Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 21:32

General

  • Target

    2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe

  • Size

    514KB

  • MD5

    65c713d83b613d647d369ed305632930

  • SHA1

    eb79bea11c59b78498dbf65679ba1a24203e8d9e

  • SHA256

    2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f

  • SHA512

    26d9af89110278380c85c8193d44ac1002e4df88dfce7312402f2bd6b6e610e92559600a71068c54a17598429f55a36cc69998cb210f6ceb964d5f53f31032b5

  • SSDEEP

    6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26FYLIcw/3ScNAf3:/pW2IoioS6p7q

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 13 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
    "C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"
    1⤵
    • Modifies system executable filetype association
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • UAC bypass
      • Modifies registry key
      PID:2176
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\fNYSDQhn.exe

    Filesize

    514KB

    MD5

    041c5ee5bd19d448f029f71c1f3ea5d3

    SHA1

    dca087c05d161ea277274f431eec4934ceffd448

    SHA256

    058c9e0e6ba29d102561ade0614098639091d1e732246862b801d7a79fb6da72

    SHA512

    43c939044b2a669446e765bf55604456ed5a1c9ba836facd9b2f1e820a43957c5cece924095def3d79f048f5746d64950c0d1b93309beb36cec27424d4d1f9fa

  • memory/2432-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

    Filesize

    4KB

  • memory/2432-1-0x0000000000820000-0x0000000000848000-memory.dmp

    Filesize

    160KB

  • memory/2432-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

    Filesize

    9.9MB

  • memory/2432-1140-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

    Filesize

    4KB

  • memory/2432-1277-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

    Filesize

    9.9MB