2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe
Size

176KB
MD5

8893a8b6776c2ad16f3db82e78e26e99
SHA1

a33299db49945a46276765b443e232c493dc6541
SHA256

2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606
SHA512

180c6e616672462d97d948fb25f0d737902e171bcbd45d63022458a175e70d7051ef9ca60b146b1866f86c09a52be37985812a146f683df8328aaa42faf3403e
SSDEEP

3072:D9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHukK:J0MJBVlx+Vf274Q2xqhxoNH1Ti5Ytuk

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1448	charelog.exe
1216	~9482.tmp
2484	MRINethc.exe

Loads dropped DLL 3 IoCs

pid	Process
1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe
1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe
1448	charelog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\convvr32 = "C:\\Users\\Admin\\AppData\\Roaming\\fltMexer\\charelog.exe"	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MRINethc.exe	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	charelog.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE
2484	MRINethc.exe
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1448	1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	30
PID 1748 wrote to memory of 1448	1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	30
PID 1748 wrote to memory of 1448	1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	30
PID 1748 wrote to memory of 1448	1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	30
PID 1448 wrote to memory of 1216	1448	charelog.exe	31
PID 1448 wrote to memory of 1216	1448	charelog.exe	31
PID 1448 wrote to memory of 1216	1448	charelog.exe	31
PID 1448 wrote to memory of 1216	1448	charelog.exe	31
PID 1216 wrote to memory of 1200	1216	~9482.tmp	21
PID 1748 wrote to memory of 2884	1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	33
PID 1748 wrote to memory of 2884	1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	33
PID 1748 wrote to memory of 2884	1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	33
PID 1748 wrote to memory of 2884	1748	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	33
PID 2884 wrote to memory of 2752	2884	cmd.exe	35
PID 2884 wrote to memory of 2752	2884	cmd.exe	35
PID 2884 wrote to memory of 2752	2884	cmd.exe	35
PID 2884 wrote to memory of 2752	2884	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2752	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200
- C:\Users\Admin\AppData\Local\Temp\2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe
  "C:\Users\Admin\AppData\Local\Temp\2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Roaming\fltMexer\charelog.exe
    "C:\Users\Admin\AppData\Roaming\fltMexer\charelog.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\~9482.tmp
      "C:\Users\Admin\AppData\Local\Temp\~9482.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    /C 259429631.cmd
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe"
      4⤵
      Views/modifies file attributes
      PID:2752

C:\Windows\SysWOW64\MRINethc.exe
C:\Windows\SysWOW64\MRINethc.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259429631.cmd

Filesize
291B

MD5
58610a33dce854c12977c3e4d9cb93f8

SHA1
2b44da9e500533ba627e454a11722926b0db4704

SHA256
40401c0359f992572cfec3f12701f6cd7f0fac64c0c33cf5e7c663382f80d382

SHA512
97fb33a59879d474e850ad3bf2af05c5e731598ef9d358fa5f9f7d7054170d09c5ffd577e157d75f2467e3e17ab3b808b5eac483e6e3afbc315708e050c3ebca

Download Submit
C:\Windows\SysWOW64\MRINethc.exe

Filesize
176KB

MD5
8893a8b6776c2ad16f3db82e78e26e99

SHA1
a33299db49945a46276765b443e232c493dc6541

SHA256
2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606

SHA512
180c6e616672462d97d948fb25f0d737902e171bcbd45d63022458a175e70d7051ef9ca60b146b1866f86c09a52be37985812a146f683df8328aaa42faf3403e

Download Submit
\Users\Admin\AppData\Local\Temp\~9482.tmp

Filesize
6KB

MD5
46811a5736a552489ee072744a661511

SHA1
c206cc5f746748d338edf651945b6a6a117e769d

SHA256
b4a967cefd2e06c29528a111d1b710456c38e83432048860920ab88cacbfaee4

SHA512
49c7ab76dfc5045da0ef4be04542ce11f0ebd036c1ff513cfbe8da3bf306898af8ad1164d09ba7cfbfdd72265c50400be99d2bf5f1629fb62ac22bccc3601747

Download Submit
\Users\Admin\AppData\Roaming\fltMexer\charelog.exe

Filesize
176KB

MD5
4265872c6304f942817242911f62b150

SHA1
20f6ca6b3eb8bcd705720288346d1e5f74dc9d6d

SHA256
aeca5e90c005d7916ebb44dd939a2f4117894a901af8ea4496297c10248bc994

SHA512
abeca04a9fabe62cfe3db5f47ec8635652e0eafd7b6f2ce5fcf6df13e7ff620a64623269084f3e9002a75362fc929fc09dd939b4277e87086559108b8b0242d8

Download Submit
memory/1200-17-0x0000000002E10000-0x0000000002E53000-memory.dmp

Filesize
268KB

Download
memory/1200-16-0x0000000002E10000-0x0000000002E53000-memory.dmp

Filesize
268KB

Download
memory/1200-19-0x0000000002E10000-0x0000000002E53000-memory.dmp

Filesize
268KB

Download
memory/1448-12-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/1748-0-0x0000000000070000-0x00000000000B0000-memory.dmp

Filesize
256KB

Download
memory/2484-26-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2484-28-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2484-29-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download