Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
  Resource: win10v2004-20240508-en
General
Target: a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
Size: 76KB
MD5: 18d94ddfe5d614e698b8b982ce4ca56f
SHA1: b0584c8257f076e6a70ae18a5dbba59f069ba9a2
SHA256: a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83
SHA512: d4925fcce730ea8e42313eceae36c9a41fee8b9d91ecf96a33f8dd9506d1d2da242de87e262f7007983589868903f780d2dedf0ad735d439356e3638f5fa062c
SSDEEP: 768:rxgZvuTrbYJLKmkwW+cBh8mvdgCXGcZDxc7mdKnI/:r1bKLHG+i8HSPZDW
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Admin.exe
Executes dropped EXE (1 IoC)
pid | Process
2948 | Admin.exe
Loads dropped DLL (2 IoCs)
pid | Process
2184 | a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
2184 | a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe" | Admin.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2948 Admin.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2948 Admin.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2948 Admin.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2948 Admin.exe 2948 Admin.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2948 Admin.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2948 Admin.exe 2948 Admin.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2948 Admin.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2948 Admin.exe 2184 a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe 2948 Admin.exe -
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2184 | a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
2948 | Admin.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2184 wrote to memory of 2948 | 2184 | a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | 28
PID 2184 wrote to memory of 2948 | 2184 | a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | 28
PID 2184 wrote to memory of 2948 | 2184 | a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | 28
PID 2184 wrote to memory of 2948 | 2184 | a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a92f7ff1e437840786a132020d2ec00af5a19c1b34d7440f8e7080fd388e6e83.exe"
   PID: 2184
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. (child of PID 2184) C:\Users\Admin\Admin.exe
      Command line: "C:\Users\Admin\Admin.exe"
      PID: 2948
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76KB
MD5: cb72e550fe9e96b63224ef628df89335
SHA1: 67be2430e4cba39db2d2c95e7fb6db20e9ee6fd8
SHA256: 4c99161df51ea517bcf0d5a525b3e3afc20f99c68c2f8451b869ecdb111acb5d
SHA512: 045413aaf02bafa56c187eb044e85945d657d75392f2f9b3d2234e269187b52d78e01bbe45907d48d360b050a3d26e5285db97bdafa6fde8b0d6385a4e225fc1