45deff015597f67501c01518f2e11209d8e00b52e69c134f5e8f58a737cb3e12

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02c2f6dfef55210997c5e3934c276f22.exe
Size

13KB
MD5

02c2f6dfef55210997c5e3934c276f22
SHA1

e88637c19b53147267f9a108a13bde55fa4bd5e7
SHA256

45deff015597f67501c01518f2e11209d8e00b52e69c134f5e8f58a737cb3e12
SHA512

e3911e17a624df3b1ac61bccd8022edbd6d369d1b87bb788d583759cb83d291722cc461d738092f8b6d45952db035d0f5a5e726327fd46ec09207345e09d905a
SSDEEP

192:Z38Tl0cAvPoe3qEOLmHAqy84Omh8E+PeR3nr0NU+oMIoItRaGw6pG/151SQwtZUu:Z3850xPo+rZAGE+GVnqIoIPg6pg7xA9d

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xwwyreak.dll = "{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}"	02c2f6dfef55210997c5e3934c276f22.exe

Loads dropped DLL 1 IoCs

pid	Process
1688	02c2f6dfef55210997c5e3934c276f22.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xwwyreak.tmp	02c2f6dfef55210997c5e3934c276f22.exe
File opened for modification	C:\Windows\SysWOW64\xwwyreak.tmp	02c2f6dfef55210997c5e3934c276f22.exe
File opened for modification	C:\Windows\SysWOW64\xwwyreak.nls	02c2f6dfef55210997c5e3934c276f22.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}	02c2f6dfef55210997c5e3934c276f22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}\InProcServer32	02c2f6dfef55210997c5e3934c276f22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}\InProcServer32\ = "C:\\Windows\\SysWow64\\xwwyreak.dll"	02c2f6dfef55210997c5e3934c276f22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}\InProcServer32\ThreadingModel = "Apartment"	02c2f6dfef55210997c5e3934c276f22.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1688	02c2f6dfef55210997c5e3934c276f22.exe
1688	02c2f6dfef55210997c5e3934c276f22.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1688	02c2f6dfef55210997c5e3934c276f22.exe
1688	02c2f6dfef55210997c5e3934c276f22.exe
1688	02c2f6dfef55210997c5e3934c276f22.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 3672	1688	02c2f6dfef55210997c5e3934c276f22.exe	97
PID 1688 wrote to memory of 3672	1688	02c2f6dfef55210997c5e3934c276f22.exe	97
PID 1688 wrote to memory of 3672	1688	02c2f6dfef55210997c5e3934c276f22.exe	97

C:\Users\Admin\AppData\Local\Temp\02c2f6dfef55210997c5e3934c276f22.exe
"C:\Users\Admin\AppData\Local\Temp\02c2f6dfef55210997c5e3934c276f22.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BD83.tmp.bat
  2⤵
  PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD83.tmp.bat

Filesize
179B

MD5
3543b8bf29d633631c4d15623761160f

SHA1
04f69a922f061e3aedc97ddd810acf321b6f3b23

SHA256
dfebad9e8456fe27c0bba127de864928bb6cc84ae356c1d981e0c3e064ad1819

SHA512
86c1d5965c2a8662ace6a1e6b3eebdce2c091389cf328f9eafbb0ab68f86706d242502bb572dc6c4656d17ee29977e3560b08503eb9bf4adfdb8bcdd9f9c2302

Download Submit
C:\Windows\SysWOW64\xwwyreak.dll

Filesize
993KB

MD5
f3ffea00022012cc01f443ea6aa91f70

SHA1
ba61c7b7ee672711b3af1892045e8fd58a7daf9c

SHA256
f4524276df11409f5e054b07e96bb93f3743672add6ced69d7fdb1aa82236b38

SHA512
75aa171a645de1bbf61421109261b1c00c60769eeb4c66a444739c4437eb176a016b7dffc384fe40039b41adf956a142510f0f67450457d6f2d15c5fc525bf2d

Download Submit
C:\Windows\SysWOW64\xwwyreak.tmp

Filesize
1.2MB

MD5
1442a251b36de26db37b51ecffd8fe34

SHA1
c6e6e272ca9d70ab73bada212ce2bb64b2d034eb

SHA256
a48f13e11950d08b63662e1dda63f9f799caa7f9065c3ac2f2c69309bec6fd68

SHA512
5417a6538a6f17c2dd429a09f43bbac11ea515da5a4e4f18cf73a665cb4f1cf6054b8c094766e39c8ab8b2a3ac1f5db747d944d80bdea988b33eeb0efd48f3eb

Download Submit
memory/1688-13-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1688-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download