d3ac9178b6e07b4331c00abbbbc84d92731acf53332bb4986a14815d9e29dbcb

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd4b11e40d1ebd839d02e668c097f018.exe
Size

80KB
MD5

bd4b11e40d1ebd839d02e668c097f018
SHA1

64bd5768eb0cfe54f9ffa8daef429ceb9879c235
SHA256

d3ac9178b6e07b4331c00abbbbc84d92731acf53332bb4986a14815d9e29dbcb
SHA512

842c8f5d49f597420e023050374b1754ea770fe589f131e247fa37b2d3734fa27f5cb6564b1fee52e110b35443a07266362a253695686faebcc3693853e545e6
SSDEEP

768:EyLwrBwCZM/gQUGHeBPY9ogmu3x88w9NtvDHvGk5Lak7R9uDNIXNldBkaQkTHxVX:HtLUKt3x899NtrOCrlXklgV

Score

8^/10

discovery persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	bd4b11e40d1ebd839d02e668c097f018.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\WinDrv = "C:\\Windows\\system32\\run.exe"	bd4b11e40d1ebd839d02e668c097f018.exe

Executes dropped EXE 1 IoCs

pid	Process
2940	run.exe

Loads dropped DLL 2 IoCs

pid	Process
1224	bd4b11e40d1ebd839d02e668c097f018.exe
1224	bd4b11e40d1ebd839d02e668c097f018.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\run.exe	bd4b11e40d1ebd839d02e668c097f018.exe
File opened for modification	C:\Windows\SysWOW64\run.exe	bd4b11e40d1ebd839d02e668c097f018.exe
File opened for modification	C:\Windows\SysWOW64\run.Exe	run.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1224	bd4b11e40d1ebd839d02e668c097f018.exe
2940	run.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2940	1224	bd4b11e40d1ebd839d02e668c097f018.exe	28
PID 1224 wrote to memory of 2940	1224	bd4b11e40d1ebd839d02e668c097f018.exe	28
PID 1224 wrote to memory of 2940	1224	bd4b11e40d1ebd839d02e668c097f018.exe	28
PID 1224 wrote to memory of 2940	1224	bd4b11e40d1ebd839d02e668c097f018.exe	28

C:\Users\Admin\AppData\Local\Temp\bd4b11e40d1ebd839d02e668c097f018.exe
"C:\Users\Admin\AppData\Local\Temp\bd4b11e40d1ebd839d02e668c097f018.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\run.exe
  "C:\Windows\system32\run.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\run.exe

Filesize
80KB

MD5
bd4b11e40d1ebd839d02e668c097f018

SHA1
64bd5768eb0cfe54f9ffa8daef429ceb9879c235

SHA256
d3ac9178b6e07b4331c00abbbbc84d92731acf53332bb4986a14815d9e29dbcb

SHA512
842c8f5d49f597420e023050374b1754ea770fe589f131e247fa37b2d3734fa27f5cb6564b1fee52e110b35443a07266362a253695686faebcc3693853e545e6

Download Submit
memory/1224-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1224-6-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/1224-13-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/1224-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1224-19-0x0000000000460000-0x000000000046D000-memory.dmp

Filesize
52KB

Download
memory/2940-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads