Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/03/2024, 06:00
Static task: static1
Behavioral task: behavioral1
  Sample: bab11601f72419010ada70a4ea0061f5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bab11601f72419010ada70a4ea0061f5.exe
  Resource: win10v2004-20240226-en
General
Target: bab11601f72419010ada70a4ea0061f5.exe
Size: 241KB
MD5: bab11601f72419010ada70a4ea0061f5
SHA1: ffe83f349ee0e91fbff785847c843ff13aa4da3b
SHA256: 4e9cba71eeac46bdde5e740b1be94742300d28ffa6b54c7df002c74a4bcc9057
SHA512: 6ca2b7ffb7fdf38d9bf2804248ac870555f660c3a6995169f94071db247f60eefa8ebb68c7f4263db86eb32b4184ac1b4c51e97a6fb2b6f096d0748ce7f25e33
SSDEEP: 6144:XiT6oIFoxAI3Zu4IXULdVuzuLRboVl2Slt:XwI2g4rxVouKO
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\G: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\L: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\Q: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\R: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\S: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\E: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\K: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\Y: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\Z: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\X: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\H: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\I: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\M: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\N: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\U: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\J: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\O: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\P: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\T: | bab11601f72419010ada70a4ea0061f5.exe
File opened (read-only) | \??\W: | bab11601f72419010ada70a4ea0061f5.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | bab11601f72419010ada70a4ea0061f5.exe

Drops file in Program Files directory (19 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | bab11601f72419010ada70a4ea0061f5.exe
File created | C:\Program Files\7-Zip\Uninstall.ivr | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | bab11601f72419010ada70a4ea0061f5.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | bab11601f72419010ada70a4ea0061f5.exe

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
620 | 4824 | WerFault.exe | 87
3596 | 4824 | WerFault.exe | 87

Modifies registry class (8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute\server\ = "sndrec32.exe" | bab11601f72419010ada70a4ea0061f5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server | bab11601f72419010ada70a4ea0061f5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing | bab11601f72419010ada70a4ea0061f5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server\ = "sndrec32.exe" | bab11601f72419010ada70a4ea0061f5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute\server | bab11601f72419010ada70a4ea0061f5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec | bab11601f72419010ada70a4ea0061f5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol | bab11601f72419010ada70a4ea0061f5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute | bab11601f72419010ada70a4ea0061f5.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4824 | bab11601f72419010ada70a4ea0061f5.exe
Processes
C:\Users\Admin\AppData\Local\Temp\bab11601f72419010ada70a4ea0061f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bab11601f72419010ada70a4ea0061f5.exe"
  PID: 4824
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe (child of PID 4824)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1580
      PID: 620
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe (child of PID 4824)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1588
      PID: 3596
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4824 -ip 4824
  PID: 1872
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4824 -ip 4824
  PID: 3016
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 127KB
MD5: 6aacae000591aa698150fac858a0a422
SHA1: 88e6f189d0035184f05ee3e0446855745b086402
SHA256: d66c011c426d4a5a34cf9290030f9b7dd42b0a92a2d2a6060ecb6ec98b0f15a3
SHA512: ef0aad6d12b2b429d5ce324d8db162a2e0902f7f7bb2d4c610902037a4f62b9a54267b1f52d15154daaf20c21ee7288ee5685672884a075e4c9bf8adcaeb9ffb