37a00ecbd7e4af9a25f93e074e9b9a7f70cdfac3e63fe56894129f65b0952833

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 05:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f83592a2a08a9403dfe5b508501e6e6.exe
Size

14KB
MD5

0f83592a2a08a9403dfe5b508501e6e6
SHA1

92c107234fad2f5e44539c4e51eccf1594ef38b6
SHA256

37a00ecbd7e4af9a25f93e074e9b9a7f70cdfac3e63fe56894129f65b0952833
SHA512

44bb2a9485d11f6755b445f7c3c51de14e3629d7e6b20f052bb9ac7e36644b937b7bddbfa3258a6218a7bf88226e4c747d0073ac66f0908341f3d140d46fa4bc
SSDEEP

384:po1KfVLuDvNR3nNHbaRn7/NTXJh3PAIBjg7:plluJ/un7VTPP7jg7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\imgutilhx2.dll = "{DA56B183-A731-402b-9235-2CB8803E212D}"	0f83592a2a08a9403dfe5b508501e6e6.exe

Loads dropped DLL 1 IoCs

pid	Process
4188	0f83592a2a08a9403dfe5b508501e6e6.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\imgutilhx2.tmp	0f83592a2a08a9403dfe5b508501e6e6.exe
File opened for modification	C:\Windows\SysWOW64\imgutilhx2.tmp	0f83592a2a08a9403dfe5b508501e6e6.exe
File opened for modification	C:\Windows\SysWOW64\imgutilhx2.nls	0f83592a2a08a9403dfe5b508501e6e6.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32	0f83592a2a08a9403dfe5b508501e6e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32\ = "C:\\Windows\\SysWow64\\imgutilhx2.dll"	0f83592a2a08a9403dfe5b508501e6e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32\ThreadingModel = "Apartment"	0f83592a2a08a9403dfe5b508501e6e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}	0f83592a2a08a9403dfe5b508501e6e6.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4188	0f83592a2a08a9403dfe5b508501e6e6.exe
4188	0f83592a2a08a9403dfe5b508501e6e6.exe
4188	0f83592a2a08a9403dfe5b508501e6e6.exe
4188	0f83592a2a08a9403dfe5b508501e6e6.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4188	0f83592a2a08a9403dfe5b508501e6e6.exe
4188	0f83592a2a08a9403dfe5b508501e6e6.exe
4188	0f83592a2a08a9403dfe5b508501e6e6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 1696	4188	0f83592a2a08a9403dfe5b508501e6e6.exe	100
PID 4188 wrote to memory of 1696	4188	0f83592a2a08a9403dfe5b508501e6e6.exe	100
PID 4188 wrote to memory of 1696	4188	0f83592a2a08a9403dfe5b508501e6e6.exe	100

C:\Users\Admin\AppData\Local\Temp\0f83592a2a08a9403dfe5b508501e6e6.exe
"C:\Users\Admin\AppData\Local\Temp\0f83592a2a08a9403dfe5b508501e6e6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\B585.tmp.bat
  2⤵
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B585.tmp.bat

Filesize
179B

MD5
4e203632c3b17dcc7dee2e3a5187f45d

SHA1
826d84ca534942c402dfccba989aab5f31faad29

SHA256
ec4d4fdfb202d9a6145032db04e8cdbcee220b5c4ffe8ca7a7655924b4eb59f3

SHA512
83406b52f216aeef564a6642a9b9a3bc6fcf73dc3f0b1722c490b282a6db19bd7187fdcdc627f7706c0909627f750b40e4e511cb4dc020152140da11c08998f9

Download Submit
C:\Windows\SysWOW64\imgutilhx2.dll

Filesize
382KB

MD5
1e340408c93fc050143d4025717e4fa3

SHA1
1809678c446dfecdda2ab7add5d8133e4f7816be

SHA256
60648fb6d5d43f84eb4bff2bb1fd535013b39bcb50a4dff67b3339804c5b63fb

SHA512
559131b08c73bf1bc676326cb09b4221bd817bc226fcf6bfed66b43c2cc54f9743621a6f63cefe81ab5ac4f3c6d55ebb7986fa34fd7e7b07f76391dc7765a16e

Download Submit
C:\Windows\SysWOW64\imgutilhx2.tmp

Filesize
893KB

MD5
45414bfdcfcb64b22c1d59eef1f0f053

SHA1
2612acca14787d82df47f8aaf81a49b15c96a911

SHA256
6320224de5b132d7cf9f738d5c81df0643ab56d5153b2539c67630fa1189b2fb

SHA512
26da17cb84810331e4ccc606f5dcee15a0f275ab2e6dd4bf4d9412e4617d7b74911e15e5e40ffecabfaebe9fdbbc7e7637c681d15d240823559e4788cee0c04b

Download Submit
memory/4188-13-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/4188-17-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download