afee5c0d4b.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\Regsvr32.exe (PID 2124)
    Command line: Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
    - Loads dropped DLL
    - Modifies registry class
    The command line names C:\Windows\system32\Ms7002.dll although the file was created in C:\Windows\SysWOW64. The sample is a 32-bit process (resource tag arch:x86, and its HKLM\SOFTWARE writes land under Wow6432Node), so WOW64 file-system redirection maps its system32 references to SysWOW64 and the 32-bit Regsvr32.exe it spawns loads the dropped DLL from there. The /s switch suppresses the Regsvr32 result dialog.
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 217KB
  MD5: b034b7e210d854c426fef9630b142738
  SHA1: 58334b34fc07d8c7367d353e7a5d0657d8fee57d
  SHA256: 8994327d4bea6e722ded97bccfe96ba552de6988f1ea18b2762eea046c9f8ac7
  SHA512: 20e29c821a32261fa842f79481a84c16b43d7b08479ad8d4ca8fce8d9269cbb812633191357e760b1c06c989709210a550dce32bc64df8e4840b1c590eba17e4
- File 2
  Filesize: 52KB
  MD5: 876a2a99b81968f5b26e3cbe12063d2b
  SHA1: 7afa8f33b691b2651b65eb07220cc2fda4b7537c
  SHA256: f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
  SHA512: ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1