Analysis

  • max time kernel: 118s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 29/12/2023, 19:57

General

  • Target: 02697866ed322eac1cb757a574089ba6.exe
  • Size: 92KB
  • MD5: 02697866ed322eac1cb757a574089ba6
  • SHA1: 3393b1f22f447e21d8f417c5e45f200091091e1a
  • SHA256: 79f3d4ffcb38a0d20454ecaca60bfc0427c0595489c26ddf4304ac40b42448ba
  • SHA512: 0c2f818bd62c1ea493a95e80b37b7096b35dab5c8f23361c33b2a7d66c4788db53e5520a6958532cd06e4e2938eef2f7b8871db1936d0899eb4409b0abb4d8fe
  • SSDEEP: 768:7TToLE6M/M50JMsXDM9NtNrBDsX9Mix489Et78XKTTo1:7TToLE6M/M5Katwdx4MEWaTTo1

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (1 IoCs)
  • UPX packed file (4 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory (1 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (45 IoCs)
  • Runs .reg file with regedit (1 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\02697866ed322eac1cb757a574089ba6.exe
    "C:\Users\Admin\AppData\Local\Temp\02697866ed322eac1cb757a574089ba6.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files\lj\dllaxjsl.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:2576
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\reg.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
  • C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Windows\reg.reg
    1⤵
    • Installs/modifies Browser Helper Object
    • Runs .reg file with regedit
    PID:2488

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\reg.reg
    Filesize: 185B
    MD5: 12bd717417516054ab1e182a063055b7
    SHA1: d25ff40c376e932372a5c562ba8061ead8468519
    SHA256: 6abe4d60e1dfbfabf5f53a170fce0a0675c45892c4cda089d2ef262c81171e2b
    SHA512: e5feabe7a7d24d0e6e0fd63662897100e17e01ac5a72c9df2002a694b705b5ad7ed0c0dfa1b50f0740400fcfdcddaba189f99038d29a841381f95ceda923c7b2

  • \Program Files\lj\dllaxjsl.dll
    Filesize: 32KB
    MD5: bf41207ec87014150c2f884bcb6a15b3
    SHA1: 4abb6e0088a7f6408a549ffdab97be173531fdf5
    SHA256: fd1f06dc1751f222e1f2a4442c9f45a333aee5169cba688616ca8e1f889a8dc6
    SHA512: c1ab38637e9755dcb5d061260c0748443e5682bcd33b911e9638a0e11fc7e31414387809ded59928edad685ed985865e29762fb5f534fd193ea964e1f1bea17d

  • memory/1748-0-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
  • memory/1748-3-0x0000000000020000-0x0000000000038000-memory.dmp (Filesize: 96KB)
  • memory/1748-2-0x0000000000020000-0x0000000000038000-memory.dmp (Filesize: 96KB)
  • memory/1748-1-0x0000000000020000-0x0000000000038000-memory.dmp (Filesize: 96KB)
  • memory/1748-8-0x0000000000020000-0x0000000000038000-memory.dmp (Filesize: 96KB)
  • memory/1748-7-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)
  • memory/1748-9-0x0000000000020000-0x0000000000038000-memory.dmp (Filesize: 96KB)
  • memory/1748-14-0x0000000000400000-0x0000000000418000-memory.dmp (Filesize: 96KB)