Analysis
  max time kernel: 120s
  max time network: 16s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 02-10-2024 21:32
Static task: static1
Behavioral task: behavioral1
  Sample: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
  Resource: win10v2004-20240802-en
General
  Target: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
  Size: 514KB
  MD5: 65c713d83b613d647d369ed305632930
  SHA1: eb79bea11c59b78498dbf65679ba1a24203e8d9e
  SHA256: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f
  SHA512: 26d9af89110278380c85c8193d44ac1002e4df88dfce7312402f2bd6b6e610e92559600a71068c54a17598429f55a36cc69998cb210f6ceb964d5f53f31032b5
  SSDEEP: 6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26FYLIcw/3ScNAf3:/pW2IoioS6p7q
Malware Config
Signatures
- UAC bypass
  Process: reg.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Disables Task Manager via registry modification
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Process: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (13 IoCs)
  Process: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
- Modifies registry key (1 TTP, 2 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Process: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
  PID 2432 wrote to memory of 2176 (target procid 28)
  PID 2432 wrote to memory of 2176 (target procid 28)
  PID 2432 wrote to memory of 2176 (target procid 28)
  PID 2432 wrote to memory of 1664 (target procid 29)
  PID 2432 wrote to memory of 1664 (target procid 29)
  PID 2432 wrote to memory of 1664 (target procid 29)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2432
  - [2] C:\Windows\System32\reg.exe
    Command line: "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
    - Modifies registry key
    PID: 2176
  - [2] C:\Windows\System32\reg.exe
    Command line: "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Modifies registry key
    PID: 1664
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Event Triggered Execution (1)
      Change Default File Association (1)
Downloads
  Filesize: 514KB
  MD5: 041c5ee5bd19d448f029f71c1f3ea5d3
  SHA1: dca087c05d161ea277274f431eec4934ceffd448
  SHA256: 058c9e0e6ba29d102561ade0614098639091d1e732246862b801d7a79fb6da72
  SHA512: 43c939044b2a669446e765bf55604456ed5a1c9ba836facd9b2f1e820a43957c5cece924095def3d79f048f5746d64950c0d1b93309beb36cec27424d4d1f9fa