ca1853b0cddf67d881e1bdb39b48386af1bc5cb8f7fcd3a70b151b35b46092fc

Analysis

max time kernel
177s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0887d2051d384859635c448d13b953ac.exe
Size

14KB
MD5

0887d2051d384859635c448d13b953ac
SHA1

f8be03acac38294d7b5af5315419a275d96bc51e
SHA256

ca1853b0cddf67d881e1bdb39b48386af1bc5cb8f7fcd3a70b151b35b46092fc
SHA512

ce4ece77bd33b8d9105644f6bb53fc960a4d0b280cfc498314140d4986d24566d11b1318aee2f3e3530219b4602d7b2ffbf7b6b088337f20b8c192c2663a8cf8
SSDEEP

384:N/OpcJix5cUxb7znzOOf/EAasNIR9rPGrCa/zOQ3:EpcJC5cUt77aSIKAR+d1

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bniyccby.dll = "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"	0887d2051d384859635c448d13b953ac.exe

Loads dropped DLL 1 IoCs

pid	Process
3508	0887d2051d384859635c448d13b953ac.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bniyccby.tmp	0887d2051d384859635c448d13b953ac.exe
File opened for modification	C:\Windows\SysWOW64\bniyccby.nls	0887d2051d384859635c448d13b953ac.exe
File created	C:\Windows\SysWOW64\bniyccby.tmp	0887d2051d384859635c448d13b953ac.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ = "C:\\Windows\\SysWow64\\bniyccby.dll"	0887d2051d384859635c448d13b953ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ThreadingModel = "Apartment"	0887d2051d384859635c448d13b953ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}	0887d2051d384859635c448d13b953ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32	0887d2051d384859635c448d13b953ac.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3508	0887d2051d384859635c448d13b953ac.exe
3508	0887d2051d384859635c448d13b953ac.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3508	0887d2051d384859635c448d13b953ac.exe
3508	0887d2051d384859635c448d13b953ac.exe
3508	0887d2051d384859635c448d13b953ac.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4484	3508	0887d2051d384859635c448d13b953ac.exe	101
PID 3508 wrote to memory of 4484	3508	0887d2051d384859635c448d13b953ac.exe	101
PID 3508 wrote to memory of 4484	3508	0887d2051d384859635c448d13b953ac.exe	101

C:\Users\Admin\AppData\Local\Temp\0887d2051d384859635c448d13b953ac.exe
"C:\Users\Admin\AppData\Local\Temp\0887d2051d384859635c448d13b953ac.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\6CAF.tmp.bat
  2⤵
  PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6CAF.tmp.bat

Filesize
179B

MD5
416fa84c8dbb91e34cbf879a6b3d25bf

SHA1
e19259572840427f3f7bd20cc9a5f9df6f77f369

SHA256
d16847ec764d303baab1a599bcd06fb7ac1be92b0735cc9463a496219dfe0294

SHA512
554b24f9c3a84f2503f9c4d2ebde2caa0e0b365d41c2c70387ecacc892e834d6edfb35208dfe343310445afb2a3a5e321768af221cce89b26422a929f68e65c9

Download Submit
C:\Windows\SysWOW64\bniyccby.dll

Filesize
332KB

MD5
b9a25e4d8e62aea2ad420eb7a1c7c352

SHA1
d17f6dd762f1645430b9927f1216ba6b750c7c7e

SHA256
0090b13a44ab1e411607d130b0ef32ab16b585efb6c88faef16d8ae1373067af

SHA512
0e01cf14e3a8746829e58a9f2814acb984d1e5b5daf6dcb0c712a207f6e692023b823872f80b8b9a876ff340b87dcb612b513f91c87e13148ff0bc65dd4cdc27

Download Submit
C:\Windows\SysWOW64\bniyccby.nls

Filesize
428B

MD5
1210ea00eba0d69ce9a954c89b08eb98

SHA1
0cc4f9d9aa401c91818737062b824df6916b975e

SHA256
3182106aa082b293f05e83acc50aa9c0b3fb3972f8feb988c00739719be83d69

SHA512
efd0a54cdf4593f9297bbc584da61e92f78462c970042b875c613aa26b6aaa5174b311b17b74776526407f48fbfae4ce6e7a775136bcf377562b77fe03d23d5a

Download Submit
C:\Windows\SysWOW64\bniyccby.tmp

Filesize
459KB

MD5
ec6314ebc7554be4749271b14b823b59

SHA1
146c960c1b5fccc11c10d8ec349df08bf9be1f4d

SHA256
79fe5a4fc609bc6ad225676090d1f44c36478e5bf8ff8538cd96f4adf1540f0c

SHA512
d70f8e536e878e08966b7b55832cb9acc15a8e22df9e967fd5d1dc402fee7e330ca6fa3bcdb0440c8c563c39682bae0b64bbe3883739c1d11b1b97a33b600330

Download Submit
memory/3508-17-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3508-22-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download