059868802debc37b232027336a6980d2fcba2c6cd0e3ec73dfbe7459c7222626

Analysis

max time kernel
121s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

446824e505af8e341e4cbe8b48b416bc.exe
Size

9KB
MD5

446824e505af8e341e4cbe8b48b416bc
SHA1

64c013a01c2a42d87003c420da334355f70c3a79
SHA256

059868802debc37b232027336a6980d2fcba2c6cd0e3ec73dfbe7459c7222626
SHA512

15276ee4445cb7b2f1acff284e798640771ad61658f32cb9c85167657491708996413accb6a2f1bba5ed8f24632ac2fbbfa838bf2d865851196faebe164725a9
SSDEEP

192:UAhUJOeBfmrRlTf5nATOSQKEPRDsjnhVIFHaG9:UAhU4FVj5Dsjnh0H9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\midimaptl = "{4F4F0064-71E0-4f0d-0017-708476C7815F}"	446824e505af8e341e4cbe8b48b416bc.exe

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1796	446824e505af8e341e4cbe8b48b416bc.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\midimaptl.tmp	446824e505af8e341e4cbe8b48b416bc.exe
File opened for modification	C:\Windows\SysWOW64\midimaptl.dat	446824e505af8e341e4cbe8b48b416bc.exe
File created	C:\Windows\SysWOW64\midimaptl.tmp	446824e505af8e341e4cbe8b48b416bc.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F4F0064-71E0-4f0d-0017-708476C7815F}\InProcServer32	446824e505af8e341e4cbe8b48b416bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F4F0064-71E0-4f0d-0017-708476C7815F}\InProcServer32\ = "C:\\Windows\\SysWow64\\midimaptl.dll"	446824e505af8e341e4cbe8b48b416bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F4F0064-71E0-4f0d-0017-708476C7815F}\InProcServer32\ThreadingModel = "Apartment"	446824e505af8e341e4cbe8b48b416bc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F4F0064-71E0-4f0d-0017-708476C7815F}	446824e505af8e341e4cbe8b48b416bc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1796	446824e505af8e341e4cbe8b48b416bc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1796	446824e505af8e341e4cbe8b48b416bc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2752	1796	446824e505af8e341e4cbe8b48b416bc.exe	28
PID 1796 wrote to memory of 2752	1796	446824e505af8e341e4cbe8b48b416bc.exe	28
PID 1796 wrote to memory of 2752	1796	446824e505af8e341e4cbe8b48b416bc.exe	28
PID 1796 wrote to memory of 2752	1796	446824e505af8e341e4cbe8b48b416bc.exe	28

C:\Users\Admin\AppData\Local\Temp\446824e505af8e341e4cbe8b48b416bc.exe
"C:\Users\Admin\AppData\Local\Temp\446824e505af8e341e4cbe8b48b416bc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\563B.tmp.bat
  2⤵
  - Deletes itself
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\563B.tmp.bat

Filesize
179B

MD5
5f75b8cc1bd086ec994a0eb945e21cda

SHA1
a333c9c30d7f7686d9d4eedbccaf663b93286076

SHA256
6025a80b0d9b537caec446ac58179a966ab43ab3cec516c191297cc38515b33e

SHA512
845f40d663e029b38a48319267f022b5ab7b62e5ee602c1398d3b6342f65956395bdbf2d2fb0df662faf340243b59275ab0ec3ea4fd883f9a206bde8ccd2c06b

Download Submit
C:\Windows\SysWOW64\midimaptl.tmp

Filesize
1.0MB

MD5
36cf6d0e77cd7ca5733dbd2130258e9c

SHA1
eb54774df620c2a6c805d1d297e38a18432701c9

SHA256
5edc6b2668dd1c479bd23bcfa137cfa1434ad09d9637672163e08e8626a03e87

SHA512
71bd50db14360d84fbbffb3acacc57f086c0ed682925edc2fd325fd0acab1b33a1899728530d09d9917bebd28720e1fca664d743f26ed5ac147b3f2e1f84e7d2

Download Submit