a0b3029ef95920dd4eb1ef67a2e821bd23feaaf1f2f13e2f746ccde0876a53d5

Analysis

max time kernel
122s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba44707d43afa39d3e84661688cb30c.exe
Size

104KB
MD5

3ba44707d43afa39d3e84661688cb30c
SHA1

00bbd759ea3e8905b742d76ba4da16684cd30192
SHA256

a0b3029ef95920dd4eb1ef67a2e821bd23feaaf1f2f13e2f746ccde0876a53d5
SHA512

40445858efcaa4bf97381112fdb745af514cdfed75321745c882399bd6e55b37273643b3e6e790415511b534a735b445091bf57fc6d52cfcb0a04a36985bd2e8
SSDEEP

768:m7Gm0wqdsPh0vNt4vWbbvKmMmdZR7Gm0wqdZsUjjHS+KYxjn1i:mKmPY+01tRbTKkd3KmPYGU6Glc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tscfgwmijxsj.dll = "{00330033-0033-0033-0033-00330033BB15}"	3ba44707d43afa39d3e84661688cb30c.exe

Deletes itself 1 IoCs

pid	Process
2460	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2484	3ba44707d43afa39d3e84661688cb30c.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	3ba44707d43afa39d3e84661688cb30c.exe
File opened for modification	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	3ba44707d43afa39d3e84661688cb30c.exe
File opened for modification	C:\Windows\SysWOW64\tscfgwmijxsj.nls	3ba44707d43afa39d3e84661688cb30c.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00330033-0033-0033-0033-00330033BB15}\InProcServer32\ThreadingModel = "Apartment"	3ba44707d43afa39d3e84661688cb30c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00330033-0033-0033-0033-00330033BB15}	3ba44707d43afa39d3e84661688cb30c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00330033-0033-0033-0033-00330033BB15}\InProcServer32	3ba44707d43afa39d3e84661688cb30c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00330033-0033-0033-0033-00330033BB15}\InProcServer32\ = "C:\\Windows\\SysWow64\\tscfgwmijxsj.dll"	3ba44707d43afa39d3e84661688cb30c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2484	3ba44707d43afa39d3e84661688cb30c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	3ba44707d43afa39d3e84661688cb30c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2460	2484	3ba44707d43afa39d3e84661688cb30c.exe	31
PID 2484 wrote to memory of 2460	2484	3ba44707d43afa39d3e84661688cb30c.exe	31
PID 2484 wrote to memory of 2460	2484	3ba44707d43afa39d3e84661688cb30c.exe	31
PID 2484 wrote to memory of 2460	2484	3ba44707d43afa39d3e84661688cb30c.exe	31

C:\Users\Admin\AppData\Local\Temp\3ba44707d43afa39d3e84661688cb30c.exe
"C:\Users\Admin\AppData\Local\Temp\3ba44707d43afa39d3e84661688cb30c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\1D02.tmp.bat
  2⤵
  - Deletes itself
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D02.tmp.bat

Filesize
179B

MD5
4be3e3d57ca5c7ae60879e850635fa60

SHA1
6a532dd6cbf029223ddc749ae45143537119f378

SHA256
0ca1eb22ba227c37d70454d6f501f4b228f67708a3a01fe4e97774644a43af65

SHA512
629831af65b8ee25b3b1558323e99e1494487dd0cdfe504534313f83c307dca25930e5931767852346da8ebd4a3f16f2b0649587f9f2ebc81adde3a37a49941e

Download Submit
C:\Windows\SysWOW64\tscfgwmijxsj.nls

Filesize
428B

MD5
eabe180c010f1b39e2f7fe4511c3221b

SHA1
bf458b4c13c8e5d99f2fb5984774ee199e848d17

SHA256
bb59f8a7f7c745373c42a50ffa11d51e82b1bcb4786bde5dc927dcd0ce1e0390

SHA512
2909cbf833eaa401ba4d6752dfe6a7724ae79d1ceaac9eb9d884022f7db2a884de2e19cdf04f7a6517da12b880625fa6efa250c5bfb575b080f73fd8717e7d7d

Download Submit
C:\Windows\SysWOW64\tscfgwmijxsj.tmp

Filesize
37KB

MD5
8a927082adf34bd33294eee4c8a15622

SHA1
e50874d5ce5328c72af53fede67993b2af41858d

SHA256
25a77034d1bb48f000d1bf4dabb6c3b0c69069f5cd9432bcdc091bf512685539

SHA512
f79ae3646a6ccd27b20764a6ec349077b922a94d10910d749c33a02270a949dcb3b4085ebb93432dfa412f497524c4b695d4f38ab0d23e65ca408477dcf53be0

Download Submit
\Windows\SysWOW64\tscfgwmijxsj.dll

Filesize
25KB

MD5
be989c9153dc22658991c05686b7baf3

SHA1
694bd3229ce61fb6bd2ac2cb3fdf3b823f845d12

SHA256
cecb0201a39a3047e374cbbb33f78881ef9683b37f83a01166b7b6361b29b627

SHA512
00c4cad90c883767503ace602ae605cd95ecd4c517e147ba71c03cd74ea161032279ff393f93521e1c50a4a1794f7a5ddef000427be0fde6ee8ce2030dd20f91

Download Submit