Overview

overview

10

Static

static

3

1542eabc81...fN.exe

windows7-x64

10

1542eabc81...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1542eabc8170fffbea99a2c530b89a2c66cf8a628a6f2685b88be128221e6ebfN.exe

  • Size

    64KB

  • MD5

    0592bf3438f49216f8f4686ee31d6890

  • SHA1

    bcc14ea50139512b405a366e3cd6fd82de5f7ad1

  • SHA256

    1542eabc8170fffbea99a2c530b89a2c66cf8a628a6f2685b88be128221e6ebf

  • SHA512

    92e45ec61679ac5a0406d841a6c8abfae1128b45baa2b32a42696bf9ac86903656fa302abb8987b01d9f82a08bd10bfc15a842f6d5587c715df1dbbd750e36b9

  • SSDEEP

    1536:9VB9ew1O/1hhDiZnHba3W74s3KdWGGZttlI6TRqnouy8hyG+jK:9Ve1fh8nHbao6dWntI6TRyouthyL

Score
10/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 10 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\1542eabc8170fffbea99a2c530b89a2c66cf8a628a6f2685b88be128221e6ebfN.exe
    "C:\Users\Admin\AppData\Local\Temp\1542eabc8170fffbea99a2c530b89a2c66cf8a628a6f2685b88be128221e6ebfN.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Windows security bypass
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2640
    • C:\Program Files (x86)\Windows Media Player\svchost.exe
      "C:\Program Files (x86)\Windows Media Player\svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2816
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Program Files (x86)\Windows Media Player\wmpshare.exe
        "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2080
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "1542eabc8170fffbea99a2c530b89a2c66cf8a628a6f2685b88be128221e6ebfN.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Program Files (x86)\Windows Media Player\wmplayerc.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayerc.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Program Files (x86)\Windows Media Player\svchost.exe
        "C:\Program Files (x86)\Windows Media Player\svchost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

8
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Windows Media Player\wmplayerc.exe
    Filesize

    64KB

    MD5

    71820698856caf6116caa7fb6aec0d0c

    SHA1

    007fa619194ff21a007cab77665620a2f66c2d7d

    SHA256

    6e0541c1f259e362ca0730a5980ef1342a6506ef851b08403bb57a154072aab1

    SHA512

    895194b528bac3af62d3d56a2fa36779f4965432f8219964764bfcb0a12c533908b541277ea3f9a87c0b5085e8c036ba6c2b8f71ddd45b9e282794214f5db099

    Download Submit

  • C:\RÊCYCLÊR\desktop.ini
    Filesize

    65B

    MD5

    ad0b0b4416f06af436328a3c12dc491b

    SHA1

    743c7ad130780de78ccbf75aa6f84298720ad3fa

    SHA256

    23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

    SHA512

    884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

    Download Submit

  • C:\RÊCYCLÊR\  .com
    Filesize

    64KB

    MD5

    ce5748f992f326bbbc70a26e86026945

    SHA1

    d38e3cc1e6e85749117ad7ea7f9302cf96980982

    SHA256

    68be5111f10bbdb15b8598383fc152bceaa62586f49fc1fbbd314310deea3643

    SHA512

    f37b7328ca32749723f4086416e4883938aa1361459c5c5dd65dc4f2957a2bc936f9a4a19dc17c95a841a09566d338b93e1a0425c8636cb27d34f6e8e786f674

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{1F38C402-31F6-43FD-A48A-883FE6E8CF76}.jpg
    Filesize

    22KB

    MD5

    35e787587cd3fa8ed360036c9fca3df2

    SHA1

    84c76a25c6fe336f6559c033917a4c327279886d

    SHA256

    98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

    SHA512

    aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{5DCC3B6D-CC26-44D3-8B07-80D308D6B269}.jpg
    Filesize

    23KB

    MD5

    fd5fd28e41676618aac733b243ad54db

    SHA1

    b2d69ad6a2e22c30ef1806ac4f990790c3b44763

    SHA256

    a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

    SHA512

    4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\1I3DEJNA.htm
    Filesize

    114B

    MD5

    e89f75f918dbdcee28604d4e09dd71d7

    SHA1

    f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

    SHA256

    6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

    SHA512

    8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

    Download Submit

  • C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg
    Filesize

    32KB

    MD5

    84bba83cfbc0233517407678bb842686

    SHA1

    1c617de788de380d28c52dc733ad580c3745a1c1

    SHA256

    6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

    SHA512

    a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

    Download Submit

  • \Program Files (x86)\Windows Media Player\svchost.exe
    Filesize

    9KB

    MD5

    a3565eec669697a3d6f7b35fb75fcb26

    SHA1

    6e81f83c057ff5da8f800a23f32f717a3e0ca2dc

    SHA256

    a7e6bd8d46e6eb541a071fb8a94b9567ecbb1c353764e36fae8b6f41b4a3d1d5

    SHA512

    0f815447afd11be56e49455bb4246b6e31063ae5f72743109a644d4d0fb0c79e78cf7b9bf17b19684fba25a72a66b2e4ad6a481871ae6792472a9e9942a20032

    Download Submit

  • memory/1676-123-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1676-124-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1824-117-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1824-199-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2640-116-0x0000000002C30000-0x0000000002C74000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2640-126-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2640-0-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2640-9-0x00000000003D0000-0x00000000003E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2816-146-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2816-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download