e9063e847f506e45000ee8f983b3db62bc19f2e7fa79edc18f7b8162b6dfe46c

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9fa391b449719565a188b51105913a.dll
Size

169KB
MD5

0e9fa391b449719565a188b51105913a
SHA1

845b9d1b5d2fcbf23333aa577cb18ccbaed3821b
SHA256

e9063e847f506e45000ee8f983b3db62bc19f2e7fa79edc18f7b8162b6dfe46c
SHA512

01a4f7b305e2fdae2b18dac6f6d29b74299dc5e341e386b912df5f7dc5deb0de1c97e821abf9a9a7b80ef74d296c95b7775e5df26319f1639ccf5390bada72e9
SSDEEP

3072:h58nVS9CNRMrdfbkqaX9y8lJupNO2hOtvncB4SMM99QmVK9yB4U:hmVMCTMrdbWQ8lJ4NO2hOtvLTm0yB

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~3\\32simdllqwe.dat,StartAs"	regsvr32.exe

Drops file in Program Files directory 4 IoCs

Processes:

regsvr32.exe

description	ioc	process
File created	C:\PROGRA~3\32simdllqwe.dat	regsvr32.exe
File opened for modification	C:\PROGRA~3\32simdllqwe.dat	regsvr32.exe
File created	C:\PROGRA~3\ewqlldmis23.dat	regsvr32.exe
File opened for modification	C:\PROGRA~3\ewqlldmis23.dat	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

476 regsvr32.exe
476 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regsvr32.exe

description pid process

Token: SeDebugPrivilege 476 regsvr32.exe

pid	process
476	regsvr32.exe
476	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	476	regsvr32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3136 wrote to memory of 476	3136	regsvr32.exe	regsvr32.exe
PID 3136 wrote to memory of 476	3136	regsvr32.exe	regsvr32.exe
PID 3136 wrote to memory of 476	3136	regsvr32.exe	regsvr32.exe
PID 476 wrote to memory of 3552	476	regsvr32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0e9fa391b449719565a188b51105913a.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0e9fa391b449719565a188b51105913a.dll
3⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\32simdllqwe.dat
Filesize
1.2MB

MD5
f77683d17764cb9dc123517d2ea43128

SHA1
c24e0bde4f994d34259a8334d97e199d5c0937f8

SHA256
16d8ea40fdf9471ff76dadca46d4ebd5d8334d88b5508de9dec6dacd14135c29

SHA512
ae0cb85c7d0b0c8f7b0539d3af56f3a3e370bf6e0ed03c715d570b97ae22dd56f6c1c56188907977e6354194d0a8223f00481a4ae9e942d2f54a9dc7840790dd

Download Submit
C:\PROGRA~3\ewqlldmis23.dat
Filesize
1.2MB

MD5
b5afe45995f25c5c30648f84a89dd606

SHA1
9dc8a44aa4e346faa3d6c02f5889c8a0923b8300

SHA256
11e7761e16e306937e9ff0175933d81e24c95b2488f3cbff70c7394dd2cb85a4

SHA512
cf35434acc211f51bc8ac1f111c6b3b1780b27924e46fbc35b6d328e9c7aa7eee0d33ff621bb7c8e0d2716f6e6114dd5f304f49354c4ff42bff0efeb805ffaea

Download Submit
memory/476-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/476-1-0x0000000002C90000-0x0000000002CBA000-memory.dmp

Filesize
168KB

Download
memory/476-2-0x0000000002D00000-0x0000000002D68000-memory.dmp

Filesize
416KB

Download
memory/476-3-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/476-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download