57ea57263488c35f29b4a38387de1ad9c89a3dc25260810fd77b0203467b7bfb

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

078435d3a8f905bbe3dce492ed116bfa.exe
Size

15KB
MD5

078435d3a8f905bbe3dce492ed116bfa
SHA1

80e31b8b463cd13e818789d7b61f582822cbeb01
SHA256

57ea57263488c35f29b4a38387de1ad9c89a3dc25260810fd77b0203467b7bfb
SHA512

9c34755b09fe3383b660fde24e040e0daf2e57ad511ea57b2ae449b461f73903b83825cfa75939635092933057a48e2c036cfb7bda1b7e4244b65b6eee1a9429
SSDEEP

384:vSXcEf0Fhb9eNTzPhlReHaLRTwNUr+9fplhcavJ:cH0FKNTThcaLKS6fpncS

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\hqnpkzod.dll = "{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}"	078435d3a8f905bbe3dce492ed116bfa.exe

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1300	078435d3a8f905bbe3dce492ed116bfa.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hqnpkzod.tmp	078435d3a8f905bbe3dce492ed116bfa.exe
File opened for modification	C:\Windows\SysWOW64\hqnpkzod.tmp	078435d3a8f905bbe3dce492ed116bfa.exe
File opened for modification	C:\Windows\SysWOW64\hqnpkzod.nls	078435d3a8f905bbe3dce492ed116bfa.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}	078435d3a8f905bbe3dce492ed116bfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32	078435d3a8f905bbe3dce492ed116bfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ = "C:\\Windows\\SysWow64\\hqnpkzod.dll"	078435d3a8f905bbe3dce492ed116bfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ThreadingModel = "Apartment"	078435d3a8f905bbe3dce492ed116bfa.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1300	078435d3a8f905bbe3dce492ed116bfa.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1300	078435d3a8f905bbe3dce492ed116bfa.exe
1300	078435d3a8f905bbe3dce492ed116bfa.exe
1300	078435d3a8f905bbe3dce492ed116bfa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2796	1300	078435d3a8f905bbe3dce492ed116bfa.exe	29
PID 1300 wrote to memory of 2796	1300	078435d3a8f905bbe3dce492ed116bfa.exe	29
PID 1300 wrote to memory of 2796	1300	078435d3a8f905bbe3dce492ed116bfa.exe	29
PID 1300 wrote to memory of 2796	1300	078435d3a8f905bbe3dce492ed116bfa.exe	29

C:\Users\Admin\AppData\Local\Temp\078435d3a8f905bbe3dce492ed116bfa.exe
"C:\Users\Admin\AppData\Local\Temp\078435d3a8f905bbe3dce492ed116bfa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\8391.tmp.bat
  2⤵
  - Deletes itself
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8391.tmp.bat

Filesize
179B

MD5
20cba86c35ce68c43a43e2019293c0c2

SHA1
82db115a3e34109e3badfed223aa19b9e4eb8c0b

SHA256
1a4a847172e1bd4de4483727c42b200fb109fe9c36f30b19ff6b99b80dc6e9a6

SHA512
e7150ab43ddd3d87d5884bfcbcf070e8caa4e6ab7d3bb2553b66143fc0859eb07ff880d0303d6bfa4be5d0daaa64b5dd3564ec6540fb63654fce5768fcee8f87

Download Submit
C:\Windows\SysWOW64\hqnpkzod.tmp

Filesize
216KB

MD5
f7d326d76a43eead7bd38c112b148093

SHA1
130f72cd5da91ff25f87aaf3872c889f41aa3ceb

SHA256
1772446489525a91912e13ba4a72bb90109624faa9aeeb08c58ed298227549ba

SHA512
48f1bd7ac639cdfce88d748d82e8b2b1f09041b145a3091dd0f533b0ddd67f0e59a2e7999af50b64053d5358d573b3f676db2fb8e49e5b745e06c66d2f67f8e4

Download Submit
\Windows\SysWOW64\hqnpkzod.dll

Filesize
192KB

MD5
117787c61639044f255ffe88357efe54

SHA1
d8abada9e83a0c595e4de94c3778926eb2dc7583

SHA256
34a6959982fde522355b387d45ad4dcd33495f9f1f0370714273d0631a991632

SHA512
75b0433562c1ef3d5acb0f2bee3b977f90059e00a42e7c346e6e2107adb229e43220a8890e3fa6a0dd052ae0cdc9991894da9765ca1378f9c0dde52ced4ab0c1

Download Submit
memory/1300-12-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1300-21-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download