7ab75cd48171a95eb961148f28d63055af2dc623938605ed6409d5c2512637ec

Analysis

max time kernel
147s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 04:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6887c970065ae7b3a49d41fb98e1232.exe
Size

14KB
MD5

b6887c970065ae7b3a49d41fb98e1232
SHA1

c7bd28fbd62fe21ded605cf0b2730508503890a8
SHA256

7ab75cd48171a95eb961148f28d63055af2dc623938605ed6409d5c2512637ec
SHA512

68f64dc61ac57eb2f63f698e92fbc1f6a5d2eb7c09a589aab2e1880854a8a9f108b716acfc28f3507c377af361b0f7f92d8c990239517c7f73005ecafdc4cae8
SSDEEP

384:OlcpOorUP0vo3WwkeZ+GYxbrEl2/bWvDPPi:0cp5dQGzGY5mUijPi

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2168	winsto.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	b6887c970065ae7b3a49d41fb98e1232.exe
3012	b6887c970065ae7b3a49d41fb98e1232.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Rescue System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsto.exe"	b6887c970065ae7b3a49d41fb98e1232.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Rescue System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winsto.exe"	winsto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "yes"	winsto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "no"	winsto.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	winsto.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2168	3012	b6887c970065ae7b3a49d41fb98e1232.exe	28
PID 3012 wrote to memory of 2168	3012	b6887c970065ae7b3a49d41fb98e1232.exe	28
PID 3012 wrote to memory of 2168	3012	b6887c970065ae7b3a49d41fb98e1232.exe	28
PID 3012 wrote to memory of 2168	3012	b6887c970065ae7b3a49d41fb98e1232.exe	28
PID 3012 wrote to memory of 2672	3012	b6887c970065ae7b3a49d41fb98e1232.exe	29
PID 3012 wrote to memory of 2672	3012	b6887c970065ae7b3a49d41fb98e1232.exe	29
PID 3012 wrote to memory of 2672	3012	b6887c970065ae7b3a49d41fb98e1232.exe	29
PID 3012 wrote to memory of 2672	3012	b6887c970065ae7b3a49d41fb98e1232.exe	29

C:\Users\Admin\AppData\Local\Temp\b6887c970065ae7b3a49d41fb98e1232.exe
"C:\Users\Admin\AppData\Local\Temp\b6887c970065ae7b3a49d41fb98e1232.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\winsto.exe
  C:\Users\Admin\AppData\Local\Temp\winsto.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7hjhffd.bat" "C:\Users\Admin\AppData\Local\Temp\b6887c970065ae7b3a49d41fb98e1232.exe""
  2⤵
  - Deletes itself
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7hjhffd.bat

Filesize
51B

MD5
b89a6400c207efc86cb2af6b7ea9a346

SHA1
f9f957d91991f88a7b0e2e9b1034e14b20a6866f

SHA256
94a80174fd3fe86f55bf71ff67047d910925fe5aa0ce7a04a5cd9060a12e8af0

SHA512
b03ef8435e82a2d301f31dbbcbdbafb5700ec6ec4b1ff0de26a525add9c160f595a952193d7bdc9fb28f1237bc1d4c3499cde775df77e94134c308247963b64d

Download Submit
\Users\Admin\AppData\Local\Temp\winsto.exe

Filesize
14KB

MD5
b6887c970065ae7b3a49d41fb98e1232

SHA1
c7bd28fbd62fe21ded605cf0b2730508503890a8

SHA256
7ab75cd48171a95eb961148f28d63055af2dc623938605ed6409d5c2512637ec

SHA512
68f64dc61ac57eb2f63f698e92fbc1f6a5d2eb7c09a589aab2e1880854a8a9f108b716acfc28f3507c377af361b0f7f92d8c990239517c7f73005ecafdc4cae8

Download Submit
memory/2168-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3012-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads