e52ed95bce26721b6665e4ad8edf20a2b87a89adc044b3d2df640694a9455e3b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69159e7c584739a3c1433fb47e8ab07e.dll
Size

104KB
MD5

69159e7c584739a3c1433fb47e8ab07e
SHA1

d160d165806a60d174edd1cdfd8cb80c78c74b3f
SHA256

e52ed95bce26721b6665e4ad8edf20a2b87a89adc044b3d2df640694a9455e3b
SHA512

fb84a33d1fe2c4a8c32aa94005d44b611402c67148f9f11d8876896b2a9215d46b66b3d62c36fc9c25315a541e8a91b43fc14482e4d9457debc7552bcca7da06
SSDEEP

1536:fb1Mjs1cA/PPIKsunAN/KPf93kzvb427JmQ/UOVIZgZFUN+b56NB:t1DfIHunAVifG427EQ/USI6ZF1bY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DisplayWork = "{cf336a57-6064-4143-833d-de5aec26233c}"	regsvr32.exe

Loads dropped DLL 1 IoCs

pid	Process
1904	regsvr32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Display\DisplayWork.dll	regsvr32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cf336a57-6064-4143-833d-de5aec26233c}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cf336a57-6064-4143-833d-de5aec26233c}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cf336a57-6064-4143-833d-de5aec26233c}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Display\\DisplayWork.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cf336a57-6064-4143-833d-de5aec26233c}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1904	regsvr32.exe
1904	regsvr32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1904	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1904	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1904	2532	regsvr32.exe	14
PID 2532 wrote to memory of 1904	2532	regsvr32.exe	14
PID 2532 wrote to memory of 1904	2532	regsvr32.exe	14
PID 2532 wrote to memory of 1904	2532	regsvr32.exe	14
PID 2532 wrote to memory of 1904	2532	regsvr32.exe	14
PID 2532 wrote to memory of 1904	2532	regsvr32.exe	14
PID 2532 wrote to memory of 1904	2532	regsvr32.exe	14

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\69159e7c584739a3c1433fb47e8ab07e.dll
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\69159e7c584739a3c1433fb47e8ab07e.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Common Files\Display\DisplayWork.dll

Filesize
104KB

MD5
69159e7c584739a3c1433fb47e8ab07e

SHA1
d160d165806a60d174edd1cdfd8cb80c78c74b3f

SHA256
e52ed95bce26721b6665e4ad8edf20a2b87a89adc044b3d2df640694a9455e3b

SHA512
fb84a33d1fe2c4a8c32aa94005d44b611402c67148f9f11d8876896b2a9215d46b66b3d62c36fc9c25315a541e8a91b43fc14482e4d9457debc7552bcca7da06

Download Submit
memory/1904-3-0x00000000001A0000-0x00000000001BB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads