Analysis
max time kernel: 140s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: 497d07be55c7691971ef55c818214601.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 497d07be55c7691971ef55c818214601.exe
  Resource: win10v2004-20231215-en
General
Target: 497d07be55c7691971ef55c818214601.exe
Size: 14KB
MD5: 497d07be55c7691971ef55c818214601
SHA1: 0cdc19b5988663f1ef1b7759c2536c80b9cb33d2
SHA256: 8c91fcab97a80bc4331131ac99bfc9dc2debe1dde4f5525f7b170fda02f2a7e5
SHA512: 06d78be040a3310b6b55f715f2a586448ce9840d0dd5852792cb41e586e70799661db96f26efb7bf154ecff1e88f7dbedf291692c94a057da11de8f315edef6b
SSDEEP: 384:Xuf1IbgVUAhI5gDQx73Z3LguBHTh9vJEPNnB:IdOAhIKY3JLzh9qB
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lweurqhx.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}" | 497d07be55c7691971ef55c818214601.exe
Loads dropped DLL (1 IoCs)
  pid | Process
  3204 | 497d07be55c7691971ef55c818214601.exe
Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\lweurqhx.nls | 497d07be55c7691971ef55c818214601.exe
  File created | C:\Windows\SysWOW64\lweurqhx.tmp | 497d07be55c7691971ef55c818214601.exe
  File opened for modification | C:\Windows\SysWOW64\lweurqhx.tmp | 497d07be55c7691971ef55c818214601.exe
Modifies registry class (4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507} | 497d07be55c7691971ef55c818214601.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32 | 497d07be55c7691971ef55c818214601.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ = "C:\\Windows\\SysWow64\\lweurqhx.dll" | 497d07be55c7691971ef55c818214601.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ThreadingModel = "Apartment" | 497d07be55c7691971ef55c818214601.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  3204 | 497d07be55c7691971ef55c818214601.exe
  3204 | 497d07be55c7691971ef55c818214601.exe
  3204 | 497d07be55c7691971ef55c818214601.exe
  3204 | 497d07be55c7691971ef55c818214601.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  3204 | 497d07be55c7691971ef55c818214601.exe
  3204 | 497d07be55c7691971ef55c818214601.exe
  3204 | 497d07be55c7691971ef55c818214601.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3204 wrote to memory of 3100 | 3204 | 497d07be55c7691971ef55c818214601.exe | 104
  PID 3204 wrote to memory of 3100 | 3204 | 497d07be55c7691971ef55c818214601.exe | 104
  PID 3204 wrote to memory of 3100 | 3204 | 497d07be55c7691971ef55c818214601.exe | 104
Processes
- C:\Users\Admin\AppData\Local\Temp\497d07be55c7691971ef55c818214601.exe (PID: 3204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\497d07be55c7691971ef55c818214601.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID: 3100)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\C5F0.tmp.bat
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 94KB
  MD5: 2e2e7c8edc157b8f743b101c5f297aee
  SHA1: da26c1ecc164a6d5926eff1ca60e98a38852f9ee
  SHA256: bc6956550d3bfcf5e5fbfb4ad1f2cfbd94b5adcdb8014b6c857ac3f65e27559a
  SHA512: 958558c6c13417d6c9b0f82cd77c58e659299b1d608b9c635edad71f052e04049a900080fb783e93c94ea21d68fb7566584c271fdc07f6b86597ebb831b5761e
- Filesize: 428B
  MD5: b002bc9852c2dfb2103f25c632d0519f
  SHA1: 684e5464c61d02c4dac8b5d1849fb688a288a675
  SHA256: 7bbc8fb18996628f01b355f28571159e9155d57dfd48ee039b0924e019990497
  SHA512: 64b7aa8aa735fe142f68610a1c154992d59b67b2ffc936a552467d28cfb29c1d49139852b7b540cbfa39e041c9be1bc73d7b929aeed9f7c9d691687bd42d5956
- Filesize: 690KB
  MD5: 21e3eddfe73b682e779b4f9d030e720c
  SHA1: bfa46e5c3852b07e7ecf6aa9006377c2e6adb181
  SHA256: 0ebf803d1770b541986b5dc231f17d33111190e0ac1cea7c17dbd564bf04ddc2
  SHA512: bc6ba85122334e0010cd713af9cdfd7003fbd7e888b8df8490e6b5a56edcdf9118c37c83b8cce0fc028a3c264ad085b6713b4887a71974d7dad38a231d5744a1