Analysis
-
max time kernel
120s -
max time network
69s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
14/08/2024, 13:39
General
-
Target
0ae9da583019975a83b03ddcd722ebb0N.exe
-
Size
3.7MB
-
MD5
0ae9da583019975a83b03ddcd722ebb0
-
SHA1
b423cd8b885527b815410bfbaaa1ed4ec1257572
-
SHA256
5436bf05d6c0d951519d68a8ab41e15ef54141699ecd4a7330b9d8c158cfa0c2
-
SHA512
537c01cf17eba8c1b94ffb8bee5df1c5e7927e4f8dc68311d37c8d400450b9a3cd2cbd4495f4c27ccc5eca8c066c3a5c95404e902a27fdaf4f373f6873061fd4
-
SSDEEP
24576:Qfs6Ds6e+JmLkMQaejgLAKWNV96IO4t0drSvc7:Qfs6Ds6rmLbQa3AKWRhtuo
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Modifies registry class 37 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ae9da583019975a83b03ddcd722ebb0N.exe"C:\Users\Admin\AppData\Local\Temp\0ae9da583019975a83b03ddcd722ebb0N.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\0ae9da583019975a83b03ddcd722ebb0N2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\msng.exe"C:\Windows\system32\msng.exe" fuckystart2⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe http://www.OpenClose.ir3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.openclose.ir/2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5ac39c19fa0ea709769a94e08ee80e848
SHA1ff49d94dcd787f07a036b38d1dc9228451a63824
SHA2562cb52dfb088f56abbeaa4d7ad3626f205ebce2229726077784052331d9c9842b
SHA51261b71ee4924ecac83898f4326ee19795a14adf9dbe7dc359d6279602e8720fde66488afc07e03a6fbef553e4235f332109a222cd594fe42da92f5e7bf533a2a7
-
Filesize
342B
MD5a8f5601448c16c14cee419f7bdf14599
SHA1527088c48baaed7728c69604e0cbebae0a39c54f
SHA2567f141434dd5ecd3a0d26a95b1e0864faab425026f60fd5920bcf0a59421b8edf
SHA5121d59f295dfdab3dfd5cab89b0eed1a8862d5842473315df2200139971e59d1a01f0e925731c437b7c10915cdcaa568c6e8f1c81e1f5a286cf9e5b1950fcdc41f
-
Filesize
342B
MD5a39cb82b8adfdb18e462bf7ed0e73540
SHA18b0985854abbd7ca7344cb0fd58d7ba0ca7d2e34
SHA2569d5322a97dc9055edd9267255fcb258cff809304e55758d8806367b57a6a050b
SHA5124b753aeff8493f329920eb138884f9bbe2f745fddaf34e351b35c7ae75f095dcb9b581a7225d216f3b066abef3ba5f48fc0d4d1879f1fe09c61dd1f64bfca7a8
-
Filesize
342B
MD59138fb072d9c2ab2b89391ead744cf29
SHA1156ab7dc7a1be7b697301fbcb5a93b9faebf44fb
SHA256efa4b9c846d97bf53633faf49e203e9f9ed504ca07956c322abda24aaa011a69
SHA5128fb87bd7860ae1eef00d4de76323bf5178a1a09d6e3c7c609b4ee0c3e4667cd36276332907140775d0db297ed2a41651a1860cade91e7e88eb0a07bcd9524817
-
Filesize
342B
MD55bd68d9a5fd63a40a642fecba6016510
SHA17dc3d5246952e4ac5b7163572bc0ef1585a1a18a
SHA2569f9f44d77144d66675a254828689b417a8fcae0791a16f1a616a60e7cd41ff5c
