cdef9b49022cdfa277e61e57822cbd9e18d2eb2be74aab39f62f873350cf3be9

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

210818c3fc3461d81d5d9f6272e16c4a.exe
Size

36KB
MD5

210818c3fc3461d81d5d9f6272e16c4a
SHA1

a13224aa7fb03e8d4f55709d8bb063e23ff52fc9
SHA256

cdef9b49022cdfa277e61e57822cbd9e18d2eb2be74aab39f62f873350cf3be9
SHA512

09049e18c9b8f6e38ae1f5c879a7c87c9497b14c8799e642983525de79d099f72a2871ecd3228cb9a2d34a7f35e9ec76e71cbc7523087a55dd8aa7e2b0a15b0a
SSDEEP

384:f7ZRiVisM3Kvv41+ofl1qRMQcYm4E1HK0sz2F2aT7ZIQqXfBW3x:f78isMavAEof7quQcfH7szozfCQqP8x

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPSEO\Parameters\ServiceDll = "C:\\Windows\\system32\\ipse0.dll"	210818c3fc3461d81d5d9f6272e16c4a.exe

Deletes itself 1 IoCs

pid	Process
1944	DelBF97.tmp

Executes dropped EXE 1 IoCs

pid	Process
1944	DelBF97.tmp

Loads dropped DLL 1 IoCs

pid	Process
4900	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ipse60.dll	210818c3fc3461d81d5d9f6272e16c4a.exe
File opened for modification	C:\Windows\SysWOW64\ipse60.dll	210818c3fc3461d81d5d9f6272e16c4a.exe
File created	C:\Windows\SysWOW64\ipse0.dll	210818c3fc3461d81d5d9f6272e16c4a.exe
File opened for modification	C:\Windows\SysWOW64\ipse0.dll	210818c3fc3461d81d5d9f6272e16c4a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4900	svchost.exe
4900	svchost.exe
4900	svchost.exe
4900	svchost.exe
4900	svchost.exe
4900	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1944	1044	210818c3fc3461d81d5d9f6272e16c4a.exe	91
PID 1044 wrote to memory of 1944	1044	210818c3fc3461d81d5d9f6272e16c4a.exe	91
PID 1044 wrote to memory of 1944	1044	210818c3fc3461d81d5d9f6272e16c4a.exe	91

C:\Users\Admin\AppData\Local\Temp\210818c3fc3461d81d5d9f6272e16c4a.exe
"C:\Users\Admin\AppData\Local\Temp\210818c3fc3461d81d5d9f6272e16c4a.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\DelBF97.tmp
  C:\Users\Admin\AppData\Local\Temp\DelBF97.tmp 328 "C:\Users\Admin\AppData\Local\Temp\210818c3fc3461d81d5d9f6272e16c4a.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k IPSEO -s IPSEO
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelBF97.tmp

Filesize
36KB

MD5
210818c3fc3461d81d5d9f6272e16c4a

SHA1
a13224aa7fb03e8d4f55709d8bb063e23ff52fc9

SHA256
cdef9b49022cdfa277e61e57822cbd9e18d2eb2be74aab39f62f873350cf3be9

SHA512
09049e18c9b8f6e38ae1f5c879a7c87c9497b14c8799e642983525de79d099f72a2871ecd3228cb9a2d34a7f35e9ec76e71cbc7523087a55dd8aa7e2b0a15b0a

Download Submit
\??\c:\windows\SysWOW64\ipse0.dll

Filesize
6KB

MD5
75150ecf39e0d2f173cc055745739b84

SHA1
f23515280c404d4996a88bfeec45ee030ae79a58

SHA256
63bfd35e51164acf1f75ffd6edddf6dac79932587b4da50f93a873228c608e30

SHA512
5ab42b512cd525725a53c4863d32307ffe550f113bb04b4ed414eea21be3f0f897e01bc0782411b143e31384951ee211fc3bb390afc940f27a52b56071ea616e

Download Submit