cb75cd2e2d79867fc18db65d7f1c66ee9cf78c5e83de586ac2152cead23edb20

Analysis

max time kernel
147s
max time network
40s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3814e0fda56498bc7ab859fa7a0bb199.exe
Size

19KB
MD5

3814e0fda56498bc7ab859fa7a0bb199
SHA1

1ea7ba700e66c88956c030a94fc63c7e25163c81
SHA256

cb75cd2e2d79867fc18db65d7f1c66ee9cf78c5e83de586ac2152cead23edb20
SHA512

cf569fce62405bafd7c7b0336279dc64d2f64735722dbd7a8ba20cf99e4f79070a51621f9eb1b56b226887733c75baf908ea4b1fc9292da2ba6068e25049fa91
SSDEEP

384:KJPsIqheC38GM1q81g9OKEOU5rJ5lp7IC6/Y7mJSnRBgL//8r6+:KZsIYL8Gaq8+gOUrrlp72/YiEnRO/krV

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1032	3814e0fda56498bc7ab859fa7a0bb199.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zycdex.dll	3814e0fda56498bc7ab859fa7a0bb199.exe
File created	C:\Windows\SysWOW64\tf0	3814e0fda56498bc7ab859fa7a0bb199.exe
File opened for modification	C:\Windows\SysWOW64\zycdex.dll.LoG	3814e0fda56498bc7ab859fa7a0bb199.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\InProcServer32	3814e0fda56498bc7ab859fa7a0bb199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\InProcServer32\ = "C:\\Windows\\SysWow64\\zycdex.dll"	3814e0fda56498bc7ab859fa7a0bb199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	3814e0fda56498bc7ab859fa7a0bb199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	3814e0fda56498bc7ab859fa7a0bb199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	3814e0fda56498bc7ab859fa7a0bb199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS	3814e0fda56498bc7ab859fa7a0bb199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}	3814e0fda56498bc7ab859fa7a0bb199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\ = "MICROSOFT"	3814e0fda56498bc7ab859fa7a0bb199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER	3814e0fda56498bc7ab859fa7a0bb199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	3814e0fda56498bc7ab859fa7a0bb199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45AADFAA-DD36-42AB-83AD-0521BBF58C24}\InProcServer32\ThreadingModel = "Apartment"	3814e0fda56498bc7ab859fa7a0bb199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION	3814e0fda56498bc7ab859fa7a0bb199.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1032	3814e0fda56498bc7ab859fa7a0bb199.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1032	3814e0fda56498bc7ab859fa7a0bb199.exe
Token: SeRestorePrivilege	1032	3814e0fda56498bc7ab859fa7a0bb199.exe
Token: SeBackupPrivilege	1032	3814e0fda56498bc7ab859fa7a0bb199.exe
Token: SeRestorePrivilege	1032	3814e0fda56498bc7ab859fa7a0bb199.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1032	3814e0fda56498bc7ab859fa7a0bb199.exe
1032	3814e0fda56498bc7ab859fa7a0bb199.exe
1032	3814e0fda56498bc7ab859fa7a0bb199.exe

C:\Users\Admin\AppData\Local\Temp\3814e0fda56498bc7ab859fa7a0bb199.exe
"C:\Users\Admin\AppData\Local\Temp\3814e0fda56498bc7ab859fa7a0bb199.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\zycdex.dll

Filesize
220KB

MD5
951e9959e5e03cd55cd7676c6fd15a9e

SHA1
7d25c16bbea06943667c180e7601301cf7cb316f

SHA256
03c409d8fddeefcaab0ebe5a141a2d06416028df226c065247828a5fd8f72cc8

SHA512
36d3c291173f9e1f4d1d981cef5685c567281ede4f113dbe648326e49b2517d3d589afb10546a810687f637db50c002b3f5cbaed2593c9186d1a52ca81be8612

Download Submit
memory/1032-2-0x00000000002E0000-0x00000000002ED000-memory.dmp

Filesize
52KB

Download
memory/1032-5-0x00000000002E0000-0x00000000002ED000-memory.dmp

Filesize
52KB

Download
memory/1032-6-0x00000000002E0000-0x00000000002ED000-memory.dmp

Filesize
52KB

Download