e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
290s
max time network
125s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Size

2.5MB
MD5

227f3ff19943a0e8c1b26a563246280f
SHA1

fe1ac18c76386fc9ce0a6ff7e6514f1d03848d1b
SHA256

7d10721692eb8300431b9c707bca16cf2de75990a6714172f7be096e5ebc666f
SHA512

f359bbbb6c6a5dbeea4d871c446507775a94d11e00011cf240fbcb09966215e853ce655db25a188d3c790dc34c3b847c45df76e666083d35390be0f73561725f
SSDEEP

24576:UVgsaDZgQjGkwlks/6HnEpFsaK2cWfVaw0HBFhWof/0o8:UVnaDZvjG0DnNaK2SQU0o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe

Executes dropped EXE 1 IoCs

Processes:

Iagfoe32.exe

pid process

2580 Iagfoe32.exe

pid	process
2580	Iagfoe32.exe

Loads dropped DLL 6 IoCs

Processes:

[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exeWerFault.exe

pid	process
2956	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
2956	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Drops file in System32 directory 3 IoCs

Processes:

[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Iagfoe32.exe	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2680 2580 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
2680	2580	WerFault.exe	Iagfoe32.exe

Modifies registry class 6 IoCs

Processes:

[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exeIagfoe32.exe

description	pid	process	target process
PID 2956 wrote to memory of 2580	2956	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe	Iagfoe32.exe
PID 2956 wrote to memory of 2580	2956	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe	Iagfoe32.exe
PID 2956 wrote to memory of 2580	2956	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe	Iagfoe32.exe
PID 2956 wrote to memory of 2580	2956	[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe	Iagfoe32.exe
PID 2580 wrote to memory of 2680	2580	Iagfoe32.exe	WerFault.exe
PID 2580 wrote to memory of 2680	2580	Iagfoe32.exe	WerFault.exe
PID 2580 wrote to memory of 2680	2580	Iagfoe32.exe	WerFault.exe
PID 2580 wrote to memory of 2680	2580	Iagfoe32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 140
3⤵
- Loads dropped DLL
- Program crash
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Iagfoe32.exe

Filesize
2.5MB

MD5
495e388efc5f0cd164e43bdf2e6598d2

SHA1
1d5e44f03138058cc0e4dc48c78c7a89a9e19579

SHA256
a235e8784bd643390cabadb8974c8ad468071cddfaacc356395e1c8212a47ac7

SHA512
38a8f366884f4cb3db544d8c57cccaad6bf0435f3ab41a87c2c49a51a1589d534a7dc4cddabd1e778b37e53816c78c2c798821968a8a01d58242ebdb0de8ef48

Download Submit
memory/2580-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-6-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2956-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download