SHA5122caab7f9deace3b60e999360bfb64727c18130c2dff7f7c0d2f56ffa72b16bdc07b2b3537d680e7f7a7da9d770e4cf4d0057ade3ce3d5bf81cc4d3bfcfe9de74
-
Filesize
342B
MD5c78c3b2d63b0a9a93d3dbcd82335c428
SHA1997a0ade275178d47f44aa4cb773c1775bba8375
SHA256c5eace2629cbb921fa1717b592db9df654818500e63c50f4198fc43cba0a515a
SHA512d60992149383c0be2944d74e00870c4cd4dc6d2f6b71f62ece6ee4d0e6fc29d5912298a7e9448f5c51d01244c97a0df3d9a6c9b003b3c393e35aae7c6469cd55
-
Filesize
342B
MD594a0b6389a34e8a7500fa416f6ace54b
SHA16dc32801b5341e398a17f1891f392bc9b89c8abb
SHA256b2cc0b63c823dd63c52e91a251f5ddc507e2d35f048541e0ba75e034d5746f0a
SHA5123f9ca193c337ae920541dd4d664410b40c7944d5dba05d954d238832448e177d6ad1d8dbf658b716252a125667602ab69f14e7928ab19f1f017e553002463c52
-
Filesize
342B
MD594c9e3414541ad8f06f332514dacaa39
SHA1bb35e7a3c9d33b379d84029936a03a5878b1ab91
SHA25634d5327c08546d9e1e2b1763c1208c16c9965565ccb84df877142600aa492c67
SHA5125860432c6ed33ba46939d961ed988120e10b74aaee3973de80977ec88e6b3486ec6140103dc8f4781512afdf5581fe9458f294b6c6838b46088f7fece0b44cba
-
Filesize
342B
MD5ed35226df41111ef70e167db779878c2
SHA14ec5a0c7bfbdf85194c14e9627ec527d77d8d3a7
SHA25662c35455aaf15087ef3a05e5804f13e9ab4a8393982117d89fc414572bfb6814
SHA5125571a3167f7e31fb98a37dd6492c220f1fa63781faf995bd12e17af221962f46d81ad6316548aaa780a4223990b63b37935eac1e1366478bc128d79a77c542f0
-
Filesize
342B
MD589c36eea4503cef4e5a60c2c79633c7f
SHA1e9ecfd6cae79c55d47bf85712f7eaec801a51021
SHA25651483239a9578e72131132993620eca9b190b981f46eeb7f84bdd3387dce7457
SHA5123b558722b15b5abdee778c8c933bc6b5a990a25a449cb9b84ec928f932fb0d8b2936c9559169989f2442a81dbbb790511068700af4e9a151c93afc5c00f3cc5d
-
Filesize
342B
MD5354b1fc5adc5edd994241977c866a30c
SHA103c1782758c36d18e519635102ee439840b8d4e7
SHA25667383d9e340b886dd18340a529fef88a48518ad7c0f03c06a39b6139974381a0
SHA5123180fa5ebd94bcc4ef29f554ae41dffeafbb0ea48c3aba097f24b2c2b905bc2a45e3f67d980772ba3c044e171fc4ee3c9396ecff732efe62f0d7c64fc0b0a58b
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
69B
MD5cb8850e75e3f2fb25a5c4d9c038d50c6
SHA1cb8d5b0fd4b601d5322e9345b11c80989a4787bf
SHA2566c24f0a30ddc5261e3ece63121263a7e7cac5155ebf51ee38be1998f64f5a827
SHA5120dedc10a760cbb3612b332a820a9f5341733a069a7ed155d466c29654426a383e67c72b6e35fda3a30bff84f9277b53cf08fa7286f0c0cbca919ed2c7bcfaa2c
-
Filesize
3.7MB
MD50ae9da583019975a83b03ddcd722ebb0
SHA1b423cd8b885527b815410bfbaaa1ed4ec1257572
SHA2565436bf05d6c0d951519d68a8ab41e15ef54141699ecd4a7330b9d8c158cfa0c2
SHA512537c01cf17eba8c1b94ffb8bee5df1c5e7927e4f8dc68311d37c8d400450b9a3cd2cbd4495f4c27ccc5eca8c066c3a5c95404e902a27fdaf4f373f6873061fd4
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
8KB
-
Filesize
64KB