7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe
Size

9KB
MD5

054772b3f3004015c243e83109b6b4d0
SHA1

4eeb1d21b04de3164549c45df693feb6f647e152
SHA256

7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7
SHA512

d03b2265c4e7b75603e35f627384d59b36953fd81f19c045a46106d3cb5f19d7dfe1277bb1be28f62fa3d5c2ac25c2049a2be5dc921383b4739aefae46933bed
SSDEEP

192:1oMRHyW1XehWG81mdib6T9GtT3JdxaaEzppao:1lRHhehWidib6RGt7rxaZpj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\midimapqn3 = "{4F4F0064-71E0-4f0d-0022-708476C7815F}"	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe

Loads dropped DLL 1 IoCs

pid	Process
4948	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\midimapqn3.tmp	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe
File opened for modification	C:\Windows\SysWOW64\midimapqn3.dat	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe
File created	C:\Windows\SysWOW64\midimapqn3.tmp	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0022-708476C7815F}	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0022-708476C7815F}\InProcServer32	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0022-708476C7815F}\InProcServer32\ = "C:\\Windows\\SysWow64\\midimapqn3.dll"	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0022-708476C7815F}\InProcServer32\ThreadingModel = "Apartment"	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4948	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe
4948	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4948	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3480	4948	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe	83
PID 4948 wrote to memory of 3480	4948	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe	83
PID 4948 wrote to memory of 3480	4948	7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe	83

C:\Users\Admin\AppData\Local\Temp\7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe
"C:\Users\Admin\AppData\Local\Temp\7e259c43825a7154c829357ba2cfca2e332dfebad0c5a61f38e37509cd5ee0a7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\C0F3.tmp.bat
  2⤵
  PID:3480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C0F3.tmp.bat

Filesize
243B

MD5
c315ae226362264ff90317e196c141ca

SHA1
8ab46476c682eedd74923f4ba176687500a3736e

SHA256
dab90b58010403b017749fee0d78f0d6f39e64acc15c8aa9d247117c63addde1

SHA512
4cd909e93c1790fad8f074dbdd6e834b2ddad932f41ec10f39d0c89c2bd9ecb0ee7577bdbc819ac0c044617e52408a5a86e47256ee047f7aae432eef070dcfcc

Download Submit
C:\Windows\SysWOW64\midimapqn3.dll

Filesize
19KB

MD5
b2577935cad667053ed93f561beb7529

SHA1
00b2c6be10b299e1a80c3f27647a7ef89eb0edf8

SHA256
225dd689844a4adf236938a2530eeb98fc618ff004b767f9c4a1a36df1aa7b36

SHA512
b212a295d9b082410c5efcb742965a82d1e45495d76da4309b75cb8597b621dcd647050f8e1d5f298c46df87d78a7963a5ced95f7aed63b59b1ec5381437c138

Download Submit
memory/3480-133-0x0000000000000000-mapping.dmp

Download