a1ceddc9d7da293f5407e7a5ade3e15c3469f2edcb34571e1d013faad18a005b

General

Target

4887672fa6fd896dbf012cfa1bae2a01.exe
Size

13KB
MD5

4887672fa6fd896dbf012cfa1bae2a01
SHA1

cd859d5971869a7e0525c4d6dc4af83a52347f95
SHA256

a1ceddc9d7da293f5407e7a5ade3e15c3469f2edcb34571e1d013faad18a005b
SHA512

eff6ae3ac8dc94741ff984901d5ba2bec329a24fcaef5bfea9b30c64271d1bd9a0018ec4e987aa222a9d9256cfee2ee4ec1fb088f733cef407ac9d3fc141a431
SSDEEP

384:81a5rf+4/Q748EUZXORGGLno3T9oqjbZI6ufkZ87T5f:81a5wVlcRG4avy6FZ87TJ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\catsrvwl.dll = "{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}"	4887672fa6fd896dbf012cfa1bae2a01.exe

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2400	4887672fa6fd896dbf012cfa1bae2a01.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\catsrvwl.tmp	4887672fa6fd896dbf012cfa1bae2a01.exe
File opened for modification	C:\Windows\SysWOW64\catsrvwl.tmp	4887672fa6fd896dbf012cfa1bae2a01.exe
File opened for modification	C:\Windows\SysWOW64\catsrvwl.nls	4887672fa6fd896dbf012cfa1bae2a01.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}	4887672fa6fd896dbf012cfa1bae2a01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}\InProcServer32	4887672fa6fd896dbf012cfa1bae2a01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}\InProcServer32\ = "C:\\Windows\\SysWow64\\catsrvwl.dll"	4887672fa6fd896dbf012cfa1bae2a01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF976DCD-754F-4ac2-BE49-951DC7AA57D2}\InProcServer32\ThreadingModel = "Apartment"	4887672fa6fd896dbf012cfa1bae2a01.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2400	4887672fa6fd896dbf012cfa1bae2a01.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2400	4887672fa6fd896dbf012cfa1bae2a01.exe
2400	4887672fa6fd896dbf012cfa1bae2a01.exe
2400	4887672fa6fd896dbf012cfa1bae2a01.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2616	2400	4887672fa6fd896dbf012cfa1bae2a01.exe	28
PID 2400 wrote to memory of 2616	2400	4887672fa6fd896dbf012cfa1bae2a01.exe	28
PID 2400 wrote to memory of 2616	2400	4887672fa6fd896dbf012cfa1bae2a01.exe	28
PID 2400 wrote to memory of 2616	2400	4887672fa6fd896dbf012cfa1bae2a01.exe	28

C:\Users\Admin\AppData\Local\Temp\4887672fa6fd896dbf012cfa1bae2a01.exe
"C:\Users\Admin\AppData\Local\Temp\4887672fa6fd896dbf012cfa1bae2a01.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\CA61.tmp.bat
  2⤵
  - Deletes itself
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CA61.tmp.bat

Filesize
179B

MD5
2d3af247c02b5cf355a1024ab024053d

SHA1
481ac1a5d35c9265858fde7de27222f42349d76a

SHA256
fe2330884fc1694223c87f0d9b26a69481a91624ce98387b912fdd7970c14a81

SHA512
7ffe10be0b02870e206f5c5bedb19e490dc8ad49cc701919bc24219e02ab3327a61a2bf04b2a7e6d1d9654687ef5dd337ff222c7b752b22c2a416798b65ef0ea

Download Submit
C:\Windows\SysWOW64\catsrvwl.nls

Filesize
428B

MD5
bf4b1e3f06909ab8e6db92588c0c18f3

SHA1
35b033da3ddc8e693599e985d1c9799f582b5922

SHA256
e09567d98ed6fa4c3c31828a2744fc8142c9e934d6cbab55050f4759789ef30f

SHA512
eaa42b06298cc0cf675d7275bf7061a6f96b5b1abb1049e8015effc01439d7f52be5eb4574fdcff45e6a68edbe478c88ff218a51d33b933cc279b14f67ed963b

Download Submit
C:\Windows\SysWOW64\catsrvwl.tmp

Filesize
593KB

MD5
1f485f4f91189fc6b043e617a4999341

SHA1
64094ebdd8c87e40ad0f8902dda79aeac83df31b

SHA256
585cd173becc0d6b200e70dfb892b0c8e3b30ad1fce147cff0eb3fa0fdefbc9b

SHA512
55b8abccb9360c752d0106219535c818358ad5fd87553a6c3825eeb2b04b3ef5c57e60195fd91c350d9f2f0dbf1ed578d51377790cf369a6b7b097ef99278af7

Download Submit
\Windows\SysWOW64\catsrvwl.dll

Filesize
495KB

MD5
df0150661d20a3033f23b6acf825e767

SHA1
b94335e56fa9a158cf45b7a1b849ba38a97a8b9f

SHA256
0dba3cd21b119a65c20127f12a1e6a2448c785e30689ac88656a6e6846e13f45

SHA512
6686871b6287a2b9d62a580a597398931cb4c4ef2705d1959b5559b9094837fafd2995f85af1044c1827737e9d0a36b96f6d39af0cbe4789d915fe4a914edac4

Download Submit
memory/2400-16-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download
memory/2400-25-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads