Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 19:20

General

  • Target

    497d07be55c7691971ef55c818214601.exe

  • Size

    14KB

  • MD5

    497d07be55c7691971ef55c818214601

  • SHA1

    0cdc19b5988663f1ef1b7759c2536c80b9cb33d2

  • SHA256

    8c91fcab97a80bc4331131ac99bfc9dc2debe1dde4f5525f7b170fda02f2a7e5

  • SHA512

    06d78be040a3310b6b55f715f2a586448ce9840d0dd5852792cb41e586e70799661db96f26efb7bf154ecff1e88f7dbedf291692c94a057da11de8f315edef6b

  • SSDEEP

    384:Xuf1IbgVUAhI5gDQx73Z3LguBHTh9vJEPNnB:IdOAhIKY3JLzh9qB

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\497d07be55c7691971ef55c818214601.exe
    "C:\Users\Admin\AppData\Local\Temp\497d07be55c7691971ef55c818214601.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\C5F0.tmp.bat
      2⤵
        PID:3100

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\lweurqhx.dll
    Filesize: 94KB
    MD5: 2e2e7c8edc157b8f743b101c5f297aee
    SHA1: da26c1ecc164a6d5926eff1ca60e98a38852f9ee
    SHA256: bc6956550d3bfcf5e5fbfb4ad1f2cfbd94b5adcdb8014b6c857ac3f65e27559a
    SHA512: 958558c6c13417d6c9b0f82cd77c58e659299b1d608b9c635edad71f052e04049a900080fb783e93c94ea21d68fb7566584c271fdc07f6b86597ebb831b5761e

  • C:\Windows\SysWOW64\lweurqhx.nls
    Filesize: 428B
    MD5: b002bc9852c2dfb2103f25c632d0519f
    SHA1: 684e5464c61d02c4dac8b5d1849fb688a288a675
    SHA256: 7bbc8fb18996628f01b355f28571159e9155d57dfd48ee039b0924e019990497
    SHA512: 64b7aa8aa735fe142f68610a1c154992d59b67b2ffc936a552467d28cfb29c1d49139852b7b540cbfa39e041c9be1bc73d7b929aeed9f7c9d691687bd42d5956

  • C:\Windows\SysWOW64\lweurqhx.tmp
    Filesize: 690KB
    MD5: 21e3eddfe73b682e779b4f9d030e720c
    SHA1: bfa46e5c3852b07e7ecf6aa9006377c2e6adb181
    SHA256: 0ebf803d1770b541986b5dc231f17d33111190e0ac1cea7c17dbd564bf04ddc2
    SHA512: bc6ba85122334e0010cd713af9cdfd7003fbd7e888b8df8490e6b5a56edcdf9118c37c83b8cce0fc028a3c264ad085b6713b4887a71974d7dad38a231d5744a1

  • memory/3204-17-0x0000000020000000-0x0000000020009000-memory.dmp
    Filesize: 36KB

  • memory/3204-21-0x0000000020000000-0x0000000020009000-memory.dmp
    Filesize: 36KB
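The dropped-file entries above are the reusable indicators from this report: three files written to SysWOW64 (a DLL, a .nls and a .tmp) plus the memory regions dumped from PID 3204. The Python below is an added example, not part of the report or of any sandbox vendor's tooling. It parses the report's bullet/field/value layout into records, computes the same four digests the report lists so a file recovered from a host can be compared directly, and hunts across an EDR-style file inventory of (host, path, sha256) rows; that inventory format is an assumption, and the inventory rows in the block are constructed for illustration. The SHA512 lines are left out of the embedded excerpt for brevity; the parser accepts them when present.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Excerpt of the report's Downloads section in the report's own bullet/field/value
# layout (SHA512 lines left out of the excerpt to keep it short).
REPORT_DOWNLOADS = r"""
• C:\Windows\SysWOW64\lweurqhx.dll
Filesize
94KB
MD5
2e2e7c8edc157b8f743b101c5f297aee
SHA1
da26c1ecc164a6d5926eff1ca60e98a38852f9ee
SHA256
bc6956550d3bfcf5e5fbfb4ad1f2cfbd94b5adcdb8014b6c857ac3f65e27559a
• C:\Windows\SysWOW64\lweurqhx.nls
Filesize
428B
MD5
b002bc9852c2dfb2103f25c632d0519f
SHA1
684e5464c61d02c4dac8b5d1849fb688a288a675
SHA256
7bbc8fb18996628f01b355f28571159e9155d57dfd48ee039b0924e019990497
• C:\Windows\SysWOW64\lweurqhx.tmp
Filesize
690KB
MD5
21e3eddfe73b682e779b4f9d030e720c
SHA1
bfa46e5c3852b07e7ecf6aa9006377c2e6adb181
SHA256
0ebf803d1770b541986b5dc231f17d33111190e0ac1cea7c17dbd564bf04ddc2
• memory/3204-17-0x0000000020000000-0x0000000020009000-memory.dmp
Filesize
36KB
"""
FIELDS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
ALGOS = ("md5", "sha1", "sha256", "sha512")

@dataclass
class DroppedFile:
    path: str
    size: str = ""
    md5: str = ""
    sha1: str = ""
    sha256: str = ""
    sha512: str = ""

def parse_downloads(text: str) -> list[DroppedFile]:
    """A bullet line opens a record; a known field name takes the next non-empty line
    as its value. Records that carry only a Filesize (the memory dumps) are kept."""
    entries: list[DroppedFile] = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        if lines[i].startswith("• "):
            entries.append(DroppedFile(path=lines[i][2:]))
        elif lines[i] in FIELDS and entries and i + 1 < len(lines):
            setattr(entries[-1], FIELDS[lines[i]], lines[i + 1])
            i += 1  # the value line has been consumed
        i += 1
    return entries

def digests(data: bytes) -> dict[str, str]:
    """The same four digests the sandbox lists, so a file pulled from a host compares directly."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}

def match_bytes(data: bytes, iocs: list[DroppedFile]) -> DroppedFile | None:
    """First record whose listed hash (any algorithm) equals the digest of data, else None."""
    d = digests(data)
    for ioc in iocs:
        if any(getattr(ioc, a).lower() == d[a] for a in ALGOS if getattr(ioc, a)):
            return ioc
    return None

def match_inventory(iocs: list[DroppedFile], inventory) -> list[tuple[str, str, str, str]]:
    """Hunt across EDR-style (host, path, sha256) rows (an assumed export format). A hash match
    is high confidence; a same-named file with a different hash is reported as 'filename-only'."""
    by_sha256 = {ioc.sha256.lower(): ioc for ioc in iocs if ioc.sha256}
    by_name = {ioc.path.rsplit("\\", 1)[-1].lower(): ioc for ioc in iocs if "\\" in ioc.path}
    hits = []
    for host, path, sha256 in inventory:
        name = path.rsplit("\\", 1)[-1].lower()
        if sha256.lower() in by_sha256:
            hits.append((host, path, "hash", by_sha256[sha256.lower()].path))
        elif name in by_name:
            hits.append((host, path, "filename-only", by_name[name].path))
    return hits

# Constructed inventory rows for illustration; not data from the report.
SAMPLE_INVENTORY = [
    ("ws-01", r"C:\Windows\SysWOW64\lweurqhx.dll",
     "bc6956550d3bfcf5e5fbfb4ad1f2cfbd94b5adcdb8014b6c857ac3f65e27559a"),  # exact hash hit
    ("ws-02", r"C:\Windows\SysWOW64\lweurqhx.dll", "0" * 64),  # same name, different hash
    ("ws-03", r"C:\Windows\SysWOW64\kernel32.dll", "1" * 64),  # unrelated file
]
```

Running `match_inventory(parse_downloads(REPORT_DOWNLOADS), SAMPLE_INVENTORY)` returns a hash hit for ws-01 and a filename-only hit for ws-02; the two tiers are kept separate because a name match in SysWOW64 is worth a look but does not prove the same build is present. The SSDEEP value from the report is not covered here, since fuzzy matching needs the ssdeep library rather than hashlib.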