26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
Size

292KB
MD5

0f455b470891006dc8921d5474a5abe7
SHA1

d2ad40a773b9b20141d8ee22d6b3c77372713b35
SHA256

26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2
SHA512

0a49448f0587bea9e9eef4aac49b8ac78bd1a41f5599c02580d6f6b941ec079b7510c7e4b01de657f00cc50058361c7f28dd59aafbc98d55169c182552b0d680
SSDEEP

768:jZKM11gG4ChfiPO0rfz0shcUypMC5/VKhZyg3iepFV2DIQqSsFY2s/qsy/EI0IQR:gMDgG4ChfiPOefgsOUqQwg

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System applets = "C:\\Windows\\System\\applets.exe"	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Syssrc32 = "C:\\Windows\\Syssrc32.exe"	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fndfst32 = "C:\\Windows\\System\\fndfst32.exe"	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer Shell = "C:\\Windows\\System\\Explorer.exe"	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\fndfst32.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File created	C:\Windows\System\Explorer.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File opened for modification	C:\Windows\Help\intret.cnt	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File opened for modification	C:\Windows\System\Sysexp32.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File opened for modification	C:\Windows\Syssrc32.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File created	C:\Windows\System\applets.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File created	C:\Windows\System\Sysexp32.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File opened for modification	C:\Windows\System\mplayerw.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File opened for modification	C:\Windows\System\applets.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File created	C:\Windows\Syssrc32.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File created	C:\Windows\System\fndfst32.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File created	C:\Windows\Help\intret.cnt	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File created	C:\Windows\System\mplayerw.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
File opened for modification	C:\Windows\System\Explorer.exe	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1704	4504	WerFault.exe	84

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\Explore = "%SystemRoot%\\SysWow64\\NOTEPAD.EXE %1"	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\System\\Sysexp32.exe %1"	26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe

C:\Users\Admin\AppData\Local\Temp\26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe
"C:\Users\Admin\AppData\Local\Temp\26003668989f33dbedd2ca68595fb7d9908efeb93054096d0402f4ceee2677f2.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 336
  2⤵
  - Program crash
  PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4504 -ip 4504
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\Sysexp32.exe

Filesize
304KB

MD5
3a6b69fc9d3899d5adba1aa41c91d9f3

SHA1
4a8d6241b7a5ed1504e78955da0fdcad4b0850fd

SHA256
2a44c468c42624b6dfb5adb17b916e7636301c0f60bc98d878ecbe3f203924f1

SHA512
0b1f9b10503d269333c54f97bd1d0ea6915426fc694d02d7d3650f08823423848ebf4e4d1526fddddfe62bac823111d5d27e5918b414d036b14afc2bbe3d03ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads