Analysis
  max time kernel: 150s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 23-05-2024 01:48
Static task: static1
Behavioral task: behavioral1 (the run shown on this page: windows7_x64 / win7-20240221-en)
  Sample: 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
  Resource: win10v2004-20240508-en
General
  Target: 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
  Size: 40KB
  MD5: 14e89bb590360f5b84a0d085962926c0
  SHA1: 0d5d0738db41cc9ab2ca0d59ae066754c3975d7b
  SHA256: 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4
  SHA512: ce0605600c3608466e6c11a50fcb31670c4064d369c4c6595eabb4226ddd0d0f46ac37eb6c2f6df231db3ac67fb91309c59ab41744faac00eb51a12a577f06ba
  SSDEEP: 768:yHPXwaMzQ/+Itw0HBsTBkbHrHXd4fCJcEHwzOx0vc:yvD/bsTB4bqh1vc
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe, Admin.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by Admin.exe
  Both writes land in the user's own hive (\REGISTRY\USER\<SID>, i.e. HKCU), so no elevation is needed.

Executes dropped EXE (1 IoC)
  pid 2160  Admin.exe

Loads dropped DLL (2 IoCs)
  pid 2356  711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe  (2 events)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe, Admin.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"  by 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"  by Admin.exe
  The submitted sample and its dropped copy write the same Run value, so the dropped copy re-asserts its own persistence on launch.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe, Admin.exe
  64 events: pid 2356 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe (3), pid 2160 Admin.exe (3), then the remaining 58 alternate between pid 2356 and pid 2160.

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2356  711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
  pid 2160  Admin.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2356 (711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe) wrote to memory of PID 2160 (Admin.exe)  (4 events)
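The two registry signatures above are the ones worth turning into detection logic: a Run value pointing into a user-writable directory, and ShowSuperHidden forced to 0. The script below is an added example written for this page; it is not code from the sandbox report or from the sample. It evaluates those rules over event records constructed inline from the report's IoCs (the event field names event, pid, image, key, data, path and sha256 are an assumed schema, not the sandbox's or Sysmon's), checks dropped-file hashes against the report's SHA256 values, and scores a PID only when it trips more than one rule, because ShowSuperHidden=0 is also the Windows default and is weak evidence on its own.

```python
"""Triage the IoCs in this report against event records.

Added example for this page; it is not part of the sandbox report or the
sample's code. The event dicts below are constructed from the report's
registry and dropped-file IoCs, and the field names (event, pid, image,
key, data, path, sha256) are an assumed schema, not Sysmon's or the sandbox's.
"""
import re
from collections import defaultdict

# Hashes copied from the report (submitted sample and dropped Admin.exe).
SAMPLE_SHA256 = "711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4"
DROPPED_SHA256 = "7d210d5aa163b540caeb8584151b330ff19f59e18456ab9b5658bac13464d99b"

# HKCU\...\Run\<name> (any value name), matched on the tail of the key path.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
# Locations a standard user can write to; autostarts there deserve a look.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\(Users|ProgramData)\\", re.I)


def exe_from_command(data: str) -> str:
    """Return the image path from a Run value, quoted with arguments or bare."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]


def check_event(ev: dict) -> list:
    """Return (rule, detail) findings for one event."""
    findings = []
    if ev["event"] == "registry_set":
        key, data = ev["key"], str(ev["data"])
        if RUN_KEY_RE.search(key):
            target = exe_from_command(data)
            if USER_WRITABLE_RE.match(target):
                findings.append(("persistence.run_key_user_writable", f"{key} = {data}"))
            if target.lower() == ev["image"].lower():
                # The dropped copy registering itself is the report's second Run-key write.
                findings.append(("persistence.run_key_self_reference", ev["image"]))
        elif SUPER_HIDDEN_RE.search(key) and data == "0":
            # 0 is also the Windows default, so this only counts together with other hits.
            findings.append(("evasion.hide_superhidden_files", ev["image"]))
    elif ev["event"] == "file_write":
        if ev.get("sha256", "").lower() in (SAMPLE_SHA256, DROPPED_SHA256):
            findings.append(("ioc.known_hash", f"{ev['path']} {ev['sha256']}"))
    return findings


def triage(events) -> dict:
    """Map each PID that produced findings to its sorted, de-duplicated rule names."""
    by_pid = defaultdict(set)
    for ev in events:
        for rule, _detail in check_event(ev):
            by_pid[ev["pid"]].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


def suspicious_pids(events, min_rules: int = 2) -> list:
    """PIDs hitting at least min_rules distinct rules; a lone ShowSuperHidden write is not enough."""
    return sorted(pid for pid, rules in triage(events).items() if len(rules) >= min_rules)


SID = "S-1-5-21-1298544033-3225604241-2703760938-1000"
HKU = "\\REGISTRY\\USER\\" + SID
PARENT = r"C:\Users\Admin\AppData\Local\Temp\711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe"
CHILD = r"C:\Users\Admin\Admin.exe"

# Constructed events mirroring the report's IoCs, plus one benign control entry.
EVENTS = [
    {"event": "file_write", "pid": 2356, "image": PARENT, "path": CHILD, "sha256": DROPPED_SHA256},
    {"event": "registry_set", "pid": 2356, "image": PARENT,
     "key": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "data": 0},
    {"event": "registry_set", "pid": 2356, "image": PARENT,
     "key": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Admin", "data": CHILD},
    {"event": "registry_set", "pid": 2160, "image": CHILD,
     "key": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "data": 0},
    {"event": "registry_set", "pid": 2160, "image": CHILD,
     "key": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Admin", "data": CHILD},
    {"event": "registry_set", "pid": 1000, "image": r"C:\Program Files\Vendor\setup.exe",  # benign control
     "key": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r'"C:\Program Files\Vendor\agent.exe" /quiet'},
]

if __name__ == "__main__":
    for pid, rules in sorted(triage(EVENTS).items()):
        print(pid, rules)
    print("suspicious:", suspicious_pids(EVENTS))
```

On a real host the same records would come from Sysmon Event ID 13 (registry value set) and Event ID 11 (file create, with the hash computed separately); the benign control entry shows why the Run-key rule keys on the target path rather than on the key alone, since legitimate installers write the same key.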
Processes

C:\Users\Admin\AppData\Local\Temp\711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe  "C:\Users\Admin\AppData\Local\Temp\711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe"  (pid 2356)
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\Admin.exe  "C:\Users\Admin\Admin.exe"  (pid 2160)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
\Users\Admin\Admin.exe
  Filesize: 40KB
  MD5: 43dc8c13c047bc9aebfe86cf603fdada
  SHA1: 81e0c5542ae2627b901aba192b44a5197501551c
  SHA256: 7d210d5aa163b540caeb8584151b330ff19f59e18456ab9b5658bac13464d99b
  SHA512: 1c9a3c9d86f1da67bad4316291ec85baae1a5f19207d08a38e43d85135f23a4883dd30ef782fd5c50239b10904033186c6118a8f229facad2376b7d6e7347611
  Same 40KB size as the submitted sample, but different hashes: the dropped copy is not byte-identical to the parent.