Analysis
- max time kernel: 148s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-03-2024 02:26
Static task: static1
Behavioral task: behavioral1
- Sample: c4bd87c3284cab7b4a4d4039af0f933e.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c4bd87c3284cab7b4a4d4039af0f933e.exe
- Resource: win10v2004-20240226-en
General
- Target: c4bd87c3284cab7b4a4d4039af0f933e.exe
- Size: 428KB
- MD5: c4bd87c3284cab7b4a4d4039af0f933e
- SHA1: f99fbf47be97d05942aaa7de443ee60d1fde7c30
- SHA256: 55caca52abf37a49b12a02e66216185dce838bb0222921647148ee495c1d1c08
- SHA512: 8d8ba14128507d03cf67c88b676763038bb631579ba981ba43e83e807c6250ea6ca3e5d1db30f2e4162515236b0f4940a08100b511a78ccced8506d11ae6accd
- SSDEEP: 12288:B7tb3KcX80ljcF82LnZ84bd4zRrnKorz:dtmOjYZdbdilj
Malware Config
- Extracted: latentbot
- cheloulenoir.zapto.org
Signatures
- Modifies firewall policy service (2 TTPs, 8 IoCs)
  Processes: reg.exe (4 instances)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TIEGHZKC55.exe:*:Enabled:Windows Messanger" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe = "C:\\Users\\Admin\\AppData\\Roaming\\TIEGHZKC55.exe:*:Enabled:Windows Messanger" (reg.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: WinSec.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run (WinSec.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\iexplore = "C:\\Users\\Admin\\AppData\\Roaming\\TIEGHZKC55.exe" (WinSec.exe)
- Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  Processes: WinSec.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E69CAB-EF79-AF1E-EBAD-5E74AFCB5F97} (WinSec.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E69CAB-EF79-AF1E-EBAD-5E74AFCB5F97}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\TIEGHZKC55.exe" (WinSec.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{16E69CAB-EF79-AF1E-EBAD-5E74AFCB5F97} (WinSec.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components\{16E69CAB-EF79-AF1E-EBAD-5E74AFCB5F97}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\TIEGHZKC55.exe" (WinSec.exe)
- Executes dropped EXE (2 IoCs)
  Processes: TIEGHZKC55.exe, WinSec.exe
  - PID 1760: TIEGHZKC55.exe
  - PID 2644: WinSec.exe
- Loads dropped DLL (3 IoCs)
  Processes: c4bd87c3284cab7b4a4d4039af0f933e.exe, TIEGHZKC55.exe
  - PID 2060: c4bd87c3284cab7b4a4d4039af0f933e.exe
  - PID 2060: c4bd87c3284cab7b4a4d4039af0f933e.exe
  - PID 1760: TIEGHZKC55.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: WinSec.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iexplore = "C:\\Users\\Admin\\AppData\\Roaming\\TIEGHZKC55.exe" (WinSec.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\iexplore = "C:\\Users\\Admin\\AppData\\Roaming\\TIEGHZKC55.exe" (WinSec.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: TIEGHZKC55.exe
  - PID 1760 (TIEGHZKC55.exe) set thread context of PID 2644 (WinSec.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 4 IoCs)
  Processes: reg.exe (4 instances)
  - PID 2964: reg.exe
  - PID 2744: reg.exe
  - PID 2912: reg.exe
  - PID 2552: reg.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes: WinSec.exe
  - PID 2644 (WinSec.exe) adjusted the following token privileges, in order: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: WinSec.exe
  - PID 2644: WinSec.exe (3 entries)
- Suspicious use of WriteProcessMemory (46 IoCs)
  Processes: c4bd87c3284cab7b4a4d4039af0f933e.exe, TIEGHZKC55.exe, WinSec.exe, cmd.exe (4 instances)
