Analysis
  max time kernel: 117s
  max time network: 118s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 12/11/2024, 13:58
Static task: static1
Behavioral task: behavioral1
  Sample: 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  Resource: win10v2004-20241007-en
General
  Target: 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  Size: 47KB
  MD5: 9d8511bf4a25576e31f30c5fb38a3ab0
  SHA1: a670610763f095968bfe3c6af62981315324e04e
  SHA256: 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674d
  SHA512: ae69acb32facb957eba6a53a55511a68d3a2521069c4dfd4f25754cfcb2358a30e752a96f61f295017c6fb8799792c7221d0ad749ab07f98615f64b1b36b68a5
  SSDEEP: 768:PTAm5hiTllzeF/AJOTmbWa8RYdiU3/7Shy5nv9/vJ7o9B/PxDc2Zpo/:PLIcNTcWATPuhI963hDR8
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows/system32/SVCH0ST.EXE" | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
Disables Task Manager via registry modification
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Agent = "C:\\Windows\\System32\\SVCH0ST.EXE" | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\SVCH0ST.EXE | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  File opened for modification | C:\Windows\SysWOW64\SVCH0ST.EXE | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\system\wincirl.com | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  File opened for modification | C:\Windows\system\wincirl.com | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Modifies registry class (34 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a003100000000006c59496f102054656d700000360008000400efbe4a59dc446c59496f2a00000001020000000002000000000000000000000000000000540065006d007000000014000000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 52003100000000004a59dc44122041707044617461003c0008000400efbe4a59dc444a59dc442a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000004a59674b100041646d696e00380008000400efbe4a59dc444a59674b2a00000033000000000003000000000000000000000000000000410064006d0069006e00000014000000 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000004a59dc441100557365727300600008000400efbeee3a851a4a59dc442a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c003100000000004a591d4610204c6f63616c00380008000400efbe4a59dc444a591d462a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
  2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2224 wrote to memory of 2832 | 2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe | 31
  PID 2224 wrote to memory of 2832 | 2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe | 31
  PID 2224 wrote to memory of 2832 | 2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe | 31
  PID 2224 wrote to memory of 2832 | 2224 | 4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe | 31
Processes
  C:\Users\Admin\AppData\Local\Temp\4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4671a2b6c4d1b19595640721dc51e343c7b21db565c8714d082fccda773a674dN.exe"
    PID: 2224
    Signatures:
      - Modifies WinLogon for persistence
      - Disables RegEdit via registry modification
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    Child process:
      C:\Windows\Explorer.exe
        Command line: C:\Windows\Explorer.exe C:\Users\Admin\AppData\Local\Temp
        PID: 2832
  C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    PID: 2768
    Signatures:
      - Modifies Internet Explorer settings
      - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 44KB
  MD5: 44b3f6fd6fd891b2e12de41a0ea0b3e0
  SHA1: f26b0c2baa01aea544777d101438de1a056d50e8
  SHA256: 63170d3409e67f4c2381f8492fa49d8c97d9ef0e288075e8cabbbd4473f5ede9
  SHA512: 9563b12a5cb6fc070d901a6cc9596730201c0920b98f8ada83fec5aa9ec78c5aa3ac885e6634375dbc4dbf20b2f0cb3d7b49a69569eeb81ae45696c54ba88f0f