Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
07/03/2024, 11:20
General
-
Target
b89d36a325d0a527ed039e65038260c4.exe
-
Size
741KB
-
MD5
b89d36a325d0a527ed039e65038260c4
-
SHA1
12e2e78fa8e71ea09d8e12fae6d88ac9e7f3d848
-
SHA256
22abc3c89f804c2a187c3a2e714e1410ce7d447e6d019c9c94003fb06e74697c
-
SHA512
b6e223fea397fdc9a386bd4343ca02c962992838a6c76874df54d499256093c8302e49bbff75a384800c294b1ad1ad7cc6821f0c708c33050c9a77860a02d393
-
SSDEEP
12288:f2Pn6uN/0F4ZO5XqwTLxY/q6r1LtZYsHGllHx4wgK/225+Mctm8sC3rSDU2:ePPNsFdVlO1LtGl1GZt3Gn
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 11 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 40 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b89d36a325d0a527ed039e65038260c4.exe"C:\Users\Admin\AppData\Local\Temp\b89d36a325d0a527ed039e65038260c4.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe"C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt3030.bat3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Windows Firewall/Internet Connection Sharing (ICS)"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"5⤵
-
-
-
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exeinstsrv.exe svchost C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\regedit.exeregedit -s a.reg4⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\net.exenet start svchost4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start svchost5⤵
-
-
-
-
-
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exeC:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exeC:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
556B
MD55ee7fe7e4463ecabdb6236033d2c3a05
SHA1ea831d9104dae3eaf30ab8f90dbd34eedc9145a3
SHA256236da3230ac60deed70eeb38f92a9d60a0eca2f9ee960f0127802ba768ee8fde
SHA512e15a864ee16c243460516b16e26ad791f202f66f949a8ea824709d70846f78061d603fdc1c77835d8f772edf3459e01bb4ea2f593e16c07ec4fe891eb133b87b
-
Filesize
11B
MD52218df9cdffc814a3dc25c81dd8619dd
SHA10290f796218937f61331adc8803788e7cd4c2299
SHA256455831b583cfa9549746bcd296a60f5191d2eff7829d469e029b68768c5e56d1
SHA5127aa4c745dfce7b2c38c4930e8275885727a19480597f685f89ab0e536175c31a2d5ee61cfd84b483f73eb211970a1a4fefcc59d8ef97b9af7bf09b7dcf932efa
-
Filesize
61B
MD5f5d1a3af67f05f5af2b0fca009887a97
SHA1bddaa45a9849524c4648fb778b7e0601d35ecbed
SHA256d846844887cfecb6cfbf1fa51dd2380cd203b21d154e1938df15567c256f97a5
SHA51221d84f8fb1cc2c3abda0452704f45e3c79092b33e7bb3a5fdc3973cacc53014681ba7977df60818f0375353fdac4e58977048c4db275c1c689f6ed4aef2a3496
-
Filesize
579KB
MD5def8c81af6b9eca2309b735bff710aaf
SHA17b1e9bda9d2cf0f6e626f5d8eb186280edbaf20c
SHA256babda4e7c14e753ce01212ad1efa9d2718d1edaaec3d11e6d2676689645a3171
SHA51264bb4ae41507a5d0a6657caec00ead3ad964e5ae969b04eda5ea933a4215621f6c2e5af9f21df2ddd33636b1af1116b00634e5831723430cf80bab2aa9d9b01c
-
Filesize
51KB
MD563a4c1fb434368c06d8e6ff8efeb45c8
SHA1280ba93ed9c87dc0d883cfac71a67e456fa7035c
SHA256a84c9f4aae9a1e3f9343edb745e7ddef9fb92a09ff9f149da0ac0c656825f561
SHA5122dbca5d5240ab3b590b0b13bbe04b3dfc9f64dc31860bfafe95a434f2e174de28509107c4446345800cd989a98be924789e2b0c460c0f6176af7f19c2f1ae792
-
Filesize
31KB
MD53ebc73497642e15d01c980d2d110063a
SHA17f34c0f36d871fe19b50f54748f5be8996940d31
SHA256d2467bf37684c1cfb41a714182cc7b258035118c4871b5504ed10cdce4f243bc
SHA5128e1c997427625cfa10ba11a84ef050788d67fd1e66d8dd5bc19dc342ae6e8a51e34a6d44f67b20ead6034c12daf2c1c02ed93cb21e41a978ed6ad1532976bf35
-
Filesize
31KB
MD59f7acaad365af0d1a3cd9261e3208b9b
SHA1b4c7049562e770093e707ac1329cb37ad6313a37
SHA256f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c
SHA5126847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54
-
Filesize
5KB
MD5e09aa9787af5cc53fd7525dd6693cf10
SHA157445d0779a66c61741822c0a7988573efee13d7
SHA256c7f023fc4c85680f5c334fef09155e81861634108140a5716a1395dd7cd62266