  - PID 2060 (c4bd87c3284cab7b4a4d4039af0f933e.exe) wrote to memory of PID 1760 (TIEGHZKC55.exe): 4 entries
  - PID 1760 (TIEGHZKC55.exe) wrote to memory of PID 2644 (WinSec.exe): 10 entries
  - PID 2644 (WinSec.exe) wrote to memory of PID 2456 (cmd.exe): 4 entries
  - PID 2644 (WinSec.exe) wrote to memory of PID 2460 (cmd.exe): 4 entries
  - PID 2644 (WinSec.exe) wrote to memory of PID 2604 (cmd.exe): 4 entries
  - PID 2644 (WinSec.exe) wrote to memory of PID 2544 (cmd.exe): 4 entries
  - PID 2456 (cmd.exe) wrote to memory of PID 2552 (reg.exe): 4 entries
  - PID 2460 (cmd.exe) wrote to memory of PID 2912 (reg.exe): 4 entries
  - PID 2604 (cmd.exe) wrote to memory of PID 2964 (reg.exe): 4 entries
  - PID 2544 (cmd.exe) wrote to memory of PID 2744 (reg.exe): 4 entries
Processes (indentation shows the parent/child tree; the trailing number in the original report was the depth level)
- [1] C:\Users\Admin\AppData\Local\Temp\c4bd87c3284cab7b4a4d4039af0f933e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4bd87c3284cab7b4a4d4039af0f933e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\WinSec.exe
      Command line: C:\Users\Admin\AppData\Roaming\WinSec.exe
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - Modifies registry key
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - Modifies registry key
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - Modifies registry key
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\TIEGHZKC55.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - Modifies registry key
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
  - Filesize: 201KB
  - MD5: 177b01b99483b011b36d02dea2308802
  - SHA1: 9b93fa106372290608abbf2173a6633020a96a8a
  - SHA256: ac8f61ad831b864fc4d640b91a2d34ada2bbd427ef1b194d492c842aac5be436
  - SHA512: 974baaa2b02acffaf830d486ae17e5bbc1cf0d90b366274121fc5b0584fd4a69ede6fe48b0e266060a2989fd3e166a75da8166975f23648df4725acba3f873b0
- C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
  - Filesize: 276KB
  - MD5: 441d047bd699525d4e3268e25e16e1b8
  - SHA1: 65d9070ef5ba0f8dea0face8f3a2c8525111d63e
  - SHA256: cbbf088b87bb798c35e955281026571835656d25c75aa6a994b9fb89e6070bfe
  - SHA512: 3717bcf2e929da78b8b1b62e78f81a7171c050ea0fa948f587a7a2ab02a32446d573c613f019df6206461aa7fdc6b4b6fc15a0ce9f58a5438e0b319ed46d7a28
- C:\Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
  - Filesize: 246KB
  - MD5: f057bb208b4b9579cb95057086f879c0
  - SHA1: 7f12a87b2f68d8225b53b4b6f4a4aa8078ecb2ad
  - SHA256: 55d08fcff3ab06454977eee3ccb99289e6997c1a36dda655dad28746d6028d3c
  - SHA512: cd48f9c4c027796cd94eaa0569a9e370c05b8f830ae6f054b09ee4349d49d53c4d8c79eeded589ff1d3b9aefde0c93d245d62e66a5bd573bf39bd8ac2036e0ce
- C:\Users\Admin\AppData\Roaming\WinSec.exe
  - Filesize: 31KB
  - MD5: ed797d8dc2c92401985d162e42ffa450
  - SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
  - SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
  - SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2
- \Users\Admin\AppData\Local\Temp\TIEGHZKC55.exe
  - Filesize: 241KB
  - MD5: 5016b56e31f32d5835649a98f0254e50
  - SHA1: b6960442a922b75c95d5d4b3260ca59b5d19c314
  - SHA256: 728a9da9f1f3c4f61fd3be137e4bbd87975c18d49fa36f61b8e5b091ff3c5a7c
  - SHA512: 6d4fde0271f37858057e4bc7536dc6166cd0ab3842ddf23734a7ce2b56e8fcb30cae45d3d72697398771a07481d0bbdbae620bfa347cda822ad671cf7cd8f182