fc914d96fd203c1be425dc20e758c427aff1814816b57745879f0c6bf6410518

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e4a047d50a33e11ef722c9e4e298b6b.exe
Size

14KB
MD5

0e4a047d50a33e11ef722c9e4e298b6b
SHA1

79a7f4625560655bc73cefbe2a9257d9ef5bc894
SHA256

fc914d96fd203c1be425dc20e758c427aff1814816b57745879f0c6bf6410518
SHA512

5cbf8a18ed910b0bb2a98a7babcc7afceb7e4456f109f0cfba5e1358a691cd3c6962d3ad488e5dafb48cc91392e6db3eb59db88c1daafbb2cb6f0919639b52f7
SSDEEP

384:tczoYdP1jtpypbtB0celpCWDaiBy49vwpPvQDIBJbRE00vtg6AiZQe:OMI1jtMZcl4WDFyqwxjneVg6z5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lrgygrhs.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}"	0e4a047d50a33e11ef722c9e4e298b6b.exe

Loads dropped DLL 1 IoCs

pid	Process
3896	0e4a047d50a33e11ef722c9e4e298b6b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lrgygrhs.tmp	0e4a047d50a33e11ef722c9e4e298b6b.exe
File opened for modification	C:\Windows\SysWOW64\lrgygrhs.tmp	0e4a047d50a33e11ef722c9e4e298b6b.exe
File opened for modification	C:\Windows\SysWOW64\lrgygrhs.nls	0e4a047d50a33e11ef722c9e4e298b6b.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}	0e4a047d50a33e11ef722c9e4e298b6b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32	0e4a047d50a33e11ef722c9e4e298b6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\lrgygrhs.dll"	0e4a047d50a33e11ef722c9e4e298b6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment"	0e4a047d50a33e11ef722c9e4e298b6b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3896	0e4a047d50a33e11ef722c9e4e298b6b.exe
3896	0e4a047d50a33e11ef722c9e4e298b6b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3896	0e4a047d50a33e11ef722c9e4e298b6b.exe
3896	0e4a047d50a33e11ef722c9e4e298b6b.exe
3896	0e4a047d50a33e11ef722c9e4e298b6b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 2800	3896	0e4a047d50a33e11ef722c9e4e298b6b.exe	100
PID 3896 wrote to memory of 2800	3896	0e4a047d50a33e11ef722c9e4e298b6b.exe	100
PID 3896 wrote to memory of 2800	3896	0e4a047d50a33e11ef722c9e4e298b6b.exe	100

C:\Users\Admin\AppData\Local\Temp\0e4a047d50a33e11ef722c9e4e298b6b.exe
"C:\Users\Admin\AppData\Local\Temp\0e4a047d50a33e11ef722c9e4e298b6b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\C592.tmp.bat
  2⤵
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C592.tmp.bat

Filesize
179B

MD5
6fabf45afcb97df30e7fa98ca90cac61

SHA1
e0f9a4e9e664ea46f1dbf3012bbee853bbfa6827

SHA256
c754c9c2094b5e45a789b7dd23db383854062d42ad36d4067fbd463547c5b330

SHA512
e79535ec6eae0e9b36ad0367552456225a9c564b79485eb1da2f28629dd3887c13fb1d91fa0fcbea933d58a7396302b91c028305f24b76c3c55d90cb6f913f25

Download Submit
C:\Windows\SysWOW64\lrgygrhs.dll

Filesize
1024KB

MD5
ea038b6e29ee8e17687b1b9f3ed78497

SHA1
b19ce65d60da092fe8cfa8ce82652f9628f00e00

SHA256
2e2b913415546198ea5364575dd3beeff6cc61a8f1e380cea992e798a0cb91b3

SHA512
7e57cdaaba721110afee864601b8f8b09ac4eb396dd862a516eb4a7ef0fac68be2b59361d3c0b47447205f0c563e758c95e75342d5d79d1136525865eec33887

Download Submit
C:\Windows\SysWOW64\lrgygrhs.nls

Filesize
428B

MD5
a7b788a2bb78c13a42c0beadf4727d65

SHA1
43413fa96cce4cb4afafeacadfbcb6117518d868

SHA256
75a7d5178292807ccdbfd30280e699cbf9e16f8ff666499e4ba051c92cac9e24

SHA512
4bce5490ec008d8f07ef166c5f0327a69b54167fdcb9f77ed46ebb6e77247e3e41c69e0b64e726dae25aed83b16e6a63f87904779c3fa1e3900bbced78884d7a

Download Submit
C:\Windows\SysWOW64\lrgygrhs.tmp

Filesize
1.2MB

MD5
fb50211b403e21edb284d7160bf8e8f9

SHA1
f7035bf36a7d653bd97b1095e398420a22a20203

SHA256
4c161a72f09e023f7d21eaa0473046a673aba8445538257850074e6ce7eef617

SHA512
eab3e639fe7b80f6be78186705a0146cc6070d646825fd61ceb5c6fc21c29aa4dbe4cea66ab43b28be2f1960fdaafe5ed561544b9838f283e57ed13ffc06275d

Download Submit
memory/3896-17-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/3896-21-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download