SHA512b71a8c0939d545afa173f107f99314848c6104928b77d6f39d6e4486ca2b65797cecff0f877160edf6ca1d21dca95b7f1be53221811c945f7c4be6e77a4d1f8c
-
Filesize
3KB
MD58cc0695282007e86fe3b57e93bcd8589
SHA1e5b08bf0f016ee3e97633869bea2dbe089151cc6
SHA2568aa2f4125ddf3e7c0c41863f6895207e96e52cf5e8f91d672eb65527d4551413
SHA512a10fb8e773d804cc156e6637604045cbe6dc5ec4a95922093231ceb38a58439b6c9f90f4e9e8b80c0f55873e6fd31be64d8128e6ca903d659f14d3e6de946441
-
Filesize
3KB
MD59cd4e1ec2e2ff59475e57ec36a99e85b
SHA10159f6d801394f87ff7aff63dcd493271b395771
SHA25638f562506cfea84647f9078a8fb4aa8be0821f9997893e6251f09b3a367da35f
SHA5125b0516a2c6dbb1b4abce32732a65c3aba65d43db4085050fa463f353c2bb5c21f19b2abffd9b72bc3cdb11010cd07faf94bfb5871162cd115430ebfc83bc74e1
-
Filesize
3KB
MD55a23c702dc990cc98992e59d96958df3
SHA19a8a4c0fdb85bed365a219f8aaa6ddabfc1d7d83
SHA2564279c9cc3a2f9948050c6d33908087da31736be85cbd5284804b3a49099e5a42
SHA512ae783bff305b09fe4cd20da7074369cedb78c0f2f61bb0e65092a102afb2978504c64b78265c7d702a63c69a73f0940ec83974797ab322ce7a9040ba85842028
-
Filesize
54KB
MD52d66930c1063cf32fbd14e1a21aa03e8
SHA18983e69a22918105324ef7ba12006b5e1b15c539
SHA2567b7e8c960cc494091ebc6ed57d3f04df09ac3030df66449f2c401b46bff9bc8b
SHA5126f6b96a02a029abc2bff5993d8971b40c5e73a1e2ca6381000c4db0f0c619b0254146652ef3721c8297348f9a8a6935fd043d88a01ee1664c123c5fa4d696b6f
-
Filesize
108B
MD567594f7dd0300af35da46379cae4f4e6
SHA13d1724e333a612cea45d5267166615f139c27d73
SHA2562a81346dbb15037f5a8ce274b29f664866d089f0e41102b3217322463abea085
SHA512b440ed07732f55209a0a77c85822558386bc7de1c20551336e75a50373e6cdce8a4c3911f632d3f65a8298fd4c294de5f0c31ea5a04528902d11d7d21a457a55
-
Filesize
87B
MD5aab3e021564977a54422ba7dd1429bae
SHA1a89306dfb4818f2ca03cc7ef53cc20635e53764a
SHA256d8ddb7f8a33d4a94c9225a4d446cf1a8b517cef6de375eb114785929b945520e
SHA512a35f593a00cba8bb2ff1c4c2ba7b7c6868fd0d6bce825901ef16c8215928b8c8af48950d0445813d5fa2d01126e377c5ac9a79402b31c49d03abbafba1069d83
-
Filesize
9KB
MD5407a8aeaaf12df9d6ad971b738c15aeb
SHA1310de65f8542a770edca5df7528665220647af5b
SHA2567d5409498e172335e77a3d4e2ff06c6a745ab2bf837fa21b0883cdd8f342a3c8
SHA5128112439df510ae2a6582a481c12eb615e09bc27c619b3d048b6e58e1341c2cea7492b20a6a4faca9a9e5a455e1163ab39d7136a3269547d42edc7b605d6ed783
-
Filesize
1KB
MD5d7210dbbfa92aca222429c0e1e49be27
SHA1eef4d67ecd3e08851da7c6f985270e2554154ae3
SHA2560463ca9d506a677c16bd38649e22cb125a4bc79bef0910e57ef2f2f4bfade57a
SHA512b3e4be04ebf20ab416304d2fe0de45bc2fe34f439b7f3ee4eeffb1096545448cf019b85a03dbd39ef817828aed6d73b58a40bf5085e551dca5f1a83cd6b9a4ae
-
Filesize
8KB
MD54635935fc972c582632bf45c26bfcb0e
SHA17c5329229042535fe56e74f1f246c6da8cea3be8
SHA256abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1
SHA512167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060
-
Filesize
947B
MD5fef8a64b448040956dabff5c102104e2
SHA16029bf598ceb27341cd0a10373690a40042306a0
SHA2561dce320553ab6f2526423359a2ded7daa9c2c4877df6ffe7e7a5cb39c705bd99
SHA51204ad4f14eee880129c47ab740beecfd8ca368922496c45e543fc022d1c05ec65f68da390604bb95900fa3507ddc1ace55ea430b319c7997fac5944e97df92489
-
Filesize
220B
MD5df6887d17e2c9912e637347ec7ca20b5
SHA1dfcd2ad7429ac5ad537e6b7d10004cd7c9168066
SHA256f331858ea0c53b1a2b1fa301f5e74dddc7888dd874bd3968007dae4e4808d39c
SHA512b79559945d4ca0d78fb12ff15d397e4bbd4e0bae6eba96721bffc246b3c423e5cd2bd1aacaeed12f5740e111cd8dafcef9c97a497022da0deff44770464e885f
-
Filesize
146KB
MD58ecf1b30f5fbb12a2fe138364d351a26
SHA1ff0b828a9df228cf05898d6db9982a1fedbc0584
SHA25622a51f140a738f69da01c21ab6fcf9a5ec653da1e4a73ad107e1a0faffba16fb
SHA5121971ea29934fb3c09c53d41db23616f2d3b89bba81db51ce7f09840489f0d471dd8bfe5b09d335020f11047af744c4c4c5ab3d896f9b8d222b6b93c419201560
-
Filesize
176KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB