Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: 497d07be55c7691971ef55c818214601.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 497d07be55c7691971ef55c818214601.exe
  Resource: win10v2004-20231215-en
General
Target: 497d07be55c7691971ef55c818214601.exe
Size: 14KB
MD5: 497d07be55c7691971ef55c818214601
SHA1: 0cdc19b5988663f1ef1b7759c2536c80b9cb33d2
SHA256: 8c91fcab97a80bc4331131ac99bfc9dc2debe1dde4f5525f7b170fda02f2a7e5
SHA512: 06d78be040a3310b6b55f715f2a586448ce9840d0dd5852792cb41e586e70799661db96f26efb7bf154ecff1e88f7dbedf291692c94a057da11de8f315edef6b
SSDEEP: 384:Xuf1IbgVUAhI5gDQx73Z3LguBHTh9vJEPNnB:IdOAhIKY3JLzh9qB
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lweurqhx.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}" | 497d07be55c7691971ef55c818214601.exe

Deletes itself (1 IoC)
  pid | Process
  2588 | cmd.exe

Loads dropped DLL (1 IoC)
  pid | Process
  2528 | 497d07be55c7691971ef55c818214601.exe

Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\lweurqhx.tmp | 497d07be55c7691971ef55c818214601.exe
  File opened for modification | C:\Windows\SysWOW64\lweurqhx.tmp | 497d07be55c7691971ef55c818214601.exe
  File opened for modification | C:\Windows\SysWOW64\lweurqhx.nls | 497d07be55c7691971ef55c818214601.exe

Modifies registry class (4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ThreadingModel = "Apartment" | 497d07be55c7691971ef55c818214601.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507} | 497d07be55c7691971ef55c818214601.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32 | 497d07be55c7691971ef55c818214601.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ = "C:\\Windows\\SysWow64\\lweurqhx.dll" | 497d07be55c7691971ef55c818214601.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2528 | 497d07be55c7691971ef55c818214601.exe
  2528 | 497d07be55c7691971ef55c818214601.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  2528 | 497d07be55c7691971ef55c818214601.exe
  2528 | 497d07be55c7691971ef55c818214601.exe
  2528 | 497d07be55c7691971ef55c818214601.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2528 wrote to memory of 2588 | 2528 | 497d07be55c7691971ef55c818214601.exe | 29
  PID 2528 wrote to memory of 2588 | 2528 | 497d07be55c7691971ef55c818214601.exe | 29
  PID 2528 wrote to memory of 2588 | 2528 | 497d07be55c7691971ef55c818214601.exe | 29
  PID 2528 wrote to memory of 2588 | 2528 | 497d07be55c7691971ef55c818214601.exe | 29
Processes

C:\Users\Admin\AppData\Local\Temp\497d07be55c7691971ef55c818214601.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\497d07be55c7691971ef55c818214601.exe"
  PID: 2528
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (child of PID 2528)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\9DC5.tmp.bat
    PID: 2588
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 428B
MD5: b002bc9852c2dfb2103f25c632d0519f
SHA1: 684e5464c61d02c4dac8b5d1849fb688a288a675
SHA256: 7bbc8fb18996628f01b355f28571159e9155d57dfd48ee039b0924e019990497
SHA512: 64b7aa8aa735fe142f68610a1c154992d59b67b2ffc936a552467d28cfb29c1d49139852b7b540cbfa39e041c9be1bc73d7b929aeed9f7c9d691687bd42d5956