a717e7cdf06ad08d77b0e9db114e8c0f3a7b73d68f63cf418ad74835a8e3769a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5fed68b6b6bc0e25d25e8b591d6708b.exe
Size

15KB
MD5

b5fed68b6b6bc0e25d25e8b591d6708b
SHA1

33d8f8cbdffadaa1ed67fb5c8db40925df937ddc
SHA256

a717e7cdf06ad08d77b0e9db114e8c0f3a7b73d68f63cf418ad74835a8e3769a
SHA512

3fb2ce244dc2b4ec111daa0e7a088b5c3ad66fe060711045c08e6a29b57f6423d43c71846655060a0d076cba38fa39377e7c56aeb71fef15cfb8bf6eb53b6415
SSDEEP

384:6hNNij0M+DdEbvZWG+22dwWxWoLDvpiiSoBkfNN5IKD:69iQMjMG+22dwmL/piiS+kn5vD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mkgoatak.dll = "{76D44356-B494-443a-BEDC-AA68DE4255E6}"	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Deletes itself 1 IoCs

pid	Process
2424	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2892	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mkgoatak.tmp	b5fed68b6b6bc0e25d25e8b591d6708b.exe
File opened for modification	C:\Windows\SysWOW64\mkgoatak.nls	b5fed68b6b6bc0e25d25e8b591d6708b.exe
File created	C:\Windows\SysWOW64\mkgoatak.tmp	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}	b5fed68b6b6bc0e25d25e8b591d6708b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32	b5fed68b6b6bc0e25d25e8b591d6708b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ = "C:\\Windows\\SysWow64\\mkgoatak.dll"	b5fed68b6b6bc0e25d25e8b591d6708b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ThreadingModel = "Apartment"	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2892	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2892	b5fed68b6b6bc0e25d25e8b591d6708b.exe
2892	b5fed68b6b6bc0e25d25e8b591d6708b.exe
2892	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2424	2892	b5fed68b6b6bc0e25d25e8b591d6708b.exe	28
PID 2892 wrote to memory of 2424	2892	b5fed68b6b6bc0e25d25e8b591d6708b.exe	28
PID 2892 wrote to memory of 2424	2892	b5fed68b6b6bc0e25d25e8b591d6708b.exe	28
PID 2892 wrote to memory of 2424	2892	b5fed68b6b6bc0e25d25e8b591d6708b.exe	28

C:\Users\Admin\AppData\Local\Temp\b5fed68b6b6bc0e25d25e8b591d6708b.exe
"C:\Users\Admin\AppData\Local\Temp\b5fed68b6b6bc0e25d25e8b591d6708b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\929F.tmp.bat
  2⤵
  - Deletes itself
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\929F.tmp.bat

Filesize
179B

MD5
6e3664e93a01593127c5d37ed2ca8459

SHA1
4c3c261753b8ce82e9e85bd1dd566dc4a99f7a5e

SHA256
ec1a76f92558c26bed6fe9048eba128a5ea8fbe460611c6f7dbe5a766267feb7

SHA512
d4e5777b7414c44928b4dd8ea70ba0faf31f17b77045bdce856f6a6b03a00265051cc88d800bd833b165a6d355d83557a671fda9d8667c972fa0460828141254

Download Submit
C:\Windows\SysWOW64\mkgoatak.nls

Filesize
428B

MD5
bbcbd82e40a379ab28466249d6a81301

SHA1
4a883e5dcd114d5791ce81c3ceae10b2584dc5de

SHA256
323f3491bf34366199ab59d1d0ca81364a6c76993a9332bd653169ab8a60392f

SHA512
0bfade420a480de99a2aeb768eecaa387b6806ad7152e184e366a57f99e8c9a38b8910c64ded2792042c08fa5c9732e249a9f7b9469b22cc9d1203df73f6d196

Download Submit
\Windows\SysWOW64\mkgoatak.dll

Filesize
2.3MB

MD5
72d64ad8fe155bffc597af8389e06160

SHA1
1c2196e4724465f3958fc406a9d2c62d613a6b5a

SHA256
1f375e74e1f6eb8fe5bb206d269a4dcbc28aa8d29902098e2c46e8dfe644e26c

SHA512
cd871e247db3bd385b9c5850d5dda45ab6650b06cefa12ab3ebfa367342f1a30df16aba731fc0b4cd036436732d5944685e3dd71892c191df245c521385cab39

Download Submit
memory/2892-16-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/2892-25-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download