c26b7e05d554cae91b4bba25b8d7e408b8277402b36ed469dd83f49491e30460

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c240a73a05930190ba6b26305dbd03b5.exe
Size

236KB
MD5

c240a73a05930190ba6b26305dbd03b5
SHA1

383a799396a66931166edf46963cafde458ac635
SHA256

c26b7e05d554cae91b4bba25b8d7e408b8277402b36ed469dd83f49491e30460
SHA512

7c7d7f179682affc804d4517432e31e3849ef40722e60389564e22900bc68508329d42ac5f05ff1b1cd589e54973762f7fb7f9ccbf8c9e954d0dbdf7253ee401
SSDEEP

6144:2wmR1EzYbPCS8WsD7s0FU6ykbsdb/y99z9tnL9O99999N9999V999996999WLf9u:2J

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cwtum.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	cwtum.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	c240a73a05930190ba6b26305dbd03b5.exe
2164	c240a73a05930190ba6b26305dbd03b5.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /n"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /d"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /q"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /J"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /Y"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /E"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /z"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /I"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /T"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /S"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /k"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /y"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /F"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /Q"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /b"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /c"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /r"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /L"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /Z"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /O"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /W"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /C"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /x"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /K"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /V"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /p"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /i"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /u"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /N"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /e"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /w"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /G"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /l"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /X"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /s"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /M"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /v"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /t"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /f"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /m"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /A"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /o"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /g"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /h"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /D"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /U"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /R"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /P"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /a"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /B"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /H"	cwtum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwtum = "C:\\Users\\Admin\\cwtum.exe /j"	cwtum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe
2904	cwtum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2164	c240a73a05930190ba6b26305dbd03b5.exe
2904	cwtum.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2904	2164	c240a73a05930190ba6b26305dbd03b5.exe	28
PID 2164 wrote to memory of 2904	2164	c240a73a05930190ba6b26305dbd03b5.exe	28
PID 2164 wrote to memory of 2904	2164	c240a73a05930190ba6b26305dbd03b5.exe	28
PID 2164 wrote to memory of 2904	2164	c240a73a05930190ba6b26305dbd03b5.exe	28
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27
PID 2904 wrote to memory of 2164	2904	cwtum.exe	27

C:\Users\Admin\AppData\Local\Temp\c240a73a05930190ba6b26305dbd03b5.exe
"C:\Users\Admin\AppData\Local\Temp\c240a73a05930190ba6b26305dbd03b5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\cwtum.exe
  "C:\Users\Admin\cwtum.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\cwtum.exe

Filesize
236KB

MD5
c3f592b9b505a15838d13c7c44c7415a

SHA1
e66166124e7ef5738fafb3a13c3db5748a74949a

SHA256
e18d0bac3773d9e20cfa3015398a62053c51093fbccc12827dc36261535d82d2

SHA512
b2db3d3fdb09975791bfdd4a823dd9456b4b2449406f57efaad23070fdfa38eb4b7aa9417b0aeb34935e9af1f95960a79eda731b05ed0372350cb6fc346c6f3b

Download Submit