45c1d2508ba85f787caed48cbc834547a5271d923bad51a1b39d2536353f42bf

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

386c7ea195401747c6f7bea1314adb00N.exe
Size

11KB
MD5

386c7ea195401747c6f7bea1314adb00
SHA1

3df211d363010776cc536eb02835dc6c357626d9
SHA256

45c1d2508ba85f787caed48cbc834547a5271d923bad51a1b39d2536353f42bf
SHA512

48f0297d3afd299c2a910d42a23c63fa2127d9d21d675d2392d79da8a6bf4922008d97aa26432fac75d6a1e5da2e32b16cbcaa257e8a1a9700f7c913bd90e42b
SSDEEP

192:Zg6eHLE5KxkDpnqKjIdtaCRYvRtCk1rE1Ty68A3CuYYpZ7E:G6eHIAx0pqNgHvRtoyhASuYYpZ7E

Score

7^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2600	xplorer.exe

Loads dropped DLL 5 IoCs

pid	Process
2808	386c7ea195401747c6f7bea1314adb00N.exe
2808	386c7ea195401747c6f7bea1314adb00N.exe
2808	386c7ea195401747c6f7bea1314adb00N.exe
2808	386c7ea195401747c6f7bea1314adb00N.exe
2808	386c7ea195401747c6f7bea1314adb00N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\\Windows\\xplorer\\xplorer.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	386c7ea195401747c6f7bea1314adb00N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xplorer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xplorer\xplorer.exe	386c7ea195401747c6f7bea1314adb00N.exe
File opened for modification	C:\Windows\xplorer\xplorer.exe	386c7ea195401747c6f7bea1314adb00N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe
Token: SeDebugPrivilege	2600	xplorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2808	386c7ea195401747c6f7bea1314adb00N.exe
2600	xplorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2908	2808	386c7ea195401747c6f7bea1314adb00N.exe	30
PID 2808 wrote to memory of 2908	2808	386c7ea195401747c6f7bea1314adb00N.exe	30
PID 2808 wrote to memory of 2908	2808	386c7ea195401747c6f7bea1314adb00N.exe	30
PID 2808 wrote to memory of 2908	2808	386c7ea195401747c6f7bea1314adb00N.exe	30
PID 2908 wrote to memory of 2004	2908	cmd.exe	32
PID 2908 wrote to memory of 2004	2908	cmd.exe	32
PID 2908 wrote to memory of 2004	2908	cmd.exe	32
PID 2908 wrote to memory of 2004	2908	cmd.exe	32
PID 2808 wrote to memory of 2600	2808	386c7ea195401747c6f7bea1314adb00N.exe	33
PID 2808 wrote to memory of 2600	2808	386c7ea195401747c6f7bea1314adb00N.exe	33
PID 2808 wrote to memory of 2600	2808	386c7ea195401747c6f7bea1314adb00N.exe	33
PID 2808 wrote to memory of 2600	2808	386c7ea195401747c6f7bea1314adb00N.exe	33

C:\Users\Admin\AppData\Local\Temp\386c7ea195401747c6f7bea1314adb00N.exe
"C:\Users\Admin\AppData\Local\Temp\386c7ea195401747c6f7bea1314adb00N.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\JRGQG.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2004
- C:\Windows\xplorer\xplorer.exe
  "C:\Windows\xplorer\xplorer.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JRGQG.bat

Filesize
124B

MD5
4e6e99d38b1264af2b53a68c7cd6d648

SHA1
55ffe17732d1d9c539d702a1311ef9674fe7b3cf

SHA256
168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0

SHA512
bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d

Download Submit
\Windows\xplorer\xplorer.exe

Filesize
11KB

MD5
f9391aa2aeea14a4604dd9401ed6d827

SHA1
44d8d0e430ec3c0c68f35dd21b58a66f2a1140df

SHA256
d9e898bf4b3a3904fcfc2f14010bda197b001d1792f9a68b0c192a9efa527517

SHA512
2544c3915ed808822a6723aa87f0f7b2e9285ab65dfbe80a748278f86421eb5de7309174a047644565cac2000e47c7be3b6eb4914f8094d1398dcec75f17bedf

Download Submit
memory/2600-48-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-27-0x0000000002080000-0x0000000002089000-memory.dmp

Filesize
36KB

Download
memory/2808-44-0x0000000002090000-0x0000000002099000-memory.dmp

Filesize
36KB

Download
memory/2808-43-0x0000000002090000-0x0000000002099000-memory.dmp

Filesize
36KB

Download
memory/2808-42-0x0000000002090000-0x0000000002099000-memory.dmp

Filesize
36KB

Download
memory/2808-41-0x0000000002080000-0x0000000002089000-memory.dmp

Filesize
36KB

Download
memory/2808-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2808-52-0x0000000002090000-0x0000000002099000-memory.dmp

Filesize
36KB

Download
memory/2808-51-0x0000000002080000-0x0000000002089000-memory.dmp

Filesize
36KB

Download
memory/2808-53-0x0000000002090000-0x0000000002099000-memory.dmp

Filesize
36KB

Download
memory/2808-54-0x0000000002090000-0x0000000002099000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads