7d93356ce79e5c931bc2951c4284d42fc9210c8e130ffec7833463f3d7aaaa75

Analysis

max time kernel
134s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$INSTDIR"/bin/"/WinTail.exe
Size

52KB
MD5

3a5bb63758bf6b7d9db7302282905fc9
SHA1

da9e4d73245685a5ab8d3c97985bcf4c1e5ce901
SHA256

f0bd288e745ded5dec8b55d16d8f85ec787caeafb9de09b67d751a6c7404cbaf
SHA512

745a4dc70c6dd64ee728308e049b3c55df9b2484ceee3662f0c6196507d8c8f5f20c582e550e63c817626bb4e53c59f23fb18f044340c857d351b3e129ecbf9f
SSDEEP

768:yaVsCWUeA96qbmALOV96YEVZeT/u1bmVm1gD8B5zxtHtZ/mKFInHOiB9uOcchdYO:9GEVZeTUS+NtNNmKFIntcYdYgo2J5

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WinTail.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WinTail.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	WinTail.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	WinTail.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	WinTail.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	WinTail.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	WinTail.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	WinTail.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	WinTail.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	WinTail.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	WinTail.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WinTail.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	WinTail.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	WinTail.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WinTail.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	WinTail.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	WinTail.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	WinTail.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	WinTail.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinTail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	WinTail.exe

C:\Users\Admin\AppData\Local\Temp\$INSTDIR_\bin\_\WinTail.exe
"C:\Users\Admin\AppData\Local\Temp\$INSTDIR_\bin\_\WinTail.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads