Overview
overview
10Static
static
100715240d1a...ce.exe
windows7-x64
907fec2205c...42.exe
windows7-x64
1010dc6e128c...c0.exe
windows7-x64
3133bf8be0c...de.exe
windows7-x64
10139a8bb2c5...c1.exe
windows7-x64
1019f7d53c4a...a0.exe
windows7-x64
102896b38ec3...9c.exe
windows7-x64
102d301697ff...f4.exe
windows7-x64
3337576503...d8.exe
windows7-x64
33e04fe9f42...f1.exe
windows7-x64
103e6fbc358e...45.exe
windows7-x64
103f7458e658...df.exe
windows7-x64
434ea9832e...27.exe
windows7-x64
1047792144c9...6f.exe
windows7-x64
105114aae6e8...8c.exe
windows7-x64
10537a2fd4d2...ba.exe
windows7-x64
355754358dd...1c.exe
windows7-x64
15b1caa9bec...c1.exe
windows7-x64
160c24a4c6b...21.exe
windows7-x64
963396a28b7...cc.exe
windows7-x64
978d4fce0c2...2e.exe
windows7-x64
37c27b9fef6...33.exe
windows7-x64
381689f1be9...ed.exe
windows7-x64
10995a91e668...55.exe
windows7-x64
109d90421b2e...56.exe
windows7-x64
10a597d34bc2...40.exe
windows7-x64
10a5e6df754a...d1.exe
windows7-x64
10add2850732...6b.exe
windows7-x64
10b098486c49...0d.exe
windows7-x64
10b923f1d2ec...ed.exe
windows7-x64
10bbdac308d2...4b.exe
windows7-x64
9c3fb821138...c1.exe
windows7-x64
9Analysis
-
max time kernel
1216s -
max time network
1218s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
16-07-2024 08:54
Static task
static1
Behavioral task
behavioral1
Sample
0715240d1af82c1cea262cde2a286b8b400805dc1f35f49422c7ee39e00f93ce.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
07fec2205cbbf2900ede2f6a1d9a5c428ef314c1dda559c632833a9c1d121542.exe
Resource
win7-20240705-en
Behavioral task
behavioral3
Sample
10dc6e128c7e5e7088f487ba9b22c1a836f50a552bc93fcce748d7e1c8f76fc0.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
133bf8be0cf7003b83b03579970997d408a930e58ec2726715140520900c06de.exe
Resource
win7-20240708-en
Behavioral task
behavioral5
Sample
139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1.exe
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0.exe
Resource
win7-20240704-en
Behavioral task
behavioral7
Sample
2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c.exe
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
2d301697ff72986171c0b2ccc979ab8e93671d640de6abad57de7d4e146b70f4.exe
Resource
win7-20240708-en
Behavioral task
behavioral9
Sample
3337576503c3e2d8876f50191ae8995b04a4536f816025c543d0e20250598fd8.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Resource
win7-20240705-en
Behavioral task
behavioral11
Sample
3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe
Resource
win7-20240705-en
Behavioral task
behavioral12
Sample
3f7458e658401c15b675db78a2e9871ca3eeff3c6e299c4545515e56b66466df.exe
Resource
win7-20240704-en
Behavioral task
behavioral13
Sample
434ea9832e6d11d614905e3eb31c333289429095b76573f1ceb38fd10608bc27.exe
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe
Resource
win7-20240704-en
Behavioral task
behavioral15
Sample
5114aae6e86c7eedfbf181110e4fddfad88fe296ec590390705e00272121e48c.exe
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe
Resource
win7-20240705-en
Behavioral task
behavioral17
Sample
55754358ddd26b3c56ca27780dcc408711f8a9fc42b1c9d305d1045146f40f1c.exe
Resource
win7-20240705-en
Behavioral task
behavioral18
Sample
5b1caa9bec8d7d7833b0e25f3e4256975c38a22c2901f8e4d99fb164dfde13c1.exe
Resource
win7-20240705-en
Behavioral task
behavioral19
Sample
60c24a4c6b54b1f4baeaee585e5e2486bbd3ab4733de36bb28da1fdb20596e21.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
63396a28b79a7eaa60c384bcb02699398cd3b2b0c14fe9cfaf52b2ffa57798cc.exe
Resource
win7-20240705-en
Behavioral task
behavioral21
Sample
78d4fce0c253356bf72cf72f260f27a3f0f3cf0a904a3618f3011cbe0b4e882e.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
7c27b9fef6e94e99092fb628716ae9114385d4d5753f72bff1221bad2eb54933.exe
Resource
win7-20240705-en
Behavioral task
behavioral23
Sample
81689f1be92c8fb7e94fe241441c7eb43cfb77c6d23592b0248566bd709ff2ed.exe
Resource
win7-20240708-en
Behavioral task
behavioral24
Sample
995a91e668b85a992c8a71aed191fa0fafa3b1606bf205bef93a2457786de555.exe
Resource
win7-20240704-en
Behavioral task
behavioral25
Sample
9d90421b2e7afff3634a9b1590a165c07995d9e4f171e143c131d540147ec556.exe
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
a597d34bc2464c3ace48ac04f6653f65ac4822ea8e4a5717ba9e4909b8c62240.exe
Resource
win7-20240705-en
Behavioral task
behavioral27
Sample
a5e6df754a4d3bb72f4d5c91d6b582e7e2c2f87ca838f5d976bc82384a5ad2d1.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b.exe
Resource
win7-20240708-en
Behavioral task
behavioral29
Sample
b098486c49a73591ca003f20276f1ca33605618a7167407d9f3f096bc7ec930d.exe
Resource
win7-20240704-en
Behavioral task
behavioral30
Sample
b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded.exe
Resource
win7-20240708-en
Behavioral task
behavioral31
Sample
bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe
Resource
win7-20240704-en
Behavioral task
behavioral32
Sample
c3fb821138d38ef9a2b0c77a4a3572ca38499b2dac3530c4a5faf2f789d57fc1.exe
Resource
win7-20240708-en
General
-
Target
3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe
-
Size
126KB
-
MD5
ff1f6956f07e700a86b5986b63ea12db
-
SHA1
a8d88813f2691cf71e8d6790e473593644c913ed
-
SHA256
3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545
-
SHA512
04f4d29f37079ef04e2b1be812d20d89dca82e4fffff28047de435425a18573cc3edfd5b148e0aded71d652583785e82585c708e0fc38b5dbda61962cbb1f927
