Analysis
max time kernel: 120s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/07/2024, 00:32
Static task: static1
Behavioral task: behavioral1
  Sample: 386c7ea195401747c6f7bea1314adb00N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 386c7ea195401747c6f7bea1314adb00N.exe
  Resource: win10v2004-20240709-en
General
Target: 386c7ea195401747c6f7bea1314adb00N.exe
Size: 11KB
MD5: 386c7ea195401747c6f7bea1314adb00
SHA1: 3df211d363010776cc536eb02835dc6c357626d9
SHA256: 45c1d2508ba85f787caed48cbc834547a5271d923bad51a1b39d2536353f42bf
SHA512: 48f0297d3afd299c2a910d42a23c63fa2127d9d21d675d2392d79da8a6bf4922008d97aa26432fac75d6a1e5da2e32b16cbcaa257e8a1a9700f7c913bd90e42b
SSDEEP: 192:Zg6eHLE5KxkDpnqKjIdtaCRYvRtCk1rE1Ty68A3CuYYpZ7E:G6eHIAx0pqNgHvRtoyhASuYYpZ7E
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid | Process
  2600 | xplorer.exe

Loads dropped DLL (5 IoCs)
  pid | Process
  2808 | 386c7ea195401747c6f7bea1314adb00N.exe (5 identical entries)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\xplorer = "C:\\Windows\\xplorer\\xplorer.exe" | reg.exe

Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 386c7ea195401747c6f7bea1314adb00N.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xplorer.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\xplorer\xplorer.exe | 386c7ea195401747c6f7bea1314adb00N.exe
  File opened for modification | C:\Windows\xplorer\xplorer.exe | 386c7ea195401747c6f7bea1314adb00N.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2600 | xplorer.exe (64 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2808 | 386c7ea195401747c6f7bea1314adb00N.exe
  2600 | xplorer.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2808 wrote to memory of 2908 | 2808 | 386c7ea195401747c6f7bea1314adb00N.exe | 30 (4 identical entries)
  PID 2908 wrote to memory of 2004 | 2908 | cmd.exe | 32 (4 identical entries)
  PID 2808 wrote to memory of 2600 | 2808 | 386c7ea195401747c6f7bea1314adb00N.exe | 33 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\386c7ea195401747c6f7bea1314adb00N.exe (PID 2808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\386c7ea195401747c6f7bea1314adb00N.exe"
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2908)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\JRGQG.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\reg.exe (PID 2004)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "xplorer" /t REG_SZ /d "C:\Windows\xplorer\xplorer.exe" /f
      - Adds Run key to start application
  C:\Windows\xplorer\xplorer.exe (PID 2600)
    Command line: "C:\Windows\xplorer\xplorer.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 124B
MD5: 4e6e99d38b1264af2b53a68c7cd6d648
SHA1: 55ffe17732d1d9c539d702a1311ef9674fe7b3cf
SHA256: 168d9cdf4849fde3b4817db207e60934b6c877be439289f3fb3a4eb9e4326ff0
SHA512: bde21abed1bfc3dbdd6afc83614aa27c3f33dfbb434e139523ac57ecd84875b0e96a241f5828eda0b055f787ec7f95850b0f4ab0ee752ac36484b2bfd78a859d

Filesize: 11KB
MD5: f9391aa2aeea14a4604dd9401ed6d827
SHA1: 44d8d0e430ec3c0c68f35dd21b58a66f2a1140df
SHA256: d9e898bf4b3a3904fcfc2f14010bda197b001d1792f9a68b0c192a9efa527517
SHA512: 2544c3915ed808822a6723aa87f0f7b2e9285ab65dfbe80a748278f86421eb5de7309174a047644565cac2000e47c7be3b6eb4914f8094d1398dcec75f17bedf