4a3545fa71e922368a8fc1d44df15c2c7a0663097a0ecf2837ccb7e3180d537b

Analysis

max time kernel
143s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bb9fc0e4ec53cfa456fc85c64585033.exe
Size

13KB
MD5

4bb9fc0e4ec53cfa456fc85c64585033
SHA1

262f241238b7b357e6a40149b9e020517a71d9a5
SHA256

4a3545fa71e922368a8fc1d44df15c2c7a0663097a0ecf2837ccb7e3180d537b
SHA512

609a288f625aae48eb42cbb8b22ea71fae25e6cae66ea7b3947621a6b125a1e194429cf1f5b368027d044a8fde3312d8c5662dc0558a2d782c0e7a8fe701c2c8
SSDEEP

384:eFXIsq05yJVqt7TBfCCY4ul9hWp5zySMBqPjsrE2C:eFTIVw7TBfCAu7mzySMBi8Er

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vzpdfcjs.dll = "{D3112B69-A745-4805-874E-ABD480EA1299}"	4bb9fc0e4ec53cfa456fc85c64585033.exe

Loads dropped DLL 1 IoCs

pid	Process
4980	4bb9fc0e4ec53cfa456fc85c64585033.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vzpdfcjs.nls	4bb9fc0e4ec53cfa456fc85c64585033.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}\InProcServer32\ThreadingModel = "Apartment"	4bb9fc0e4ec53cfa456fc85c64585033.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}	4bb9fc0e4ec53cfa456fc85c64585033.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}\InProcServer32	4bb9fc0e4ec53cfa456fc85c64585033.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}\InProcServer32\ = "C:\\Windows\\SysWow64\\vzpdfcjs.dll"	4bb9fc0e4ec53cfa456fc85c64585033.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4980	4bb9fc0e4ec53cfa456fc85c64585033.exe
4980	4bb9fc0e4ec53cfa456fc85c64585033.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4980	4bb9fc0e4ec53cfa456fc85c64585033.exe
4980	4bb9fc0e4ec53cfa456fc85c64585033.exe
4980	4bb9fc0e4ec53cfa456fc85c64585033.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 4148	4980	4bb9fc0e4ec53cfa456fc85c64585033.exe	103
PID 4980 wrote to memory of 4148	4980	4bb9fc0e4ec53cfa456fc85c64585033.exe	103
PID 4980 wrote to memory of 4148	4980	4bb9fc0e4ec53cfa456fc85c64585033.exe	103

C:\Users\Admin\AppData\Local\Temp\4bb9fc0e4ec53cfa456fc85c64585033.exe
"C:\Users\Admin\AppData\Local\Temp\4bb9fc0e4ec53cfa456fc85c64585033.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\B517.tmp.bat
  2⤵
  PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B517.tmp.bat

Filesize
179B

MD5
683aaba2a44c47af9d9307055db0fa70

SHA1
9136c5e30d36f233072108c2f187a1ce76424770

SHA256
b000c463ae6bbb6f50f4e9db43aa04a22d467ed4e1e3584d8157ece845b17cec

SHA512
9931226170641a1c59f1e2627ecbc86fd22d2392c33b9e5a0856d70b36fd06f9c6717d8d0af0dc99873bd9e6fc915774275b87fa61ac38edfa467b2a29f2f61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzpdfcjs.tmp

Filesize
104KB

MD5
67ac199dc10b884cc1a544802f315463

SHA1
9622740bd719f3de557d100b7a27de52e72a7baa

SHA256
0ded046e58a78ae0d22ff39e532daa5d1fef5726676037efe712e09c54dbb72b

SHA512
d744bce04bd0419664f1e5904b2babd1a071e09e28e7dc00fe024684882bb606bbefc83f7f57121125aaa87a409c8668b0e679ebbcf9585bab550c65d24af13e

Download Submit
C:\Windows\SysWOW64\vzpdfcjs.dll

Filesize
378KB

MD5
317e99f462f1dcd02a75a3da84b4f2bc

SHA1
16b772d00f3449592c91337ad937cd2543b37e63

SHA256
a8030e03b65271f1cfa04d0eb73ff1ecc15689713dd8187d68c55ff71bde7b96

SHA512
1ab3a526cb14b895aac1dfbd8596a086a0d4d21e20a05eef0adaccff83c42a4d5ab298c105e981e879f43f45958f4aaac3e010d3cb6200c701ade1dc5e4a2c82

Download Submit
memory/4980-17-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/4980-21-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download