-
SSDEEP
1536:YxOUyl20w8bVZQ40iMSO1fY+iUyQs2r8t5p1ySotICS4A6QdZls8XzUXiWr4X5Fg:YMhQNDEtb3A2ZHjUyWr4X5FTDUA
Malware Config
Extracted
C:\Users\ez6061-readme.txt
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/654E6A57B456D094
http://decoder.re/654E6A57B456D094
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3004 netsh.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\K: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\P: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\R: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\E: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\M: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\O: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\Q: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\Y: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\G: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\L: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\V: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\F: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\T: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\A: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\W: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\Z: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\B: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\I: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\U: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\X: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\S: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\D: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\J: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened (read-only) \??\N: 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\581s731g7618j.bmp" 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe -
Drops file in Program Files directory 27 IoCs
description ioc Process File opened for modification \??\c:\program files\LockInitialize.ADTS 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\ReadGroup.aifc 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\WaitJoin.asx 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files\tmp 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files (x86)\ez6061-readme.txt 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\DebugConfirm.pot 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\MoveInitialize.php 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\SkipConnect.xlsm 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\TestGroup.ttc 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\ExitOpen.pot 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\MountSend.bmp 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\PushSkip.mp3 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\tmp 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\ez6061-readme.txt 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\ez6061-readme.txt 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\ez6061-readme.txt 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\ExitTrace.rmi 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\LockSync.wmv 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\PushRevoke.jfif 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\RequestDeny.txt 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\DebugUnprotect.ppsm 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\RevokeDeny.ogg 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tmp 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File opened for modification \??\c:\program files\AssertSplit.midi 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files\ez6061-readme.txt 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe File created \??\c:\program files (x86)\tmp 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe Token: SeTakeOwnershipPrivilege 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe Token: SeBackupPrivilege 2884 vssvc.exe Token: SeRestorePrivilege 2884 vssvc.exe Token: SeAuditPrivilege 2884 vssvc.exe Token: SeBackupPrivilege 1388 vssvc.exe Token: SeRestorePrivilege 1388 vssvc.exe Token: SeAuditPrivilege 1388 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1768 wrote to memory of 3004 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe 29 PID 1768 wrote to memory of 3004 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe 29 PID 1768 wrote to memory of 3004 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe 29 PID 1768 wrote to memory of 3004 1768 3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe 29 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe"C:\Users\Admin\AppData\Local\Temp\3e6fbc358e0204cb67a41b05771fac74f1b49737c7ab7138e415c7e9628ef545.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3004
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3064
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ez6061-readme.txt1⤵PID:2700
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD518be26d37a3453d1ee46d448c144771f
SHA1311e20ba8ba8c02163611da1f68a04b5e2efdf15
SHA25606c7b0a5bb41c62ffb6c28fa08b30fcdf3cf747df63737a0dd8150f4375e692f
SHA512cf876679686d048a296232a401b46ea5afc02cd4230d29468108d52ca66b2aef785b7ee268d656f63aeca98e57abbe064e3f08348e51269e42ce6e1f0f4f1d3b