8f19caf741c100d22a0a79cf0a5b4ea981935590a665891ce966c4e2c85ebbac

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe
Size

13KB
MD5

4cd94e0fd2dc6a3bd64a65e9da27cfd4
SHA1

9a80cb88f62de342f9ccbfdfeb5955ba10b8288b
SHA256

8f19caf741c100d22a0a79cf0a5b4ea981935590a665891ce966c4e2c85ebbac
SHA512

ace824355e5df84c7b9c75db164e03d012f85d4a1a1993a3d16b638d3fa08a1a4e7c7f5b9078e4763cbff05af15898a9cf8588ee90dcaf2f2c5dfe309fc2a2a3
SSDEEP

192:aSHdXgKjjXxUMiglOL2qwQ0Az/W+IyLHyfzniiwy+kbCIHXaaYKPbjajCQ4irOTb:1dD/igEL2qwQ0g3fy+kpXkKngCQ4N2m

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\msobjstl.dll = "{319675CC-4129-497f-8C7F-E2F48251019E}"	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2232	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msobjstl.tmp	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe
File opened for modification	C:\Windows\SysWOW64\msobjstl.nls	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe
File created	C:\Windows\SysWOW64\msobjstl.tmp	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{319675CC-4129-497f-8C7F-E2F48251019E}\InProcServer32	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{319675CC-4129-497f-8C7F-E2F48251019E}\InProcServer32\ = "C:\\Windows\\SysWow64\\msobjstl.dll"	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{319675CC-4129-497f-8C7F-E2F48251019E}\InProcServer32\ThreadingModel = "Apartment"	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{319675CC-4129-497f-8C7F-E2F48251019E}	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2232	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2232	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe
2232	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe
2232	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2860	2232	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe	29
PID 2232 wrote to memory of 2860	2232	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe	29
PID 2232 wrote to memory of 2860	2232	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe	29
PID 2232 wrote to memory of 2860	2232	4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe	29

C:\Users\Admin\AppData\Local\Temp\4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe
"C:\Users\Admin\AppData\Local\Temp\4cd94e0fd2dc6a3bd64a65e9da27cfd4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\C9C5.tmp.bat
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C9C5.tmp.bat

Filesize
179B

MD5
1860a067689ac3941bd8dbed19a9be78

SHA1
6f2a7db3b94b243a9149cdb02de58c1c113eb575

SHA256
8d58cc03edc805a93bc41cd24f01a1541485434a1bf583d638d98bd226cabfd3

SHA512
c590879ce17655176c23a4dee8f9f8160bd8cd2c123ac0fbcba657828b7fabeb2ca06f6cf7113aee5ad44b7ddb0ea940c7a4b603d1e52e417bb1c6c754fe2326

Download Submit
\Windows\SysWOW64\msobjstl.dll

Filesize
537KB

MD5
c5134c82323eeab6c9e79640d099bf01

SHA1
3ef75e27daeeed27e6f88074551cf2d8f54adb9e

SHA256
c729db070c594944c694ae68e79b110954ed5be1458ab5875e2578f2be3c26ba

SHA512
4fef165c9b8d737feef07da4fc91b1547c59a88b48865b8e96cdb1fbe77eae31b83b25bc7aff948405c3ecc3a99e2778c2f1fb64c4668fae3cb64ea98b838a54

Download Submit
memory/2232-12-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download
memory/2232-21-0x0000000020000000-0x000000002000A000-memory.dmp

Filesize
40KB

Download