dce9f4393ef3f7587f5ef5975da28f48beacbd86762bc8edd8a5a63bccd4cbd7

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bcd09cc1b6e3c2c89d974778fc5b97e.exe
Size

48KB
MD5

2bcd09cc1b6e3c2c89d974778fc5b97e
SHA1

9c2ab5ee8496eab8e9d2b3224cd58077315096ac
SHA256

dce9f4393ef3f7587f5ef5975da28f48beacbd86762bc8edd8a5a63bccd4cbd7
SHA512

62832266f58b2037da9d7e40f63c62e370f5cfa478f8e5cfc00ec0af811ddda02ee051235dcfa243c0a5701a9add7874ed37841551b4460a431409eca416af9c
SSDEEP

768:/d6E+WFOTkRDyWKpoDG4hu1crBXBovves9:/djvSxUAvf

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
4540	delnicek.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\delnice.dll	2bcd09cc1b6e3c2c89d974778fc5b97e.exe
File created	C:\Windows\SysWOW64\delnicek.exe	2bcd09cc1b6e3c2c89d974778fc5b97e.exe
File opened for modification	C:\Windows\SysWOW64\delnicek.exe	2bcd09cc1b6e3c2c89d974778fc5b97e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4540	1964	2bcd09cc1b6e3c2c89d974778fc5b97e.exe	89
PID 1964 wrote to memory of 4540	1964	2bcd09cc1b6e3c2c89d974778fc5b97e.exe	89
PID 1964 wrote to memory of 4540	1964	2bcd09cc1b6e3c2c89d974778fc5b97e.exe	89
PID 1964 wrote to memory of 2688	1964	2bcd09cc1b6e3c2c89d974778fc5b97e.exe	92
PID 1964 wrote to memory of 2688	1964	2bcd09cc1b6e3c2c89d974778fc5b97e.exe	92
PID 1964 wrote to memory of 2688	1964	2bcd09cc1b6e3c2c89d974778fc5b97e.exe	92

C:\Users\Admin\AppData\Local\Temp\2bcd09cc1b6e3c2c89d974778fc5b97e.exe
"C:\Users\Admin\AppData\Local\Temp\2bcd09cc1b6e3c2c89d974778fc5b97e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\delnicek.exe
  C:\Windows\system32\delnicek.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2bcd09cc1b6e3c2c89d974778fc5b97e.exe.bat
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2bcd09cc1b6e3c2c89d974778fc5b97e.exe.bat

Filesize
182B

MD5
3b9ff623bead9d49d3e830d8d97b7805

SHA1
8886b30e40e0c5fb56d98b019c8c747061bb4e86

SHA256
c846890765f36d4089c36227e63ce1c510a5ff752b06bdb07014d7c6882f55ab

SHA512
aa16b096efc2531c80e7052867353714b1bfdfc2aa36bc2a304e5e870b65acc84e2637500d1609d69860d30e18667a07a19541748e506d5a1137482dcaf2d980

Download Submit
C:\Windows\SysWOW64\delnicek.exe

Filesize
48KB

MD5
2bcd09cc1b6e3c2c89d974778fc5b97e

SHA1
9c2ab5ee8496eab8e9d2b3224cd58077315096ac

SHA256
dce9f4393ef3f7587f5ef5975da28f48beacbd86762bc8edd8a5a63bccd4cbd7

SHA512
62832266f58b2037da9d7e40f63c62e370f5cfa478f8e5cfc00ec0af811ddda02ee051235dcfa243c0a5701a9add7874ed37841551b4460a431409eca416af9c

Download Submit