d4a640246f33bf30af3be56e1d4bd7b52ed83411ba0112cc0120d3415c7fe685

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42e5ed1af4c7c8df4f779a607b930447.exe
Size

13KB
MD5

42e5ed1af4c7c8df4f779a607b930447
SHA1

4152a0bcd88df5cfccfc96b6fa87397fac5f7342
SHA256

d4a640246f33bf30af3be56e1d4bd7b52ed83411ba0112cc0120d3415c7fe685
SHA512

c8bb3f741d154813c5117e0711ac1aa2bbb526afec5c37fc0875ec89fbaf7842a7114e304a31c437bab7d84b5f6a9c156910b90a0827af53e3f0bcadbbc2bfcf
SSDEEP

192:fUtROT4A9G5NKCESj2S+HO/IVUdITidEzF/zGC2cwhat1KcU2Yj/6rNpmorT:fm9NESStO/IVwRdENKC2thMKR2UyuorT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ubrgpkot.dll = "{DA56B183-A731-402b-9235-2CB8803E212D}"	42e5ed1af4c7c8df4f779a607b930447.exe

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	42e5ed1af4c7c8df4f779a607b930447.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ubrgpkot.tmp	42e5ed1af4c7c8df4f779a607b930447.exe
File opened for modification	C:\Windows\SysWOW64\ubrgpkot.nls	42e5ed1af4c7c8df4f779a607b930447.exe
File created	C:\Windows\SysWOW64\ubrgpkot.tmp	42e5ed1af4c7c8df4f779a607b930447.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}	42e5ed1af4c7c8df4f779a607b930447.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32	42e5ed1af4c7c8df4f779a607b930447.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32\ = "C:\\Windows\\SysWow64\\ubrgpkot.dll"	42e5ed1af4c7c8df4f779a607b930447.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32\ThreadingModel = "Apartment"	42e5ed1af4c7c8df4f779a607b930447.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	42e5ed1af4c7c8df4f779a607b930447.exe
2968	42e5ed1af4c7c8df4f779a607b930447.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2968	42e5ed1af4c7c8df4f779a607b930447.exe
2968	42e5ed1af4c7c8df4f779a607b930447.exe
2968	42e5ed1af4c7c8df4f779a607b930447.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2820	2968	42e5ed1af4c7c8df4f779a607b930447.exe	29
PID 2968 wrote to memory of 2820	2968	42e5ed1af4c7c8df4f779a607b930447.exe	29
PID 2968 wrote to memory of 2820	2968	42e5ed1af4c7c8df4f779a607b930447.exe	29
PID 2968 wrote to memory of 2820	2968	42e5ed1af4c7c8df4f779a607b930447.exe	29

C:\Users\Admin\AppData\Local\Temp\42e5ed1af4c7c8df4f779a607b930447.exe
"C:\Users\Admin\AppData\Local\Temp\42e5ed1af4c7c8df4f779a607b930447.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\B193.tmp.bat
  2⤵
  - Deletes itself
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B193.tmp.bat

Filesize
179B

MD5
dd47bbc018400e159660af65178c6dbf

SHA1
7ea28999ed365b3c6f201cbe71fb2583aa8525fd

SHA256
6ce4dea25cfb36fdb9b020938cd7b2850d5270c081e9e1a25748a6fb244a0e73

SHA512
3eb2af15279723ed36dbd28faac19997f4d13268080046b7011dcd27ec406c4f914d6745a29f20294fe4fb49351b2d95e78cbe27c132a2d70ba7adf44d395ccf

Download Submit
C:\Windows\SysWOW64\ubrgpkot.tmp

Filesize
14KB

MD5
2a9b39dae05ea51a6ccc861b02dd8fca

SHA1
0d93b9d94d1f86bd28a664dfc94906e23b630929

SHA256
b77dec88b35173efbedcb397ea90a34ec6d62bf3dca178e4723c7b5c80331acf

SHA512
5ea9a567a29210527dbc24caca18ecd76807cc9bef2f82cb2a97201afb017702110eb7dd689a5a956d266e7dd4e2d0a7c496c12e3250d195b3c7ea4b1af1bc77

Download Submit
\Windows\SysWOW64\ubrgpkot.dll

Filesize
45KB

MD5
804e0c1d53e51b5150ff84189649dc0d

SHA1
2a97d632c50a67c1a46abe0e0d2ddb281aaaad3f

SHA256
582c832a9548519c68e75ed86170e0d163311a1d02b0e34fb411825bbe0f03cb

SHA512
4e490d0adfbca24be3f25a90e8a3c5e4b39091f4b193ba46ab1bfbc87dc52e171b829733a654f55fcf4fcb6510806cb424c0187e3fe02f4fc55cda6583b45777

Download Submit
memory/2968-12-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2968-21-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download