fc914d96fd203c1be425dc20e758c427aff1814816b57745879f0c6bf6410518

Analysis

max time kernel
122s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e4a047d50a33e11ef722c9e4e298b6b.exe
Size

14KB
MD5

0e4a047d50a33e11ef722c9e4e298b6b
SHA1

79a7f4625560655bc73cefbe2a9257d9ef5bc894
SHA256

fc914d96fd203c1be425dc20e758c427aff1814816b57745879f0c6bf6410518
SHA512

5cbf8a18ed910b0bb2a98a7babcc7afceb7e4456f109f0cfba5e1358a691cd3c6962d3ad488e5dafb48cc91392e6db3eb59db88c1daafbb2cb6f0919639b52f7
SSDEEP

384:tczoYdP1jtpypbtB0celpCWDaiBy49vwpPvQDIBJbRE00vtg6AiZQe:OMI1jtMZcl4WDFyqwxjneVg6z5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ygkipkmy.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}"	0e4a047d50a33e11ef722c9e4e298b6b.exe

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1240	0e4a047d50a33e11ef722c9e4e298b6b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ygkipkmy.tmp	0e4a047d50a33e11ef722c9e4e298b6b.exe
File opened for modification	C:\Windows\SysWOW64\ygkipkmy.tmp	0e4a047d50a33e11ef722c9e4e298b6b.exe
File opened for modification	C:\Windows\SysWOW64\ygkipkmy.nls	0e4a047d50a33e11ef722c9e4e298b6b.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}	0e4a047d50a33e11ef722c9e4e298b6b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32	0e4a047d50a33e11ef722c9e4e298b6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\ygkipkmy.dll"	0e4a047d50a33e11ef722c9e4e298b6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment"	0e4a047d50a33e11ef722c9e4e298b6b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1240	0e4a047d50a33e11ef722c9e4e298b6b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1240	0e4a047d50a33e11ef722c9e4e298b6b.exe
1240	0e4a047d50a33e11ef722c9e4e298b6b.exe
1240	0e4a047d50a33e11ef722c9e4e298b6b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 2576	1240	0e4a047d50a33e11ef722c9e4e298b6b.exe	30
PID 1240 wrote to memory of 2576	1240	0e4a047d50a33e11ef722c9e4e298b6b.exe	30
PID 1240 wrote to memory of 2576	1240	0e4a047d50a33e11ef722c9e4e298b6b.exe	30
PID 1240 wrote to memory of 2576	1240	0e4a047d50a33e11ef722c9e4e298b6b.exe	30

C:\Users\Admin\AppData\Local\Temp\0e4a047d50a33e11ef722c9e4e298b6b.exe
"C:\Users\Admin\AppData\Local\Temp\0e4a047d50a33e11ef722c9e4e298b6b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\F97C.tmp.bat
  2⤵
  - Deletes itself
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F97C.tmp.bat

Filesize
179B

MD5
6fabf45afcb97df30e7fa98ca90cac61

SHA1
e0f9a4e9e664ea46f1dbf3012bbee853bbfa6827

SHA256
c754c9c2094b5e45a789b7dd23db383854062d42ad36d4067fbd463547c5b330

SHA512
e79535ec6eae0e9b36ad0367552456225a9c564b79485eb1da2f28629dd3887c13fb1d91fa0fcbea933d58a7396302b91c028305f24b76c3c55d90cb6f913f25

Download Submit
C:\Windows\SysWOW64\ygkipkmy.nls

Filesize
428B

MD5
a7b788a2bb78c13a42c0beadf4727d65

SHA1
43413fa96cce4cb4afafeacadfbcb6117518d868

SHA256
75a7d5178292807ccdbfd30280e699cbf9e16f8ff666499e4ba051c92cac9e24

SHA512
4bce5490ec008d8f07ef166c5f0327a69b54167fdcb9f77ed46ebb6e77247e3e41c69e0b64e726dae25aed83b16e6a63f87904779c3fa1e3900bbced78884d7a

Download Submit
C:\Windows\SysWOW64\ygkipkmy.tmp

Filesize
2.2MB

MD5
2cd54ce2f2163879913b641f6884fee9

SHA1
cfd2dd35dab71242fa5d00e6e1cdbde86274d560

SHA256
84a7ea4e0859f2e9403c39ee45e06398e6288845e1273e840f18dd0aa7872c22

SHA512
aac423653dfdba4829a2d5b89e80bbb211a8d687fdbbcc4d4fd5e6e782b0bc813c3aceda10f1eb9bc3abb70e80482506a2375e81863ddce15e67b520db131ff6

Download Submit
memory/1240-16-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1240-25-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download