842e3e2b82891cf3b7908dfe43a1840b18040094ebda71313d856850c518e5b9

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

389dd6774199531cb7f8ef9e9d4a7e25.exe
Size

14KB
MD5

389dd6774199531cb7f8ef9e9d4a7e25
SHA1

d90df6efdd4e2694af60894689ac952aae59b982
SHA256

842e3e2b82891cf3b7908dfe43a1840b18040094ebda71313d856850c518e5b9
SHA512

9f2dc536d0293a469bd3d8775ba15728cff7c6f6ad8b00b37966629a5a98bbaf3c41a48022d10c20c891d1d39b233029c586ac1933bbd3576c4265102513bf3d
SSDEEP

384:qqPKe+NmiOtoCOQFuZqhYE1Ff4zvekexbb10s1Ga:qTHmiOtDOQD7Dfm2kg0s/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cnuxexvl.dll = "{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}"	389dd6774199531cb7f8ef9e9d4a7e25.exe

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	389dd6774199531cb7f8ef9e9d4a7e25.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cnuxexvl.tmp	389dd6774199531cb7f8ef9e9d4a7e25.exe
File opened for modification	C:\Windows\SysWOW64\cnuxexvl.nls	389dd6774199531cb7f8ef9e9d4a7e25.exe
File created	C:\Windows\SysWOW64\cnuxexvl.tmp	389dd6774199531cb7f8ef9e9d4a7e25.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}	389dd6774199531cb7f8ef9e9d4a7e25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}\InProcServer32	389dd6774199531cb7f8ef9e9d4a7e25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}\InProcServer32\ = "C:\\Windows\\SysWow64\\cnuxexvl.dll"	389dd6774199531cb7f8ef9e9d4a7e25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}\InProcServer32\ThreadingModel = "Apartment"	389dd6774199531cb7f8ef9e9d4a7e25.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2336	389dd6774199531cb7f8ef9e9d4a7e25.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2336	389dd6774199531cb7f8ef9e9d4a7e25.exe
2336	389dd6774199531cb7f8ef9e9d4a7e25.exe
2336	389dd6774199531cb7f8ef9e9d4a7e25.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2712	2336	389dd6774199531cb7f8ef9e9d4a7e25.exe	28
PID 2336 wrote to memory of 2712	2336	389dd6774199531cb7f8ef9e9d4a7e25.exe	28
PID 2336 wrote to memory of 2712	2336	389dd6774199531cb7f8ef9e9d4a7e25.exe	28
PID 2336 wrote to memory of 2712	2336	389dd6774199531cb7f8ef9e9d4a7e25.exe	28

C:\Users\Admin\AppData\Local\Temp\389dd6774199531cb7f8ef9e9d4a7e25.exe
"C:\Users\Admin\AppData\Local\Temp\389dd6774199531cb7f8ef9e9d4a7e25.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\DBCE.tmp.bat
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DBCE.tmp.bat

Filesize
179B

MD5
7f8972907473fcaedc874c83bc4f38f3

SHA1
2927b19fd39a97da171f0d602b07afadb78b9459

SHA256
f9f2c64d967be9ba4835ccc1128e481eff329faef86c0c0564f87f090bb9970f

SHA512
2e4ac0f31e58b1edb0e37b998cde7caef14c928278366904f345b0e6fb288dfef042ba99d166f0d31cb4f88454e62bb9a924506bf9d944997944e00d9b7593a0

Download Submit
C:\Windows\SysWOW64\cnuxexvl.nls

Filesize
428B

MD5
1be6c1c1dae4d2fb4092c80889f37e0c

SHA1
5afd8914e6652cbc05ccbd2d71a3f535e6cbc06f

SHA256
74e2e2c719f37b49938b580f607024e57f2518edb12b1fc3970aa4fc38966517

SHA512
33721e8f06ec2986a60e5ac1db7c7666a0f48ff2fcd5e0608da58ae52d69826f3762c7757450e96f05341f1190d3ab1693d4170fb9b7a4545d358f2887e12290

Download Submit
C:\Windows\SysWOW64\cnuxexvl.tmp

Filesize
2.1MB

MD5
324eb7871ee9e60ca952bf3c5d724f24

SHA1
6a68fd4c04ab1a16b4f205a323dac55a2702d585

SHA256
59f8b08b5ba75548f2230c2cb5c7377bc808433ee35f20fb0b8d101b083e964c

SHA512
04d7cf82b04865f03579d878d36b091cf7210b6bc851c8402fe44411b60ba553f84766674700318725c7ff28dd28bfc217edc46b2e9c92b82a81b49d1e3de898

Download Submit
memory/2336-16-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/2336-25-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download