Analysis

  • max time kernel
    133s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 03:34

General

  • Target

    268d188d7b1f70bf429b088ee2ea249d.exe

  • Size

    14KB

  • MD5

    268d188d7b1f70bf429b088ee2ea249d

  • SHA1

    6fcd0f5b0daf293ebb28a358ca4b43a828ca917f

  • SHA256

    f4247e8555a5e4392dbf67566d5a8796741ef259ed1ad17cce7ed9e2d46b35fc

  • SHA512

    7d456dc5518e02dd506ea0f4c162daff36d07e1ecee87c24af4fe8b2ddceb950cb9da5a8b99ea51020a66153e62a1f1873432d46b47defa8610babbd7fbecaa5

  • SSDEEP

    384:ekmIM4hZjFnEsO1jlUs0/mPZR1z5G3lJIh:OuJnEs6mh/a75q2

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\268d188d7b1f70bf429b088ee2ea249d.exe
    "C:\Users\Admin\AppData\Local\Temp\268d188d7b1f70bf429b088ee2ea249d.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8393.tmp.bat
      2⤵
        PID:1244

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\8393.tmp.bat

      Filesize

      179B

      MD5

      9883c33929174aafc7e25c72c1cb19b2

      SHA1

      4a3d9c8c7676d61a3905c859a719c81dfbeb9abd

      SHA256

      a460a73e8929716ac524c56b05bd68acc5ed29c4ab67808c3b6bba40c5923c9a

      SHA512

      cda5f6fd8f7bdbc07e4437980dab422d64fa21905db9ea7b2924623fa3cd1135975659c677264b9fe082a352a8ba5f27f72f97900467de6f9a5af50129991bc5

    • C:\Windows\SysWOW64\ntgklwic.tmp

      Filesize

      2.4MB

      MD5

      fcdf2947c6b24d625ef20c46982922cf

      SHA1

      1b3c05788c3f6e11d2a715a74e239db3fe3fdedd

      SHA256

      a87da9154da57ff322ca9c7bc89f330c7c1be42c03af7acb20834a3f3bb7db5e

      SHA512

      9b7f5c7578e0353d0b0c3c92c709c7d61a15792b7159b45540a8cc2bbd49abb68e8f6d428efdc622be444201a8b085dac0dc3926d69d9ab7197dea4b02477e4b

    • memory/2092-13-0x0000000010000000-0x0000000010008000-memory.dmp

      Filesize

      32KB

    • memory/2092-18-0x0000000010000000-0x0000000010008000-memory.dmp

      Filesize

      32KB