68fe1d115283079e7dfcb475bd8e52d2b975679baf052ee05ecfa0c59061a137

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 07:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

485a26a9a3d993caa6f83ab747460518.exe
Size

15KB
MD5

485a26a9a3d993caa6f83ab747460518
SHA1

71a21ebf532dbca4a6fbc8db7335e32cab9b08b3
SHA256

68fe1d115283079e7dfcb475bd8e52d2b975679baf052ee05ecfa0c59061a137
SHA512

ce3f27c811a27b0bf17bf20dab4383ff661b374969c468173927f03bf3e44ad49ebaad133e0c3ae1c1ef05186f7a26fd3d8d9dabafe83dc317ff27f97a1f8983
SSDEEP

384:WqPKe+qWpQsSV/PpHgbcWP8Zxr25sG3I+wNAhYp+5:WTUYQ/P0VP8Zcg+waCm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kswqencg.dll = "{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}"	485a26a9a3d993caa6f83ab747460518.exe

Loads dropped DLL 1 IoCs

pid	Process
924	485a26a9a3d993caa6f83ab747460518.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kswqencg.tmp	485a26a9a3d993caa6f83ab747460518.exe
File opened for modification	C:\Windows\SysWOW64\kswqencg.tmp	485a26a9a3d993caa6f83ab747460518.exe
File opened for modification	C:\Windows\SysWOW64\kswqencg.nls	485a26a9a3d993caa6f83ab747460518.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}	485a26a9a3d993caa6f83ab747460518.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}\InProcServer32	485a26a9a3d993caa6f83ab747460518.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}\InProcServer32\ = "C:\\Windows\\SysWow64\\kswqencg.dll"	485a26a9a3d993caa6f83ab747460518.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}\InProcServer32\ThreadingModel = "Apartment"	485a26a9a3d993caa6f83ab747460518.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
924	485a26a9a3d993caa6f83ab747460518.exe
924	485a26a9a3d993caa6f83ab747460518.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
924	485a26a9a3d993caa6f83ab747460518.exe
924	485a26a9a3d993caa6f83ab747460518.exe
924	485a26a9a3d993caa6f83ab747460518.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 4208	924	485a26a9a3d993caa6f83ab747460518.exe	103
PID 924 wrote to memory of 4208	924	485a26a9a3d993caa6f83ab747460518.exe	103
PID 924 wrote to memory of 4208	924	485a26a9a3d993caa6f83ab747460518.exe	103

C:\Users\Admin\AppData\Local\Temp\485a26a9a3d993caa6f83ab747460518.exe
"C:\Users\Admin\AppData\Local\Temp\485a26a9a3d993caa6f83ab747460518.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BC99.tmp.bat
  2⤵
  PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\kswqencg.dll

Filesize
92KB

MD5
8defed5aaabb84c7e0a4a498e6bb3323

SHA1
22aa1563c7710c3ddb95ba4fbd4e820864c428c6

SHA256
558af215dd989159b70063be774e742987a698abd8764226833fefd8ef123eb0

SHA512
6626dc0d1a456ad5975cef9462885b1ad871130b3b2aae0d2fb506d40e383a3d08f0fd3aaf571fa410d249e8ca43947f69a140c69c50ab3cac689ccc19756229

Download Submit
C:\Windows\SysWOW64\kswqencg.nls

Filesize
428B

MD5
6938467f580348fdb6687074700927d8

SHA1
93c41d063f9c72b8a8d1c95a9189e63235c5d092

SHA256
49647f4510645df74e6adf738774455251911c6f6206668a4a725634b5597586

SHA512
fee5928d8f56cae57e82194b6d1ebcfa69124b78020e4a2cbf6c9f2c8f73fcbbb7fd88928327c27c83e62e35e3e0f13d32cccaf9e28ec25aa40beeff2846fe06

Download Submit
C:\Windows\SysWOW64\kswqencg.tmp

Filesize
382KB

MD5
9c0a7af1da3426cf30fb156f8b8dac29

SHA1
327e49f3cc622abeed51b1435514d6e1b117cc28

SHA256
60d4bfa774864128d2f04a2629577145648c9a6388e9b6e4e1bf9481656ca409

SHA512
d35dec11d16171915ebbf4d7d2c55d141f0ad96e5eb641e30a5502511a4b5077b633d35690a649b14284a3224ef0d1ccde431d7bcc135984283c053b24e75776

Download Submit
memory/924-17-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/924-21-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download