3258001bd74ab68825ac5c7d6ceeadb6fc4a1737704fa28227a0b0a250270d93

Analysis

max time kernel
144s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16c1f3a171bca17a2afb429a451afb1d.exe
Size

13KB
MD5

16c1f3a171bca17a2afb429a451afb1d
SHA1

b93d6bd21483baba6ba0f121bb31f3c1a460f24a
SHA256

3258001bd74ab68825ac5c7d6ceeadb6fc4a1737704fa28227a0b0a250270d93
SHA512

f487ea923f195ecfb06b60f0e000f1f7dab5c4db9c47cd9a6cf833814695a1fbaffb3cabb7798e52413be9366e384579e3934e47ad353a3490e8512c42037a77
SSDEEP

192:nmOr1W7LByeduaOkAG6+mkAuLe/LJwlfeTSBaXZQmV/le8ZSwMFd3oCd7a7vtyB8:nma1F4t6Vpu+yMpV/lLSwsGg7EqXX4CG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dispexcb.dll = "{76D44356-B494-443a-BEDC-AA68DE4255E6}"	16c1f3a171bca17a2afb429a451afb1d.exe

Loads dropped DLL 1 IoCs

pid	Process
4456	16c1f3a171bca17a2afb429a451afb1d.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dispexcb.tmp	16c1f3a171bca17a2afb429a451afb1d.exe
File opened for modification	C:\Windows\SysWOW64\dispexcb.tmp	16c1f3a171bca17a2afb429a451afb1d.exe
File opened for modification	C:\Windows\SysWOW64\dispexcb.nls	16c1f3a171bca17a2afb429a451afb1d.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32	16c1f3a171bca17a2afb429a451afb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ = "C:\\Windows\\SysWow64\\dispexcb.dll"	16c1f3a171bca17a2afb429a451afb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ThreadingModel = "Apartment"	16c1f3a171bca17a2afb429a451afb1d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}	16c1f3a171bca17a2afb429a451afb1d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4456	16c1f3a171bca17a2afb429a451afb1d.exe
4456	16c1f3a171bca17a2afb429a451afb1d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4456	16c1f3a171bca17a2afb429a451afb1d.exe
4456	16c1f3a171bca17a2afb429a451afb1d.exe
4456	16c1f3a171bca17a2afb429a451afb1d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4964	4456	16c1f3a171bca17a2afb429a451afb1d.exe	97
PID 4456 wrote to memory of 4964	4456	16c1f3a171bca17a2afb429a451afb1d.exe	97
PID 4456 wrote to memory of 4964	4456	16c1f3a171bca17a2afb429a451afb1d.exe	97

C:\Users\Admin\AppData\Local\Temp\16c1f3a171bca17a2afb429a451afb1d.exe
"C:\Users\Admin\AppData\Local\Temp\16c1f3a171bca17a2afb429a451afb1d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\E6C6.tmp.bat
  2⤵
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E6C6.tmp.bat

Filesize
179B

MD5
e5800d2a9023f3c4c76b8cf53b04dc7a

SHA1
ab0f8c12b8a952c1dc1991aa0d10930137f26925

SHA256
837059b793d5f7176e774d36c3391a9041bbfdced884d9c0f0e27b17b4250ac9

SHA512
be64d87a472b952489857cac42f6fc252a0d29771071648566dc13c87c21b43a5a2933d5c2dc8ece85ddb0a5adf51e61cdd6400bd181e3cc42671d86048968b8

Download Submit
C:\Windows\SysWOW64\dispexcb.dll

Filesize
941KB

MD5
e861b459a7b237a064317c54bc91c3e2

SHA1
08d4f63f7b059f29cb800fc9922baa42b99e9f34

SHA256
a63ef43ea07e4a293a6d7618490570922cb189aba83355ed894b3493cc282893

SHA512
945eb9734fe4db88f0fc2e45de4f7d300a913c4730b115e52ff6b96fb0686fa70c50d17c61de3d2019307bc1ab4e1a679afb710028a1b963bf503214e8c4d107

Download Submit
C:\Windows\SysWOW64\dispexcb.nls

Filesize
428B

MD5
258053b380bc93b614c32a18b8b726ea

SHA1
0f04967ba3a6226368623155838d51711e3e0a8c

SHA256
2ab1145482d8d09e90d8d0e2b5f4ff2532eb89ba7f71587ee15a9dd7138e18ef

SHA512
71146acb2f4ad59df738d49749908af7f87a28c3aa970f61f48786bbabafae4b9f3c8e85ec9d51e517aa2dca1bc276db66d49b90823690f67a19164b23f8f2eb

Download Submit
C:\Windows\SysWOW64\dispexcb.tmp

Filesize
204KB

MD5
5d4576b89a9469de8360168762a89de1

SHA1
0079788e61dcb678e958c78142087bca9a054b75

SHA256
6e76e3dd823b7481439c1ffdac62c133082630a6bf48ca6dc09498c11edd7c9b

SHA512
66ec3f06b41171be68e082ea8c72182854589c094c3e387ccf3a3e18fa3a302149735adac39f333bf6a048844ea6d344408198d4e7c616a65c624d1ae453d5ff

Download Submit
memory/4456-17-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download
memory/4456-22-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download