c2aaf8b48dc09f3c00ebbb33ff90549b87250cc5c9b0d8835b0c61ca166d5387

Analysis

max time kernel
119s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 15:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

46958cc6e5a2b5c6f8a23d65162d495b.exe
Size

14KB
MD5

46958cc6e5a2b5c6f8a23d65162d495b
SHA1

55a8d5f5d02d56582c1a09b5231c25a264467ea3
SHA256

c2aaf8b48dc09f3c00ebbb33ff90549b87250cc5c9b0d8835b0c61ca166d5387
SHA512

469e130459b347e1c46cb8fee3e8c60138d42abf2e0cee0817373be495ef7fc7b722a3b709f23c40b7244f2b7ae7fcc0de662ec4c9bf439762178e0c427e3184
SSDEEP

192:/d4INIET+U77Wib6bKspqmYREJpjfA6tpSLmCxTG+kX7j4D0pI8xaZmvkB3sgr:m8IPo7WiubtEhEHDbFCxa+/oZWlxtr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cliconfgzx.dll = "{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}"	46958cc6e5a2b5c6f8a23d65162d495b.exe

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	46958cc6e5a2b5c6f8a23d65162d495b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.tmp	46958cc6e5a2b5c6f8a23d65162d495b.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.nls	46958cc6e5a2b5c6f8a23d65162d495b.exe
File created	C:\Windows\SysWOW64\cliconfgzx.tmp	46958cc6e5a2b5c6f8a23d65162d495b.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32	46958cc6e5a2b5c6f8a23d65162d495b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ = "C:\\Windows\\SysWow64\\cliconfgzx.dll"	46958cc6e5a2b5c6f8a23d65162d495b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ThreadingModel = "Apartment"	46958cc6e5a2b5c6f8a23d65162d495b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}	46958cc6e5a2b5c6f8a23d65162d495b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1972	46958cc6e5a2b5c6f8a23d65162d495b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1972	46958cc6e5a2b5c6f8a23d65162d495b.exe
1972	46958cc6e5a2b5c6f8a23d65162d495b.exe
1972	46958cc6e5a2b5c6f8a23d65162d495b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2608	1972	46958cc6e5a2b5c6f8a23d65162d495b.exe	30
PID 1972 wrote to memory of 2608	1972	46958cc6e5a2b5c6f8a23d65162d495b.exe	30
PID 1972 wrote to memory of 2608	1972	46958cc6e5a2b5c6f8a23d65162d495b.exe	30
PID 1972 wrote to memory of 2608	1972	46958cc6e5a2b5c6f8a23d65162d495b.exe	30

C:\Users\Admin\AppData\Local\Temp\46958cc6e5a2b5c6f8a23d65162d495b.exe
"C:\Users\Admin\AppData\Local\Temp\46958cc6e5a2b5c6f8a23d65162d495b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ADA.tmp.bat
  2⤵
  - Deletes itself
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADA.tmp.bat

Filesize
179B

MD5
cbc150dfb43405cce6ffedd6612ea199

SHA1
e0bda49b659e969e421e8d6f51b44f8ec2ccb4d5

SHA256
4b2cb17a3116c080a80676b6413b18adba8b6f34dae1f6aeeb1b4c87d2f0abcd

SHA512
e1f24b05b85b873cc2500deced4dd601613a5c4307507e033f85b27f558f3518a610e225dd9108c2d6570cece05ddb603bf0cdd781d17daeda84ce008311989f

Download Submit
C:\Windows\SysWOW64\cliconfgzx.dll

Filesize
2.2MB

MD5
70d012757a02cb9c6ea7905443cacacb

SHA1
3862280e3a6e089d0f17b6eb23af125cf003010f

SHA256
e5d8a6329fe9c80f76bca035738ba5e50df65722685bd5f6d8841f8a60f928ff

SHA512
1a74081899ec5da1783b3624b77fec6e567408c4a1c7974878f1b780cf0d85b1d8d911ee64d387f2e8ce35a4fb30f509ab672e17e024406a2939916e9f3e5b72

Download Submit
memory/1972-8-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/1972-17-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download