29b13081b5b6db962c3b4252c8bbbbe679d160527964b1a0d9eafdacf9b27771

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e01effa812878eca35cf59292a1c253e.exe
Size

549KB
MD5

e01effa812878eca35cf59292a1c253e
SHA1

694d8f73221799d5d918f1ef46b2fefae55dbe72
SHA256

29b13081b5b6db962c3b4252c8bbbbe679d160527964b1a0d9eafdacf9b27771
SHA512

480b6ece63b665816fab5a23683c5f317417c8539562e3062964ac34dec08fc25da31e52420c45f711a2666926987046ee2f01849f3376cfad842ac203f2f695
SSDEEP

12288:drhxHkQ6AYemgHbz1OGZIMmD/kSux10mUNh:BhhkQ6AYcgGZwkSuz0F

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinInit	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinInit = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\wininit.exe"	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DCOM	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DCOM = "C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe"	e01effa812878eca35cf59292a1c253e.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	wininit.exe

Loads dropped DLL 15 IoCs

pid	Process
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe
1548	e01effa812878eca35cf59292a1c253e.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm service	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm service = "C:\\Windows\\System\\lsm.exe"	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ClipSrv	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ClipSrv = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\clipsrv.exe"	e01effa812878eca35cf59292a1c253e.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System\lsm.exe	e01effa812878eca35cf59292a1c253e.exe
File created	C:\Windows\ieudinit.exe	e01effa812878eca35cf59292a1c253e.exe
File opened for modification	C:\Windows\RCX7B6D.tmp	e01effa812878eca35cf59292a1c253e.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IEudInit = "C:\\Windows\\ieudinit.exe"	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ClipSrv = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\clipsrv.exe"	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ClipSrv	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\USER\.DEFAULT	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	e01effa812878eca35cf59292a1c253e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IEudInit	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	e01effa812878eca35cf59292a1c253e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e01effa812878eca35cf59292a1c253e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2620	1548	e01effa812878eca35cf59292a1c253e.exe	28
PID 1548 wrote to memory of 2620	1548	e01effa812878eca35cf59292a1c253e.exe	28
PID 1548 wrote to memory of 2620	1548	e01effa812878eca35cf59292a1c253e.exe	28
PID 1548 wrote to memory of 2620	1548	e01effa812878eca35cf59292a1c253e.exe	28

C:\Users\Admin\AppData\Local\Temp\e01effa812878eca35cf59292a1c253e.exe
"C:\Users\Admin\AppData\Local\Temp\e01effa812878eca35cf59292a1c253e.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Roaming\wininit.exe
  C:\Users\Admin\AppData\Roaming\wininit.exe /a 1
  2⤵
  - Executes dropped EXE
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

Filesize
459KB

MD5
ba0ea07e0af3ad556113d273138ff1b7

SHA1
6957f842f32c3c26298213de86897240ed66da95

SHA256
762adb3f88bde26fd073ab2e253d51a24d8aa132e3593fe039421f0ceb39ce6f

SHA512
9224fb55b05e5433a2f729f03ca8dce586ca1fb4528ba7b6675ba2963798264abdebaa3050d93a41787fe0456238e600781519900e26c413d65712f93b5e8858

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
3789c8ba436a035920ff760109c884d4

SHA1
5f625262d4881945c38fe595c41f3aff49f784fc

SHA256
c29b271cd6f4d70ba9a01cc0655ac16530b5e9def596f267ad1e82713d51058d

SHA512
c75347693c36e1081dc95e2e2a2760dba62a51d7f66fd3199b019c3590f8ab0fc5029cae6b1a1aeb288af163a66b7975a28b077ab8fdcb3ed8a405ed9c3a7a5a

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

Filesize
499KB

MD5
428017aea69ba25aa2aa402773829530

SHA1
b7f79ca9fa7957a8325b54a1839537443e355f25

SHA256
780489fb54cb23ba2dd19183da394d5616151a3eb10a3d76dfb6135ad283a398

SHA512
a0e957500b5b5b514e803ebfa8659860ba1d678930eec2e1c35ea4d8f444b38236209f4eab09c02daa02dcbc7e207e02d79983114a843218d668d0b875d57cea

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

Filesize
500KB

MD5
c28260f106e84e7ca891adf5fe8d3b66

SHA1
3615b3c78f4d6827512a83adef0f8b498af5e3b8

SHA256
fe115d93dba06bba89cf163589b4a3f9d3cc483a5bfa8461e60c76d1e5952b8a

SHA512
7295f6b712198407642b6f0af2a9236853bb07aaa1603ae9b3406789845575fb21185717cfa7a85a7d1a33929978080e66072519d45cd4a4077cb0546100dff0

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\wininit.exe

Filesize
549KB

MD5
e01effa812878eca35cf59292a1c253e

SHA1
694d8f73221799d5d918f1ef46b2fefae55dbe72

SHA256
29b13081b5b6db962c3b4252c8bbbbe679d160527964b1a0d9eafdacf9b27771

SHA512
480b6ece63b665816fab5a23683c5f317417c8539562e3062964ac34dec08fc25da31e52420c45f711a2666926987046ee2f01849f3376cfad842ac203f2f695

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\csrss.exe

Filesize
523KB

MD5
a986b1ba3f64f7ca9102a09a65cec0da

SHA1
64b5da251e0fe143aad4a8f79e9322a6a6516624

SHA256
d26e5b0ad0af3a18917d89de26f4ad41febcef282d63f3e06366ab5b93af6144

SHA512
c7dfe84aa7852f03e512dee9858176a377f7356eb8c62b00375f54937bc5e72d1ea7a8f64d7c1ec98ff2d99c47072b9504b9aec4648ddd6626f86e13d1ecce3d

Download Submit
\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
247KB

MD5
646bcec25981f72645d87fabc9db9082

SHA1
02a47929f4d27b71e7aa0c19496f4d1713c2cb5a

SHA256
62760c5f8355056c54ebfa9185333dfff5ab1f7c2c28b6bccfd31f86c51c61f3

SHA512
1986f04f3c581401ce8d17b88a97446bb24da70f74c700769317f0a1e79e3be9014aef7a2c7590ba3652334218ac80526a51c4d36bc811fba5682adf5546ebb4

Download Submit
\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
256KB

MD5
8616cb10340c5d8e4d3eb32df2972f12

SHA1
be554a9f9cfb28a08747cad6103178bf39813b44

SHA256
25a4ab9ae3cc1d790ca9bb895e8cce6c56fa44186949b0acb5b52a04edb4506b

SHA512
6709690db9aa512bc184aac2e32feabaa1fd41dafbc367f5b2ab710130a5db22b13c4a8e2d5c4d08d75f8d92b38dd0d872769f92afd87dd662b81fa3b31ca2a4

Download Submit
\Windows\system\lsm.exe

Filesize
476KB

MD5
28090a98a27928612dd670a32754a19a

SHA1
2257e488fed293aea2408f66bebcb4a826f8c6ad

SHA256
f0c2b4ce18df09828beaabcb4a7d4ef1ec221256a46e7308c7286a8d266e6f63

SHA512
574091824654339ddca3698ad60b227fed97183ae93d3134788e419dcfddc4b00067469a912022b779a47e0c4c18dd88548efdd0d916bf51a431d28283a0a9fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads