90321be8cee235e44256be0128519bca1eaebf5b52880a1c0d9b3d087795c489

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4770b1b34dd46ebbf01d2aae352cd199.exe
Size

11KB
MD5

4770b1b34dd46ebbf01d2aae352cd199
SHA1

ad4d4e37a5c071c3f0ca064bae415a5f1e7f53bb
SHA256

90321be8cee235e44256be0128519bca1eaebf5b52880a1c0d9b3d087795c489
SHA512

7ff45339d8d1f1a91e8388d27c94672d9989b20eb65c147d6e0d0ca64cccc5f66295ba4e2dab4cff46e8665c71208f304b7a2d3579714cd22346f9004dff4b30
SSDEEP

192:Iuh4jDHPGc0eFNzdXYmpE3pTmTIWU8HWqOANOXMde61EattPmXFNYf+553N5kVmm:mjDOc0eb6m8ZmT3U4Wq9O9+EUtPSFNYn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kbdswjr.dll = "{00120012-0012-0012-0012-00120012BB15}"	4770b1b34dd46ebbf01d2aae352cd199.exe

Loads dropped DLL 1 IoCs

pid	Process
2464	4770b1b34dd46ebbf01d2aae352cd199.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kbdswjr.tmp	4770b1b34dd46ebbf01d2aae352cd199.exe
File opened for modification	C:\Windows\SysWOW64\kbdswjr.tmp	4770b1b34dd46ebbf01d2aae352cd199.exe
File opened for modification	C:\Windows\SysWOW64\kbdswjr.nls	4770b1b34dd46ebbf01d2aae352cd199.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00120012-0012-0012-0012-00120012BB15}	4770b1b34dd46ebbf01d2aae352cd199.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00120012-0012-0012-0012-00120012BB15}\InProcServer32	4770b1b34dd46ebbf01d2aae352cd199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00120012-0012-0012-0012-00120012BB15}\InProcServer32\ = "C:\\Windows\\SysWow64\\kbdswjr.dll"	4770b1b34dd46ebbf01d2aae352cd199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00120012-0012-0012-0012-00120012BB15}\InProcServer32\ThreadingModel = "Apartment"	4770b1b34dd46ebbf01d2aae352cd199.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2464	4770b1b34dd46ebbf01d2aae352cd199.exe
2464	4770b1b34dd46ebbf01d2aae352cd199.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2464	4770b1b34dd46ebbf01d2aae352cd199.exe
2464	4770b1b34dd46ebbf01d2aae352cd199.exe
2464	4770b1b34dd46ebbf01d2aae352cd199.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4964	2464	4770b1b34dd46ebbf01d2aae352cd199.exe	99
PID 2464 wrote to memory of 4964	2464	4770b1b34dd46ebbf01d2aae352cd199.exe	99
PID 2464 wrote to memory of 4964	2464	4770b1b34dd46ebbf01d2aae352cd199.exe	99

C:\Users\Admin\AppData\Local\Temp\4770b1b34dd46ebbf01d2aae352cd199.exe
"C:\Users\Admin\AppData\Local\Temp\4770b1b34dd46ebbf01d2aae352cd199.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\EF32.tmp.bat
  2⤵
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EF32.tmp.bat

Filesize
179B

MD5
cc18dd1180d972b944d9adb3627fcab8

SHA1
8c75b492b1e3b9ccf3d60d9abdd90bc8136e4009

SHA256
7f5b3f0020be23a8b657d8649688fb70fc24b90497074cf6c100a7296b97303e

SHA512
1569074aabf4dd6d39487ca142baba9dbeaf04ec4a40d161ebcb806137fa9dd003543568fa9461fac4c5ea1f2808d41c6ba6dfbcf0562657e69b8edf19a5107f

Download Submit
C:\Windows\SysWOW64\kbdswjr.dll

Filesize
370KB

MD5
9e92f8a6ebbee1ed68f58cd9a7c48cf6

SHA1
1885dcd1899ba640719ac24c37b332cddfd382f2

SHA256
d165199c2e1da9dbb08abf76119cb7f18092c6778686f9ef4477fd97f3c693d5

SHA512
c4244c1478f462d59598b6fc278a78dd35f451cffb39b159dcbafd14f53c9c04b0169cea0c5f290961a5f9ecd7f7f80629686f237d734c19abd956590ad26d79

Download Submit
C:\Windows\SysWOW64\kbdswjr.tmp

Filesize
461KB

MD5
911895399d0abeb869242783e5de09f9

SHA1
63f73fea40e8e656b7c99bb4514eddc69a8e5fd0

SHA256
38325dc64e58b8b81427a5920ecc648b951148e19ee0f723f1987580205cfe6a

SHA512
1182d5e1cf79d541dc6d9d2d3ac541f61cf402d3eca585df38260451759f6237b034b9bac3f9c533f0fa010f8b33294cec5a72938608cbc65491f4df1e197377

Download Submit
memory/2464-13-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2464-17-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download