57ea57263488c35f29b4a38387de1ad9c89a3dc25260810fd77b0203467b7bfb

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

078435d3a8f905bbe3dce492ed116bfa.exe
Size

15KB
MD5

078435d3a8f905bbe3dce492ed116bfa
SHA1

80e31b8b463cd13e818789d7b61f582822cbeb01
SHA256

57ea57263488c35f29b4a38387de1ad9c89a3dc25260810fd77b0203467b7bfb
SHA512

9c34755b09fe3383b660fde24e040e0daf2e57ad511ea57b2ae449b461f73903b83825cfa75939635092933057a48e2c036cfb7bda1b7e4244b65b6eee1a9429
SSDEEP

384:vSXcEf0Fhb9eNTzPhlReHaLRTwNUr+9fplhcavJ:cH0FKNTThcaLKS6fpncS

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\niyvlwbw.dll = "{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}"	078435d3a8f905bbe3dce492ed116bfa.exe

Loads dropped DLL 1 IoCs

pid	Process
4692	078435d3a8f905bbe3dce492ed116bfa.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\niyvlwbw.tmp	078435d3a8f905bbe3dce492ed116bfa.exe
File opened for modification	C:\Windows\SysWOW64\niyvlwbw.tmp	078435d3a8f905bbe3dce492ed116bfa.exe
File opened for modification	C:\Windows\SysWOW64\niyvlwbw.nls	078435d3a8f905bbe3dce492ed116bfa.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}	078435d3a8f905bbe3dce492ed116bfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32	078435d3a8f905bbe3dce492ed116bfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ = "C:\\Windows\\SysWow64\\niyvlwbw.dll"	078435d3a8f905bbe3dce492ed116bfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ThreadingModel = "Apartment"	078435d3a8f905bbe3dce492ed116bfa.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4692	078435d3a8f905bbe3dce492ed116bfa.exe
4692	078435d3a8f905bbe3dce492ed116bfa.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4692	078435d3a8f905bbe3dce492ed116bfa.exe
4692	078435d3a8f905bbe3dce492ed116bfa.exe
4692	078435d3a8f905bbe3dce492ed116bfa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 4288	4692	078435d3a8f905bbe3dce492ed116bfa.exe	93
PID 4692 wrote to memory of 4288	4692	078435d3a8f905bbe3dce492ed116bfa.exe	93
PID 4692 wrote to memory of 4288	4692	078435d3a8f905bbe3dce492ed116bfa.exe	93

C:\Users\Admin\AppData\Local\Temp\078435d3a8f905bbe3dce492ed116bfa.exe
"C:\Users\Admin\AppData\Local\Temp\078435d3a8f905bbe3dce492ed116bfa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\EAEC.tmp.bat
  2⤵
  PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EAEC.tmp.bat

Filesize
179B

MD5
20cba86c35ce68c43a43e2019293c0c2

SHA1
82db115a3e34109e3badfed223aa19b9e4eb8c0b

SHA256
1a4a847172e1bd4de4483727c42b200fb109fe9c36f30b19ff6b99b80dc6e9a6

SHA512
e7150ab43ddd3d87d5884bfcbcf070e8caa4e6ab7d3bb2553b66143fc0859eb07ff880d0303d6bfa4be5d0daaa64b5dd3564ec6540fb63654fce5768fcee8f87

Download Submit
C:\Windows\SysWOW64\niyvlwbw.dll

Filesize
176KB

MD5
aafe224c693c1c09a552d9848a1ea74a

SHA1
247e3e59b125f77bf95f6a255898c715b39a5f37

SHA256
e1377359939e005a322e437c89450e9012205ccf603669a7a0d55284ff2fcb85

SHA512
1656e72b608ada7750dde028be38211446959c14d64c8c65cdc1f4762c0a6d22aed801ed9c73282a2c0040128000b1f5aebb09c11508fdbeb4d2b3f099c60fd5

Download Submit
C:\Windows\SysWOW64\niyvlwbw.tmp

Filesize
269KB

MD5
a11cd74eb15fc687876e12b5b92687f5

SHA1
f3102a1120c35851d05569ecb4eb5a092ce476fa

SHA256
f4fde442f0702fbcd77202eee85ccd1f16d42de1956433f9a36fd395a407659d

SHA512
a82d7baed421b732b96044e6b2ad83644b24d998d786483e6fe5faecea9f1c338bced3deeb92fe7090a82b5d7484ee16b0273033cfaacf40c8965cd99c951798

Download Submit
memory/4692-13-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/4692-18-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download