c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef

Analysis

max time kernel
246s
max time network
251s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pclock_unpack.exe
Size

419KB
MD5

1fc5cb7e0ad732461f8eab5d1125c427
SHA1

2974651cf335d46b2e7d2287b325232c3b77d9f1
SHA256

05fab5797ed3fa8ba1fbe0e0de14e5284f84506c1b5bb386638e49c3f027e75d
SHA512

b0818ac1d5ec83cad5760b76551f8237e2a3e1968ebdfec8deacccb291842ef7f838ad7071590a215b9cb6c030b6f69ccf81c3d05447216c6456b6cec20961e9
SSDEEP

6144:zHuwWf/SZxB5+TlkJUjvvh02jNnPAPowEoxAKJaITtSXp:OfoxB5+JM+6oJIovSDtSX

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

WinFaxViewer.exewinhub.exe

pid process

2776 WinFaxViewer.exe
2960 winhub.exe

pid	process
2776	WinFaxViewer.exe
2960	winhub.exe

Loads dropped DLL 7 IoCs

Processes:

pclock_unpack.exeWinFaxViewer.exe

pid	process
3028	pclock_unpack.exe
3028	pclock_unpack.exe
3028	pclock_unpack.exe
3028	pclock_unpack.exe
3028	pclock_unpack.exe
2776	WinFaxViewer.exe
2776	WinFaxViewer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WinFaxViewer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wincl = "C:\\Users\\Public\\WinHub\\winhub.exe"	WinFaxViewer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pclock_unpack.exeWinFaxViewer.exetaskkill.exewinhub.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pclock_unpack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinFaxViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhub.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2700 taskkill.exe

pid	process
2700	taskkill.exe

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2700 taskkill.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

pclock_unpack.exeWinFaxViewer.exewinhub.exe

pid process

3028 pclock_unpack.exe
2776 WinFaxViewer.exe
2960 winhub.exe

description	pid	process
Token: SeDebugPrivilege	2700	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

pclock_unpack.exeWinFaxViewer.exe

description	pid	process	target process
PID 3028 wrote to memory of 2776	3028	pclock_unpack.exe	WinFaxViewer.exe
PID 3028 wrote to memory of 2776	3028	pclock_unpack.exe	WinFaxViewer.exe
PID 3028 wrote to memory of 2776	3028	pclock_unpack.exe	WinFaxViewer.exe
PID 3028 wrote to memory of 2776	3028	pclock_unpack.exe	WinFaxViewer.exe
PID 2776 wrote to memory of 2700	2776	WinFaxViewer.exe	taskkill.exe
PID 2776 wrote to memory of 2700	2776	WinFaxViewer.exe	taskkill.exe
PID 2776 wrote to memory of 2700	2776	WinFaxViewer.exe	taskkill.exe
PID 2776 wrote to memory of 2700	2776	WinFaxViewer.exe	taskkill.exe
PID 2776 wrote to memory of 2960	2776	WinFaxViewer.exe	winhub.exe
PID 2776 wrote to memory of 2960	2776	WinFaxViewer.exe	winhub.exe
PID 2776 wrote to memory of 2960	2776	WinFaxViewer.exe	winhub.exe
PID 2776 wrote to memory of 2960	2776	WinFaxViewer.exe	winhub.exe

C:\Users\Admin\AppData\Local\Temp\pclock_unpack.exe
"C:\Users\Admin\AppData\Local\Temp\pclock_unpack.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\WinFaxViewer.exe
  "C:\Users\Admin\AppData\Local\Temp\WinFaxViewer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM criminal_case_against_you.scr
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Users\Public\WinHub\winhub.exe
    "C:\Users\Public\WinHub\winhub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\WinFaxViewer.exe

Filesize
419KB

MD5
1fc5cb7e0ad732461f8eab5d1125c427

SHA1
2974651cf335d46b2e7d2287b325232c3b77d9f1

SHA256
05fab5797ed3fa8ba1fbe0e0de14e5284f84506c1b5bb386638e49c3f027e75d

SHA512
b0818ac1d5ec83cad5760b76551f8237e2a3e1968ebdfec8deacccb291842ef7f838ad7071590a215b9cb6c030b6f69ccf81c3d05447216c6456b6cec20961e9

Download Submit
memory/3028-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download