1704d3bc65cab3412bb9950c9fe80fa981952931654ac5387436aca25d24b5cf

Analysis

max time kernel
121s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 17:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

41706e500793c5379bdeb78b9fd93f50.exe
Size

14KB
MD5

41706e500793c5379bdeb78b9fd93f50
SHA1

a0bf527b21764f56adb7742b1f829a5f689babb6
SHA256

1704d3bc65cab3412bb9950c9fe80fa981952931654ac5387436aca25d24b5cf
SHA512

22ad18e0fc456de912f1d2bb432946526cbf05408ea9187c4baaa2d4f6819031b78e71556f09e3a91cc646f8af771cc17157719b93ac562a396c25f2bd7d85de
SSDEEP

384:LTisU39l2k9kupsje9OxK7PKm3XUBHIYSMqXX4CfZ:LTp82k5uIOxwkBLSXnj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lweurqhx.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}"	41706e500793c5379bdeb78b9fd93f50.exe

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2412	41706e500793c5379bdeb78b9fd93f50.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lweurqhx.tmp	41706e500793c5379bdeb78b9fd93f50.exe
File opened for modification	C:\Windows\SysWOW64\lweurqhx.tmp	41706e500793c5379bdeb78b9fd93f50.exe
File opened for modification	C:\Windows\SysWOW64\lweurqhx.nls	41706e500793c5379bdeb78b9fd93f50.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32	41706e500793c5379bdeb78b9fd93f50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ = "C:\\Windows\\SysWow64\\lweurqhx.dll"	41706e500793c5379bdeb78b9fd93f50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ThreadingModel = "Apartment"	41706e500793c5379bdeb78b9fd93f50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}	41706e500793c5379bdeb78b9fd93f50.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2412	41706e500793c5379bdeb78b9fd93f50.exe
2412	41706e500793c5379bdeb78b9fd93f50.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2412	41706e500793c5379bdeb78b9fd93f50.exe
2412	41706e500793c5379bdeb78b9fd93f50.exe
2412	41706e500793c5379bdeb78b9fd93f50.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2556	2412	41706e500793c5379bdeb78b9fd93f50.exe	30
PID 2412 wrote to memory of 2556	2412	41706e500793c5379bdeb78b9fd93f50.exe	30
PID 2412 wrote to memory of 2556	2412	41706e500793c5379bdeb78b9fd93f50.exe	30
PID 2412 wrote to memory of 2556	2412	41706e500793c5379bdeb78b9fd93f50.exe	30

C:\Users\Admin\AppData\Local\Temp\41706e500793c5379bdeb78b9fd93f50.exe
"C:\Users\Admin\AppData\Local\Temp\41706e500793c5379bdeb78b9fd93f50.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\10E2.tmp.bat
  2⤵
  - Deletes itself
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10E2.tmp.bat

Filesize
179B

MD5
152ab291fb751862c223a34da297af11

SHA1
187c67a177ca5a9d13630542c784d855dea6a856

SHA256
aea82804c9246e93a65c53ce4c622cc11becb3b8454f8a24c5b02fe838157e74

SHA512
87150f31557365fe0391b4e9ca8589a5f4b81412fdb523965dd8cc99b1f32f7b0d3661be59ed5bb3a6325629965a7efa617f140f27e12d6f21a49447cc8cdde1

Download Submit
C:\Windows\SysWOW64\lweurqhx.nls

Filesize
428B

MD5
99a24facb7252a0fbdaee9c946244817

SHA1
e44eb6e99677926c372c9fd99326258f58b8da5a

SHA256
3e3309d3e67669ef8eefb00e032a4e0784ecf9b91482183bc5b494214f2f0156

SHA512
5dbb7e06df8ba7776b703da76c7087a996a7a092c34dfbb8fd7719f51bb29250875d27328331d0469c904f2c6305818cf4a695cbe51435cb3a88aa05139ba1c9

Download Submit
C:\Windows\SysWOW64\lweurqhx.tmp

Filesize
902KB

MD5
e8fa63a366617e059560934c8138f2bd

SHA1
051584f39032ea6f1e21e85fcd367f630a7eb3a8

SHA256
eac288d70730b582acd4db8ac3b580f99eff81268a6b6700e5b5da251c5d1af4

SHA512
806b2ad0e8e9aa827f68a4d2435dc592fe6e3a487c7f8a1b3927fd8269c9fbb6244f6b7d8194de4c4b7e492766c21229dac811f7742d9723f705ee4ef090e0d9

Download Submit
memory/2412-16-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2412-26-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download