Analysis

  • max time kernel
    121s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 05:21

General

  • Target
    e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
  • Size
    3.1MB
  • MD5
    e3e1b247481c08890ed60eed55d41d94
  • SHA1
    e59eb8591f9c4c7b0ac16ea63b5d45ee4ebf0c07
  • SHA256
    e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1
  • SHA512
    b34cfffeffbe3dae4957d09cc61421ed78922e6ff55225d9611d8834767e19fdb92279e60fce4cbd13561f838c1639d29b1ce6712a777a9c62e51b22220ee431
  • SSDEEP
    98304:gMmD2mDe2mDMmD2mDc2mDMmD2mD82mDM/:gMmD2mDe2mDMmD2mDc2mDMmD2mD82mDM

Score
10/10

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe
    "C:\Users\Admin\AppData\Local\Temp\e609755ba4dca66179e8fd79e85423623d51fc183e5bbc840e0784f4c781aaf1.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Modifies registry key
      PID:3040
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2528
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2276
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              PID:1924
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:2836
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1788
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1760
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1732
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:2620
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1508
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1608
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:828
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:1840
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2772
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 6.2MB
    MD5: a53c96dfbb79f3e792c13e5ecdd32830
    SHA1: 4a11cfd1ca1b8769bf3be054b54bf5d549604c90
    SHA256: cf3bfedc5cd172228218fadc4fdb0866aa19222b80f9cc68e3916441df2da5e7
    SHA512: 8b4b07dcc77b291885d8308993dd3cf38aed7041c741680c02534cf46dc76900d5a8e236df74f49a98bd9d1701e1e11d04a61eb25713f88bcce9ba1b7b1a6572

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 9.2MB
    MD5: 817002cba8ffd240e5f75aa51b77dc15
    SHA1: 643b2e724f85c2ca2a24c16df2f8be0cd7931759
    SHA256: 0d6b8981f4dd3b4e0fc1fcca024d871c7bee48a6f9532c5c2c4bcd0476b0f140
    SHA512: 9f740803a8a925b32c0c84f160f8c05b6ea8a042d5d0ad99d823983bf34e72e0543c4f172b061a20658d4d124ce817a444d03c5998940cb4ef98932a8b5790a6

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 12.3MB
    MD5: 516199f1cbcea565b4aa4a85e97e8f16
    SHA1: 7095762624103d2982bd9d7e8e2dae2940295b72
    SHA256: 90cd8697d4ddf69a5007dd26b22319615a5e497c62640a2a8bb8dafec951e3a6
    SHA512: 84af6625b505d8693f06038c44b1bb008a639d6dbd0e5c38a1c740fca04444b63232758618df78394c5cfed448a486ee3dc3e3dbe1190954c59f20b917cbf27a

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 18.4MB
    MD5: 7c192209c52348cbac776b3ed785adee
    SHA1: 9a98e73ac33d18d0bef1094c4bfa4c68c16b56b7
    SHA256: 5ffe3b7acf81c325b2388a54e477ed7b6752b1911cc530d2d17a89c326627827
    SHA512: 527d7828597ee67da95a5217df7639ee91dc57f7706b58f8a82c8e0a14970cb83f2dfa9eaa805eadce5591b01a01479b0f9c758d3edf74db06656d5e3118e87e

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 18.4MB
    MD5: a1a53a6ab5b8a43ed06d839925980a1e
    SHA1: 4028d13360b1c54eccfdb9a7ba8306bef0d80523
    SHA256: cbd692fb2d3e9469092cf6bfc8349bd55963626bc974154576ca22531b5c968e
    SHA512: e5b98fb8418f17cdfb57c748d362a90a6fab281e3e37a56a7584d940daacab4c9b8755d2dde6cb0682304405640afe4f78856d83dcf900e82fc542eadf04f012

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 24.5MB
    MD5: 4330ac0b888e1caa10bd7e0be1b3524f
    SHA1: 2f18b357b64011683ba0767a9136ae556071df75
    SHA256: 431e5b2fe6a2346b8da56200b03e46b283407836787bbfbec0b23b13101a6170
    SHA512: 59088b54ffc5ad87963e0f69e144aece8fbdd9724d3639ffa1e290e497106c99df4e917a4b2718d2088815cd56e39def2019b47401b93729e507230988a7a2d3

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp
    Filesize: 24.5MB
    MD5: bed1d56b80b6a3ec3d99e762a0a39bcb
    SHA1: c9f5081b2c60055657be7c3fe5ac5dbbb590cedf
    SHA256: bcefdb471b871543db8972bc5aabfc218180415c9833a4d6eee9eb8ca2d2c113
    SHA512: 81a2331dcf7bbfa8fcbfbca0a620144888cbf60c1c927304095f002fc58b01c1ca51476b151e553af19cf1ad9fcf4ba6cb0115ddc1798b321f0090212433c64f

  • C:\Windows\W_X_C.vbs
    Filesize: 195B
    MD5: f95358465555a555747e89f1ff9648ec
    SHA1: c49cf9463efca89b6e07f06ccbb2e6d17d6fc645
    SHA256: f40d0daff2b4d5f62032c405ece6f2ad5482a2fcc53a29a41393ee72d996528f
    SHA512: 6a9ad835557fb4c74c826abab42eb8c35a7c2d9f7d61dab15e244d2aeab00cde77abb2669a805ef79f0cf3b07f732ef2267668e1397e623ce543948b99fdbad5

  • C:\Windows\hosts.exe
    Filesize: 3.1MB
    MD5: eb074ced6670448ffcae4e37b132ac14
    SHA1: 65b3386055a607a1b03824cc76117ffba2debe72
    SHA256: 0047a3a070befb9a8de971e2f1b0bbeaf0f4b6897eeee32aa56d9e567688e43c
    SHA512: 5ed934d1155abe880b4685e31fbde63b994437c0762a587545a5af889ea70374233bb2cc5a7dd9f49a958fe0155593cf592b1f62bb52710e0ed4a9085c652fbf

  • \??\c:\windows\W_X_C.bat
    Filesize: 336B
    MD5: 4db9f8b6175722b62ececeeeba1ce307
    SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
    SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
    SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe
    Filesize: 3.1MB
    MD5: df874e396d203675edbacdcbe51c95da
    SHA1: 1f2925b2130c54641e52e18a59c505d043168934
    SHA256: ad96eb42433457811089874a8ff2b658cbae30c3c953a67bab1c91d882e3f3ea
    SHA512: a7f3567dca1e6ce354a88f775542e2fcf7005bee21142835e23118d25c5989b5909a2a39023c2e40d6b0efe370f7b6e0e41b959b62a09ef784f89ff18ef7b6ea