969ff1524e50f532b272cee748b30da63c6892608986705e34a89efcc3ea40d4

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf97b5fe3133c0bdc8100a13972dbbd.exe
Size

12KB
MD5

0cf97b5fe3133c0bdc8100a13972dbbd
SHA1

c1e4ee58268912aa625c8afb3e38806e61cd5730
SHA256

969ff1524e50f532b272cee748b30da63c6892608986705e34a89efcc3ea40d4
SHA512

0a14414bd40f9e3432eb177fdd7bbb51918aba35f2018e4f8445e807b346dbd164741a24d403ccbf59fd12134628a9403d28a828b93096a4bd6d30c8703d772f
SSDEEP

384:8no7NccDdj9T9AicZA6Foap8fVxTz8VanCj:ePgt9ZOFoap8fVxUVaCj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\adsntzt.dll = "{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}"	0cf97b5fe3133c0bdc8100a13972dbbd.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2916	0cf97b5fe3133c0bdc8100a13972dbbd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adsntzt.tmp	0cf97b5fe3133c0bdc8100a13972dbbd.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.tmp	0cf97b5fe3133c0bdc8100a13972dbbd.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.nls	0cf97b5fe3133c0bdc8100a13972dbbd.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32	0cf97b5fe3133c0bdc8100a13972dbbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ = "C:\\Windows\\SysWow64\\adsntzt.dll"	0cf97b5fe3133c0bdc8100a13972dbbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}\InProcServer32\ThreadingModel = "Apartment"	0cf97b5fe3133c0bdc8100a13972dbbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}	0cf97b5fe3133c0bdc8100a13972dbbd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2916	0cf97b5fe3133c0bdc8100a13972dbbd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2916	0cf97b5fe3133c0bdc8100a13972dbbd.exe
2916	0cf97b5fe3133c0bdc8100a13972dbbd.exe
2916	0cf97b5fe3133c0bdc8100a13972dbbd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2612	2916	0cf97b5fe3133c0bdc8100a13972dbbd.exe	28
PID 2916 wrote to memory of 2612	2916	0cf97b5fe3133c0bdc8100a13972dbbd.exe	28
PID 2916 wrote to memory of 2612	2916	0cf97b5fe3133c0bdc8100a13972dbbd.exe	28
PID 2916 wrote to memory of 2612	2916	0cf97b5fe3133c0bdc8100a13972dbbd.exe	28

C:\Users\Admin\AppData\Local\Temp\0cf97b5fe3133c0bdc8100a13972dbbd.exe
"C:\Users\Admin\AppData\Local\Temp\0cf97b5fe3133c0bdc8100a13972dbbd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\88B0.tmp.bat
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\88B0.tmp.bat

Filesize
179B

MD5
5e24d501dab38e43f1bcc2cfef3429e2

SHA1
11e125ad6a1d2c0c0fdb1535be534a88024f07db

SHA256
a44a97646b668937cd4db1ca76389d334c47a540665a4eb7f3bdd3bc39b7a20b

SHA512
51e4ca5802b12b1952e0345242072f8f4f7a0906819a158dc8e122fa377f225dd2901290a365c7fe694c5090a83cbd637579b70deb8352ea6e315536f92b2bfe

Download Submit
C:\Windows\SysWOW64\adsntzt.tmp

Filesize
820KB

MD5
332baa9a2a32fba68e7f345e6a8f0412

SHA1
17e0f4a40c88238bdc88970498994e73933235bd

SHA256
e4ca330350c55140f33edab0cc89120d5c403b7851e34a01f3913b3d7d9f7c64

SHA512
9bd4ec4ae3044424cf10dc4e3162079bc422008abe227d70cf10c691bc70320d03568d80b12bfaec4c487ecff2f2b6715818d030f08dd82e1d790c4bc962e19e

Download Submit
memory/2916-12-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2916-21-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download