d14818e17de66a4547f91f21143211466116f67988f90e3c06a4592bf0fc3890

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22881642dee4ec8b9ce9c7ce3693cdb7.exe
Size

13KB
MD5

22881642dee4ec8b9ce9c7ce3693cdb7
SHA1

7c6c07466e8cdcfc4b0d65714993ad05ac261fe6
SHA256

d14818e17de66a4547f91f21143211466116f67988f90e3c06a4592bf0fc3890
SHA512

3b077eb473431001615e6f6efe2b1ec809fbcf74ba71abe30c6c19e6ff65234a169dbcdd5b7a4472c465749eb6ccd86fac6fdb1283d195ee28ab7b7128edab80
SSDEEP

384:15VQTh1BCbsmUBOnBF+tkdTLX4jDI+DYp:UhqpUUqiZX4jk+4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cliconfgzx.dll = "{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}"	22881642dee4ec8b9ce9c7ce3693cdb7.exe

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	22881642dee4ec8b9ce9c7ce3693cdb7.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cliconfgzx.tmp	22881642dee4ec8b9ce9c7ce3693cdb7.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.tmp	22881642dee4ec8b9ce9c7ce3693cdb7.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.nls	22881642dee4ec8b9ce9c7ce3693cdb7.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32	22881642dee4ec8b9ce9c7ce3693cdb7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ = "C:\\Windows\\SysWow64\\cliconfgzx.dll"	22881642dee4ec8b9ce9c7ce3693cdb7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ThreadingModel = "Apartment"	22881642dee4ec8b9ce9c7ce3693cdb7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}	22881642dee4ec8b9ce9c7ce3693cdb7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2392	22881642dee4ec8b9ce9c7ce3693cdb7.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2392	22881642dee4ec8b9ce9c7ce3693cdb7.exe
2392	22881642dee4ec8b9ce9c7ce3693cdb7.exe
2392	22881642dee4ec8b9ce9c7ce3693cdb7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2652	2392	22881642dee4ec8b9ce9c7ce3693cdb7.exe	29
PID 2392 wrote to memory of 2652	2392	22881642dee4ec8b9ce9c7ce3693cdb7.exe	29
PID 2392 wrote to memory of 2652	2392	22881642dee4ec8b9ce9c7ce3693cdb7.exe	29
PID 2392 wrote to memory of 2652	2392	22881642dee4ec8b9ce9c7ce3693cdb7.exe	29

C:\Users\Admin\AppData\Local\Temp\22881642dee4ec8b9ce9c7ce3693cdb7.exe
"C:\Users\Admin\AppData\Local\Temp\22881642dee4ec8b9ce9c7ce3693cdb7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\7964.tmp.bat
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7964.tmp.bat

Filesize
179B

MD5
a6d18a4c21006efdd63f4c63fb1cfe52

SHA1
12a48d85b017b3e9c84c983d09215ae442f920cc

SHA256
83491d408853313083084c0ff83079f4e11a4d9cfa5c5464b24db5692ee30c20

SHA512
92124bfd4483adcb603eaf459a0ae8b3498bc8378cb9d7005267e801624f118d370680bf8e5345498eb51b41f4eae1f65c2c5f9cbab76283c82ad2067c9397c9

Download Submit
C:\Windows\SysWOW64\cliconfgzx.dll

Filesize
384KB

MD5
cf98d45036fae5c8a92d88e88394aa23

SHA1
c5520f622eb8df3e6dede1ec9135d108e8a8ee2a

SHA256
b5d90d5cfd23e91667bfc8707c7fd94bc018e34e47f337c0d3212211a9c0b39a

SHA512
7d96a18493b0066eef480760caf6cede61b786a4e1681aa5b987257f3bbbb2e5ba9d3faee32f99f94044aa943b7b85b619ffb87a5acfc640e48adc8916b09b52

Download Submit
\Windows\SysWOW64\cliconfgzx.dll

Filesize
100KB

MD5
5ab5ae26a5b26d6c04bbe8a8fab0ffaf

SHA1
cfbb4b4db802265d1298eec6008e6b4435eac63e

SHA256
1d00e6fa51b9c92925608e667267e2747295ecaf5ed06ef835fba8224ef0a8c0

SHA512
28af4db2e29cb4d1e1c01487f9f19d86e258eba264e3fa287970b4a2e74d93692ae3bb2a5f14bc58f34a1f8f2721367ad7083c304887b79dbde5dc161a874624

Download Submit
memory/2392-8-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download
memory/2392-17-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download