1704d3bc65cab3412bb9950c9fe80fa981952931654ac5387436aca25d24b5cf

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 17:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

41706e500793c5379bdeb78b9fd93f50.exe
Size

14KB
MD5

41706e500793c5379bdeb78b9fd93f50
SHA1

a0bf527b21764f56adb7742b1f829a5f689babb6
SHA256

1704d3bc65cab3412bb9950c9fe80fa981952931654ac5387436aca25d24b5cf
SHA512

22ad18e0fc456de912f1d2bb432946526cbf05408ea9187c4baaa2d4f6819031b78e71556f09e3a91cc646f8af771cc17157719b93ac562a396c25f2bd7d85de
SSDEEP

384:LTisU39l2k9kupsje9OxK7PKm3XUBHIYSMqXX4CfZ:LTp82k5uIOxwkBLSXnj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lweurqhx.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}"	41706e500793c5379bdeb78b9fd93f50.exe

Loads dropped DLL 1 IoCs

pid	Process
3644	41706e500793c5379bdeb78b9fd93f50.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lweurqhx.tmp	41706e500793c5379bdeb78b9fd93f50.exe
File opened for modification	C:\Windows\SysWOW64\lweurqhx.tmp	41706e500793c5379bdeb78b9fd93f50.exe
File opened for modification	C:\Windows\SysWOW64\lweurqhx.nls	41706e500793c5379bdeb78b9fd93f50.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}	41706e500793c5379bdeb78b9fd93f50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32	41706e500793c5379bdeb78b9fd93f50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ = "C:\\Windows\\SysWow64\\lweurqhx.dll"	41706e500793c5379bdeb78b9fd93f50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ThreadingModel = "Apartment"	41706e500793c5379bdeb78b9fd93f50.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3644	41706e500793c5379bdeb78b9fd93f50.exe
3644	41706e500793c5379bdeb78b9fd93f50.exe
3644	41706e500793c5379bdeb78b9fd93f50.exe
3644	41706e500793c5379bdeb78b9fd93f50.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3644	41706e500793c5379bdeb78b9fd93f50.exe
3644	41706e500793c5379bdeb78b9fd93f50.exe
3644	41706e500793c5379bdeb78b9fd93f50.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 5084	3644	41706e500793c5379bdeb78b9fd93f50.exe	95
PID 3644 wrote to memory of 5084	3644	41706e500793c5379bdeb78b9fd93f50.exe	95
PID 3644 wrote to memory of 5084	3644	41706e500793c5379bdeb78b9fd93f50.exe	95

C:\Users\Admin\AppData\Local\Temp\41706e500793c5379bdeb78b9fd93f50.exe
"C:\Users\Admin\AppData\Local\Temp\41706e500793c5379bdeb78b9fd93f50.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\E687.tmp.bat
  2⤵
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E687.tmp.bat

Filesize
179B

MD5
152ab291fb751862c223a34da297af11

SHA1
187c67a177ca5a9d13630542c784d855dea6a856

SHA256
aea82804c9246e93a65c53ce4c622cc11becb3b8454f8a24c5b02fe838157e74

SHA512
87150f31557365fe0391b4e9ca8589a5f4b81412fdb523965dd8cc99b1f32f7b0d3661be59ed5bb3a6325629965a7efa617f140f27e12d6f21a49447cc8cdde1

Download Submit
C:\Windows\SysWOW64\lweurqhx.nls

Filesize
428B

MD5
99a24facb7252a0fbdaee9c946244817

SHA1
e44eb6e99677926c372c9fd99326258f58b8da5a

SHA256
3e3309d3e67669ef8eefb00e032a4e0784ecf9b91482183bc5b494214f2f0156

SHA512
5dbb7e06df8ba7776b703da76c7087a996a7a092c34dfbb8fd7719f51bb29250875d27328331d0469c904f2c6305818cf4a695cbe51435cb3a88aa05139ba1c9

Download Submit
C:\Windows\SysWOW64\lweurqhx.tmp

Filesize
529KB

MD5
7fa44ff9cd4cf210113fe1d40090ec47

SHA1
3cdb651b4d296dfbc2e449d221a9c50a8c6fa566

SHA256
7aa920fc7ba55ab82981cf3c20c08d46414b02737678be7cdac8521e2062416f

SHA512
9f3b392847588c46c66560d4d64126ec3aa6e18286984338e1ee56ab3846f90634665f0807603c7e8e9c0c9001ab8ae109855606ab2bacd926ce988f23685a76

Download Submit
memory/3644-17-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/3644-21-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download