baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe
Size

176KB
MD5

42a5ec45ffa987fe44692c5dc5596203
SHA1

8082bcdc38f3f56009d528a5a6079a1e2384072c
SHA256

baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597
SHA512

82b3970fe0be50aace3ffb77c9538ba23f007c4ef39a8bfef694538f971f0b578de6e55d431f436b91c171911d3f33466fa4f999d963be2197a55e328501ee96
SSDEEP

3072:S9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:o0MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1352	autoclip.exe
2884	~90EA.tmp
2548	moundVol.exe

Loads dropped DLL 3 IoCs

pid	Process
1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe
1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe
1352	autoclip.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdtskey = "C:\\Users\\Admin\\AppData\\Roaming\\Dispelog\\autoclip.exe"	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\moundVol.exe	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	autoclip.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE
2548	moundVol.exe
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1352	1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	28
PID 1688 wrote to memory of 1352	1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	28
PID 1688 wrote to memory of 1352	1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	28
PID 1688 wrote to memory of 1352	1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	28
PID 1352 wrote to memory of 2884	1352	autoclip.exe	29
PID 1352 wrote to memory of 2884	1352	autoclip.exe	29
PID 1352 wrote to memory of 2884	1352	autoclip.exe	29
PID 1352 wrote to memory of 2884	1352	autoclip.exe	29
PID 2884 wrote to memory of 1260	2884	~90EA.tmp	21
PID 1688 wrote to memory of 2636	1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	31
PID 1688 wrote to memory of 2636	1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	31
PID 1688 wrote to memory of 2636	1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	31
PID 1688 wrote to memory of 2636	1688	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	31
PID 2636 wrote to memory of 2704	2636	cmd.exe	33
PID 2636 wrote to memory of 2704	2636	cmd.exe	33
PID 2636 wrote to memory of 2704	2636	cmd.exe	33
PID 2636 wrote to memory of 2704	2636	cmd.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2704	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1260
- C:\Users\Admin\AppData\Local\Temp\baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe
  "C:\Users\Admin\AppData\Local\Temp\baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Roaming\Dispelog\autoclip.exe
    "C:\Users\Admin\AppData\Roaming\Dispelog\autoclip.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\~90EA.tmp
      "C:\Users\Admin\AppData\Local\Temp\~90EA.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    /C 259428960.cmd
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe"
      4⤵
      Views/modifies file attributes
      PID:2704

C:\Windows\SysWOW64\moundVol.exe
C:\Windows\SysWOW64\moundVol.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259428960.cmd

Filesize
291B

MD5
6fec61fc1d61711a7c03e75340ce605b

SHA1
b2b057a58218d91003826429846bd2294454311b

SHA256
b377c762fae611f2c4aca7d5efcbbe347afeaa36361bbb9ea7b07d68312a372d

SHA512
0f10e76c0c3004eabd77bc48ab4147d5b8bb63efbd59064a42c14b31fa6c5aac9125c299c02f0ffef28bcdd66ed9f5d3cfaf31d156bdd3a2951b58069cfae142

Download Submit
C:\Windows\SysWOW64\moundVol.exe

Filesize
176KB

MD5
42a5ec45ffa987fe44692c5dc5596203

SHA1
8082bcdc38f3f56009d528a5a6079a1e2384072c

SHA256
baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597

SHA512
82b3970fe0be50aace3ffb77c9538ba23f007c4ef39a8bfef694538f971f0b578de6e55d431f436b91c171911d3f33466fa4f999d963be2197a55e328501ee96

Download Submit
\Users\Admin\AppData\Local\Temp\~90EA.tmp

Filesize
6KB

MD5
ce65318f0995592b774014c288b811ac

SHA1
980796ddd10e4661422cd9cc8f1243e951c51cd7

SHA256
eecc9c552b3b19d3d6eb4944665b098f4acf3794dcc80075802c9c5fd3238398

SHA512
995d12a1b34447c40e7dc3c3464efa2635e1b517d68a9e03c451cfd1996972c33b4724cfde49d260a318a66b0a3add4c7b2740605e5b0c867f076af4390075df

Download Submit
\Users\Admin\AppData\Roaming\Dispelog\autoclip.exe

Filesize
176KB

MD5
622f00efa944a9357c5eae13238c5ccf

SHA1
ac7b9ed4b1196302c23cbe24e09b250c7e490d03

SHA256
b2ab0d09c7498bd8f9eba8dc6314be0637d9f5f25d0ed0bc8ab8780236b760cc

SHA512
02fadb2195c2f3cb94c6023c8d9387f0e19655f8ee527206458f3a81a8ab0c5d01a347232c7dc3be0ebfad8c8c00d6b2c4266df271733e3efb35b2e534b0369b

Download Submit
memory/1260-17-0x0000000002AB0000-0x0000000002AF3000-memory.dmp

Filesize
268KB

Download
memory/1260-16-0x0000000002AB0000-0x0000000002AF3000-memory.dmp

Filesize
268KB

Download
memory/1260-21-0x0000000002AB0000-0x0000000002AF3000-memory.dmp

Filesize
268KB

Download
memory/1352-12-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/1688-0-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2548-27-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download
memory/2548-30-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download
memory/2548-29-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download