fd786c64ff26e1e68e83338586d504375a456e0fd3d565b23520f3fc2e28cdcd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f6ca059ca1638943cabdff385345c0.exe
Size

176KB
MD5

23f6ca059ca1638943cabdff385345c0
SHA1

796c3812ebbb018cf303482b29b4c5c75740ba48
SHA256

fd786c64ff26e1e68e83338586d504375a456e0fd3d565b23520f3fc2e28cdcd
SHA512

005e8f91a5ff685d70f9e1ff3e973de7e98d9c283c3de42015eac813c513710d13cf5e840fbbdd3c1b9e5fd8639db02246a319e0cea9eaf733acf19f0e23fe3e
SSDEEP

3072:59E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:r0MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2956	Deviftp.exe
3756	mtstHost.exe
3528	~4314.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\perfcher = "C:\\Users\\Admin\\AppData\\Roaming\\rdrlover\\Deviftp.exe"	23f6ca059ca1638943cabdff385345c0.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mtstHost.exe	23f6ca059ca1638943cabdff385345c0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	Deviftp.exe
2956	Deviftp.exe
3536	Explorer.EXE
3756	mtstHost.exe
3536	Explorer.EXE
3756	mtstHost.exe
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3536	Explorer.EXE
3756	mtstHost.exe
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3536	Explorer.EXE
3756	mtstHost.exe
3536	Explorer.EXE
3756	mtstHost.exe
3536	Explorer.EXE
3756	mtstHost.exe
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe
3756	mtstHost.exe
3536	Explorer.EXE
3536	Explorer.EXE
3756	mtstHost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3536	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2956	1204	23f6ca059ca1638943cabdff385345c0.exe	91
PID 1204 wrote to memory of 2956	1204	23f6ca059ca1638943cabdff385345c0.exe	91
PID 1204 wrote to memory of 2956	1204	23f6ca059ca1638943cabdff385345c0.exe	91
PID 2956 wrote to memory of 3528	2956	Deviftp.exe	93
PID 2956 wrote to memory of 3528	2956	Deviftp.exe	93
PID 3528 wrote to memory of 3536	3528	~4314.tmp	57
PID 1204 wrote to memory of 1016	1204	23f6ca059ca1638943cabdff385345c0.exe	94
PID 1204 wrote to memory of 1016	1204	23f6ca059ca1638943cabdff385345c0.exe	94
PID 1204 wrote to memory of 1016	1204	23f6ca059ca1638943cabdff385345c0.exe	94
PID 1016 wrote to memory of 1884	1016	cmd.exe	96
PID 1016 wrote to memory of 1884	1016	cmd.exe	96
PID 1016 wrote to memory of 1884	1016	cmd.exe	96

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1884	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3536
- C:\Users\Admin\AppData\Local\Temp\23f6ca059ca1638943cabdff385345c0.exe
  "C:\Users\Admin\AppData\Local\Temp\23f6ca059ca1638943cabdff385345c0.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Roaming\rdrlover\Deviftp.exe
    "C:\Users\Admin\AppData\Roaming\rdrlover\Deviftp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\~4314.tmp
      "C:\Users\Admin\AppData\Local\Temp\~4314.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    /C 240599859.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "23f6ca059ca1638943cabdff385345c0.exe"
      4⤵
      Views/modifies file attributes
      PID:1884

C:\Windows\SysWOW64\mtstHost.exe
C:\Windows\SysWOW64\mtstHost.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240599859.cmd

Filesize
195B

MD5
cf6b14bbf73e9e214e681ea422457785

SHA1
1c27f70feefadd9606514fe0d43168fa5903f1e1

SHA256
be90ba83dfdd72e3db65f2d0f9e8a928c281df6d294bc7d2fd57121a8238b7af

SHA512
4d9569d68deaa59789496d7f8a7b6b4618709c4ad5e349d44226331d6001077343c378f7abbfb233ce21280c68abe87357ca6e4c05ea298e0d0b7d854a29c898

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4314.tmp

Filesize
6KB

MD5
f38a1cb92ac4ff874c5e4511830872b2

SHA1
c98fd852d3471ee2a7bfae547e56879019ca00b7

SHA256
8c8da14cd52741eedb9f805e7bbdfd1d79dc1f9c6b2757d0c593c5342fcfe856

SHA512
e654e3c10e09fb3df2ca72dbf9665cbcb8d0d84b281d4f77410a4b241df56f6eb04deba58f441d50640ac8a597ab1c6c515b83f4025d47fab2cc203070e95c71

Download Submit
C:\Users\Admin\AppData\Roaming\rdrlover\Deviftp.exe

Filesize
176KB

MD5
a4f0eb265fdcedd9d80e2b76c8cb16cb

SHA1
aeff4a419cec6bbd7089ea0f54a30f5783121cbd

SHA256
14826317be7ef1c4711bd07c0b13766567fed8b8678ebca69d123d70ccf0eb1a

SHA512
1be6d542bd71140a2689c894cff26eafad85cbd3202c53a9a3284be7f3b89a8e71c2253bb46ccaa3ab94ab87c045ec1b2335e71b0926bfde139981d37aeb9981

Download Submit
C:\Windows\SysWOW64\mtstHost.exe

Filesize
176KB

MD5
23f6ca059ca1638943cabdff385345c0

SHA1
796c3812ebbb018cf303482b29b4c5c75740ba48

SHA256
fd786c64ff26e1e68e83338586d504375a456e0fd3d565b23520f3fc2e28cdcd

SHA512
005e8f91a5ff685d70f9e1ff3e973de7e98d9c283c3de42015eac813c513710d13cf5e840fbbdd3c1b9e5fd8639db02246a319e0cea9eaf733acf19f0e23fe3e

Download Submit
memory/1204-0-0x0000000000710000-0x0000000000750000-memory.dmp

Filesize
256KB

Download
memory/2956-8-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/3536-15-0x0000000002ED0000-0x0000000002F13000-memory.dmp

Filesize
268KB

Download
memory/3536-13-0x0000000002ED0000-0x0000000002F13000-memory.dmp

Filesize
268KB

Download
memory/3756-17-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/3756-16-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/3756-20-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download