7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4

Analysis

max time kernel
121s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Size

279KB
MD5

baeac661772480505e6f7c382809134a
SHA1

40a61102e1de64f383a5a3175139d4bb8958ef1b
SHA256

7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4
SHA512

c21ca0df12c485d6c70ad864277096d50e5068e721a5afd2d4a9eee6909c76b236a7b3d278217138360e9aeea826e0ed506d92bd483c4067fde972ff2b4a8337
SSDEEP

6144:LTz+WrPFZvTXb4RyW42vFlOloh2E+7phg7ozD:LTBPFV0RyWl3h2E+7ph

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2488	winit32.exe
2612	winit32.exe

Loads dropped DLL 4 IoCs

pid	Process
2664	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
2664	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
2664	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
2488	winit32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\DefaultIcon\ = "%1"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon\ = "%1"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\DefaultIcon	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\shell\open\command\IsolatedCommand = "\"%1\" %*"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\shell\open\command	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\Content-Type = "application/x-msdownload"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\ = "ntdriver"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\shell\runas\command	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\ = "Application"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\shell	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\shell\runas	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\winit32.exe\" /START \"%1\" %*"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\shell\runas\command\IsolatedCommand = "\"%1\" %*"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\shell\open	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ntdriver\shell\runas\command\ = "\"%1\" %*"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\winit32.exe\" /START \"%1\" %*"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2488	winit32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2488	2664	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe	28
PID 2664 wrote to memory of 2488	2664	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe	28
PID 2664 wrote to memory of 2488	2664	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe	28
PID 2664 wrote to memory of 2488	2664	7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe	28
PID 2488 wrote to memory of 2612	2488	winit32.exe	29
PID 2488 wrote to memory of 2612	2488	winit32.exe	29
PID 2488 wrote to memory of 2612	2488	winit32.exe	29
PID 2488 wrote to memory of 2612	2488	winit32.exe	29

C:\Users\Admin\AppData\Local\Temp\7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe
"C:\Users\Admin\AppData\Local\Temp\7656fde2618ee7fbecd1e3e2149d909429892dd9abd0377c537309d625e988f4.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe"
    3⤵
    - Executes dropped EXE
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Sys32\winit32.exe

Filesize
279KB

MD5
1016d550f845cd30747174d1c4c51441

SHA1
de100d57892bc4364782b79349b62bd354fb2670

SHA256
6fbe6987fd675d572225e754914182b98b7f1258eb7c4fca72c29a3b742f3164

SHA512
bc423db801ae4b7e9365cedc5b94489d721d23da5240f26068d9848b36b6e3d82077e6357126942f70e7ec69b6f996075a63a9af19908f8c650a4bce0530d532

Download Submit