d8ed600341106198bee27f4b4ca45a999d98e809eef395f5c53442ae19d71334

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 15:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4bd0236b9dfa730307c84c513d4e12ce.exe
Size

14KB
MD5

4bd0236b9dfa730307c84c513d4e12ce
SHA1

3892f695838852af809e5fe66440c3c3f0fc0a21
SHA256

d8ed600341106198bee27f4b4ca45a999d98e809eef395f5c53442ae19d71334
SHA512

3a7801e4ef99727f9ec4479540780e987a4b1e104491900c88afe56e488bc2a02861a5fe5869deef91cdab0d6458b6ffef3bc78918f289724d144f70544c4e8c
SSDEEP

192:Cu9ld3a8+nzZXjnq0j/RS5pxCp9c8+meV//BmgTXM9a8Taw25gRlmeLhNfSJpdZF:X9XcTqYM5pA/+vxbTeFL2eridZ5pvV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\uwgipuap.dll = "{319675CC-4129-497f-8C7F-E2F48251019E}"	4bd0236b9dfa730307c84c513d4e12ce.exe

Loads dropped DLL 1 IoCs

pid	Process
3884	4bd0236b9dfa730307c84c513d4e12ce.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\uwgipuap.tmp	4bd0236b9dfa730307c84c513d4e12ce.exe
File opened for modification	C:\Windows\SysWOW64\uwgipuap.tmp	4bd0236b9dfa730307c84c513d4e12ce.exe
File opened for modification	C:\Windows\SysWOW64\uwgipuap.nls	4bd0236b9dfa730307c84c513d4e12ce.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{319675CC-4129-497f-8C7F-E2F48251019E}	4bd0236b9dfa730307c84c513d4e12ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{319675CC-4129-497f-8C7F-E2F48251019E}\InProcServer32	4bd0236b9dfa730307c84c513d4e12ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{319675CC-4129-497f-8C7F-E2F48251019E}\InProcServer32\ = "C:\\Windows\\SysWow64\\uwgipuap.dll"	4bd0236b9dfa730307c84c513d4e12ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{319675CC-4129-497f-8C7F-E2F48251019E}\InProcServer32\ThreadingModel = "Apartment"	4bd0236b9dfa730307c84c513d4e12ce.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3884	4bd0236b9dfa730307c84c513d4e12ce.exe
3884	4bd0236b9dfa730307c84c513d4e12ce.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3884	4bd0236b9dfa730307c84c513d4e12ce.exe
3884	4bd0236b9dfa730307c84c513d4e12ce.exe
3884	4bd0236b9dfa730307c84c513d4e12ce.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 5108	3884	4bd0236b9dfa730307c84c513d4e12ce.exe	101
PID 3884 wrote to memory of 5108	3884	4bd0236b9dfa730307c84c513d4e12ce.exe	101
PID 3884 wrote to memory of 5108	3884	4bd0236b9dfa730307c84c513d4e12ce.exe	101

C:\Users\Admin\AppData\Local\Temp\4bd0236b9dfa730307c84c513d4e12ce.exe
"C:\Users\Admin\AppData\Local\Temp\4bd0236b9dfa730307c84c513d4e12ce.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AE12.tmp.bat
  2⤵
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AE12.tmp.bat

Filesize
179B

MD5
8546037a5e720fe847ed4eda81d75b45

SHA1
dfc1b48960978f20afb0f3667e4fea159d168f31

SHA256
bc25a49b1fe3a22e8df3d27125af49d204abb26879d6ea9ab9de434524507930

SHA512
29c22a450ba098c290057e294189002a640256bbc84c0aa6707cf0aa1804709912889e9a714cc56e360e530e467c503d5aa927baea09799b747f912a8392f2b3

Download Submit
C:\Windows\SysWOW64\uwgipuap.dll

Filesize
96KB

MD5
8ff507a8060af6057848daeaaa338911

SHA1
0d52186520a16276af6bc57df48f101ddb61379d

SHA256
8bf282029f759ec1764118c8605293498d9f5c4d924b9335388e22b43b7c9e5b

SHA512
385e8e2b70347c1b0ff3ed4027967f80bf44a26f3d4f063dcaa3c99675b3d9008d12fc006b0ac926029a0331ed2147635160e43bee8f0b96478691a2ad3c8f01

Download Submit
C:\Windows\SysWOW64\uwgipuap.dll

Filesize
93KB

MD5
066a74b84bc16279f7125ca88f753b5d

SHA1
09754db6cdee0ad3bbd1006a92bd54a974fa538b

SHA256
ee9f1b489b525dffa01bc83e7b65b2c683cfce4a6f1e4786e10fdcd1005a989b

SHA512
7d25582c31899295dc39b06b388a3559e797bc7acaf3068fd03e7585e4162fc3af16c9a2b2dbdf54f5d438c96648a729e97a2b0ff89dcd9dd7a8aeb84c784e26

Download Submit
memory/3884-9-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/3884-13-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download