3258001bd74ab68825ac5c7d6ceeadb6fc4a1737704fa28227a0b0a250270d93

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16c1f3a171bca17a2afb429a451afb1d.exe
Size

13KB
MD5

16c1f3a171bca17a2afb429a451afb1d
SHA1

b93d6bd21483baba6ba0f121bb31f3c1a460f24a
SHA256

3258001bd74ab68825ac5c7d6ceeadb6fc4a1737704fa28227a0b0a250270d93
SHA512

f487ea923f195ecfb06b60f0e000f1f7dab5c4db9c47cd9a6cf833814695a1fbaffb3cabb7798e52413be9366e384579e3934e47ad353a3490e8512c42037a77
SSDEEP

192:nmOr1W7LByeduaOkAG6+mkAuLe/LJwlfeTSBaXZQmV/le8ZSwMFd3oCd7a7vtyB8:nma1F4t6Vpu+yMpV/lLSwsGg7EqXX4CG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dispexcb.dll = "{76D44356-B494-443a-BEDC-AA68DE4255E6}"	16c1f3a171bca17a2afb429a451afb1d.exe

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	16c1f3a171bca17a2afb429a451afb1d.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dispexcb.tmp	16c1f3a171bca17a2afb429a451afb1d.exe
File opened for modification	C:\Windows\SysWOW64\dispexcb.tmp	16c1f3a171bca17a2afb429a451afb1d.exe
File opened for modification	C:\Windows\SysWOW64\dispexcb.nls	16c1f3a171bca17a2afb429a451afb1d.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}	16c1f3a171bca17a2afb429a451afb1d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32	16c1f3a171bca17a2afb429a451afb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ = "C:\\Windows\\SysWow64\\dispexcb.dll"	16c1f3a171bca17a2afb429a451afb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ThreadingModel = "Apartment"	16c1f3a171bca17a2afb429a451afb1d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2932	16c1f3a171bca17a2afb429a451afb1d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2932	16c1f3a171bca17a2afb429a451afb1d.exe
2932	16c1f3a171bca17a2afb429a451afb1d.exe
2932	16c1f3a171bca17a2afb429a451afb1d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2720	2932	16c1f3a171bca17a2afb429a451afb1d.exe	28
PID 2932 wrote to memory of 2720	2932	16c1f3a171bca17a2afb429a451afb1d.exe	28
PID 2932 wrote to memory of 2720	2932	16c1f3a171bca17a2afb429a451afb1d.exe	28
PID 2932 wrote to memory of 2720	2932	16c1f3a171bca17a2afb429a451afb1d.exe	28

C:\Users\Admin\AppData\Local\Temp\16c1f3a171bca17a2afb429a451afb1d.exe
"C:\Users\Admin\AppData\Local\Temp\16c1f3a171bca17a2afb429a451afb1d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\70FB.tmp.bat
  2⤵
  - Deletes itself
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\70FB.tmp.bat

Filesize
179B

MD5
e5800d2a9023f3c4c76b8cf53b04dc7a

SHA1
ab0f8c12b8a952c1dc1991aa0d10930137f26925

SHA256
837059b793d5f7176e774d36c3391a9041bbfdced884d9c0f0e27b17b4250ac9

SHA512
be64d87a472b952489857cac42f6fc252a0d29771071648566dc13c87c21b43a5a2933d5c2dc8ece85ddb0a5adf51e61cdd6400bd181e3cc42671d86048968b8

Download Submit
C:\Windows\SysWOW64\dispexcb.nls

Filesize
428B

MD5
258053b380bc93b614c32a18b8b726ea

SHA1
0f04967ba3a6226368623155838d51711e3e0a8c

SHA256
2ab1145482d8d09e90d8d0e2b5f4ff2532eb89ba7f71587ee15a9dd7138e18ef

SHA512
71146acb2f4ad59df738d49749908af7f87a28c3aa970f61f48786bbabafae4b9f3c8e85ec9d51e517aa2dca1bc276db66d49b90823690f67a19164b23f8f2eb

Download Submit
C:\Windows\SysWOW64\dispexcb.tmp

Filesize
944KB

MD5
46dcac9652031871b3fe9c9dcb199b76

SHA1
6ec8950b4524932941e853e9560db847ca51461b

SHA256
9b79b5da72565ccf364baf8c33d2fc39c8aacd605db825a00c8437503fccc4d6

SHA512
474a1973ddea4ab8c2c431238c89710d62c5b6e333d6f996a397b8328c783655d98320f87b74a8a0e0370f9fba6b8d491401d517d992964936d454eb0a8e4069

Download Submit
memory/2932-16-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download
memory/2932-25-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download