13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 23:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
Size

72KB
MD5

a3188aae76d8c959aa0cf338b7468300
SHA1

caa8ad9d7b988f86309b8a5ddfa68e8ad367fd53
SHA256

13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063
SHA512

b0b0739019ba5110db85b62fa4e9edc65bfbf36dff5269490c118599c360f2805ab70dad755c8c553daf38643f8d3ac41af3242062df12b6cd3c266612ed8b00
SSDEEP

768:s1ZSPvZYKHYZjXRIEeVFxhmmvdgZXjYt1NEDIefZsL:s7zKHCjBuV1mHJMt1y

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Executes dropped EXE 1 IoCs

pid	Process
1620	Admin.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
1620	Admin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1620	1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe	30
PID 1716 wrote to memory of 1620	1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe	30
PID 1716 wrote to memory of 1620	1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe	30
PID 1716 wrote to memory of 1620	1716	13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe	30

C:\Users\Admin\AppData\Local\Temp\13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe
"C:\Users\Admin\AppData\Local\Temp\13c887d96af718be5a9f60395694754823d291dc2e6c4fde3de34c4c987a7063N.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\Admin.exe
  "C:\Users\Admin\Admin.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Admin.exe

Filesize
72KB

MD5
37b2a36a5d646e5dd3c3316bf3490b3f

SHA1
9683e9a95aa698a757493cb4dd254f1a01b8793c

SHA256
f34586a066d30543326a51257aa35616491760a5940ba342299bd3ffa7a68305

SHA512
ce1cf7884c30b07d3b474a63b3ebaffe77e906b95b16a51d9b05d5846cc97de38b8657746d6639b7118964ff23b7b10ddf5a6baa96053695caa73fe380a0f8cd

Download Submit
memory/1620-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1620-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1716-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1716-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1716-14-0x0000000003820000-0x000000000383A000-memory.dmp

Filesize
104KB

Download
memory/1716-13-0x0000000003820000-0x000000000383A000-memory.dmp

Filesize
104KB

Download
memory/1716-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1716-20-0x0000000003820000-0x000000000383A000-memory.dmp

Filesize
104KB

Download