8d2a1468aa98a85123be3d570aa071d51026e719716d3a88c4c97a0f95d4a0c2

Analysis

max time kernel
150s
max time network
172s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

109cf7f8941beab19bb8df5da41f46aa.exe
Size

72KB
MD5

109cf7f8941beab19bb8df5da41f46aa
SHA1

376708c2c50d4758e50c23fecfccd5a19654d968
SHA256

8d2a1468aa98a85123be3d570aa071d51026e719716d3a88c4c97a0f95d4a0c2
SHA512

68c8476f654f8b7cfbbcbba460cb21f35cfc040b3a9e98473a1d98549af286150dc47b4e91df16436e6bc19d67e12453e3b08e22cea285e48be5b9b405a2cbaf
SSDEEP

1536:dNgVbuDBif3xLYKgGRS7nea66xkVTLQ1Up0UYpTnNu3Gz1zbH5b:rg9SSgGRweahkVA1Xpky

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
5	2468	rundll32.exe
11	2468	rundll32.exe
12	2468	rundll32.exe
14	2468	rundll32.exe
16	2468	rundll32.exe
19	2468	rundll32.exe

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
2748	109cf7f8941beab19bb8df5da41f46aa.exe
2468	rundll32.exe
2468	rundll32.exe
2468	rundll32.exe
2468	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hsjubwje = "rundll32.exe \"C:\\Program Files (x86)\\hsjubwje\\zofstkxo.dll\",Init"	regedit.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hsjubwje\zofstkxo.dll	109cf7f8941beab19bb8df5da41f46aa.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2288	regedit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2288	2748	109cf7f8941beab19bb8df5da41f46aa.exe	28
PID 2748 wrote to memory of 2288	2748	109cf7f8941beab19bb8df5da41f46aa.exe	28
PID 2748 wrote to memory of 2288	2748	109cf7f8941beab19bb8df5da41f46aa.exe	28
PID 2748 wrote to memory of 2288	2748	109cf7f8941beab19bb8df5da41f46aa.exe	28
PID 2748 wrote to memory of 2468	2748	109cf7f8941beab19bb8df5da41f46aa.exe	29
PID 2748 wrote to memory of 2468	2748	109cf7f8941beab19bb8df5da41f46aa.exe	29
PID 2748 wrote to memory of 2468	2748	109cf7f8941beab19bb8df5da41f46aa.exe	29
PID 2748 wrote to memory of 2468	2748	109cf7f8941beab19bb8df5da41f46aa.exe	29
PID 2748 wrote to memory of 2468	2748	109cf7f8941beab19bb8df5da41f46aa.exe	29
PID 2748 wrote to memory of 2468	2748	109cf7f8941beab19bb8df5da41f46aa.exe	29
PID 2748 wrote to memory of 2468	2748	109cf7f8941beab19bb8df5da41f46aa.exe	29
PID 2748 wrote to memory of 1632	2748	109cf7f8941beab19bb8df5da41f46aa.exe	33
PID 2748 wrote to memory of 1632	2748	109cf7f8941beab19bb8df5da41f46aa.exe	33
PID 2748 wrote to memory of 1632	2748	109cf7f8941beab19bb8df5da41f46aa.exe	33
PID 2748 wrote to memory of 1632	2748	109cf7f8941beab19bb8df5da41f46aa.exe	33

C:\Users\Admin\AppData\Local\Temp\109cf7f8941beab19bb8df5da41f46aa.exe
"C:\Users\Admin\AppData\Local\Temp\109cf7f8941beab19bb8df5da41f46aa.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\tmp92904.reg"
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2288
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files (x86)\hsjubwje\zofstkxo.dll",Init
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  /c del C:\Users\Admin\AppData\Local\Temp\109CF7~1.EXE >> NUL
  2⤵
  - Deletes itself
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp92904.reg

Filesize
161B

MD5
4607d2c59d792a337a1251a168d0e93e

SHA1
f5a5d2bf46c3cfc3b53b765f8dd3944ba5b27fa8

SHA256
d0a2431fb90eaf4f317290e2ff9a0e4ba1ce15c86520354115c4285fc470cfe1

SHA512
96023effbf0869acfd2ca4c081bce06dbeb699fb3930b78603f4364b608ce871f1b581e0f2b7995e7991ec767a6c08561da22152441236b66108e9b8ef888bf3

Download Submit
\Program Files (x86)\hsjubwje\zofstkxo.dll

Filesize
46KB

MD5
beee63662b4fd669f6a25b2e4f60e328

SHA1
5960f2f6b140553a05884f287cafcd71761263f0

SHA256
56a9f1aefda02fd3e0d70a0c1fe68f54a6db4c664d32f7504ab01c1f61cc9b38

SHA512
c465a58da775ad2fb719bd707e44506dbc7d8ade23c5724eab89c40189dc920b62177185ece7eb76c794bdf654927c5e3b27d86ec4e31468cc3a6a58c7f3a07b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads