50aecbc7000c93d3c38cf68e77e0afaeb446fed99fc71e50c968feccf689223b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

508315df5d3268c24aea07bdb9405915.exe
Size

14KB
MD5

508315df5d3268c24aea07bdb9405915
SHA1

2823a1cf6620a4de01f29631b7cc21c0ed9b5fc5
SHA256

50aecbc7000c93d3c38cf68e77e0afaeb446fed99fc71e50c968feccf689223b
SHA512

7fa4a119b18c2888da68884ef829e03558d22d3d135b0d8467117f0cc57a437855e9c7e9de0edb54026e74e464a64c45b7ac12dba54ac00054baaa49ed05de9c
SSDEEP

384:hwAV8wyIKKL+yxB0PbzYOyZyyfBmann9bOuNP:jbKKLJxBMbuygmanNz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\uzhjjhfj.dll = "{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}"	508315df5d3268c24aea07bdb9405915.exe

Loads dropped DLL 1 IoCs

pid	Process
2404	508315df5d3268c24aea07bdb9405915.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\uzhjjhfj.tmp	508315df5d3268c24aea07bdb9405915.exe
File opened for modification	C:\Windows\SysWOW64\uzhjjhfj.tmp	508315df5d3268c24aea07bdb9405915.exe
File opened for modification	C:\Windows\SysWOW64\uzhjjhfj.nls	508315df5d3268c24aea07bdb9405915.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32	508315df5d3268c24aea07bdb9405915.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ = "C:\\Windows\\SysWow64\\uzhjjhfj.dll"	508315df5d3268c24aea07bdb9405915.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ThreadingModel = "Apartment"	508315df5d3268c24aea07bdb9405915.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}	508315df5d3268c24aea07bdb9405915.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2404	508315df5d3268c24aea07bdb9405915.exe
2404	508315df5d3268c24aea07bdb9405915.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2404	508315df5d3268c24aea07bdb9405915.exe
2404	508315df5d3268c24aea07bdb9405915.exe
2404	508315df5d3268c24aea07bdb9405915.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 916	2404	508315df5d3268c24aea07bdb9405915.exe	100
PID 2404 wrote to memory of 916	2404	508315df5d3268c24aea07bdb9405915.exe	100
PID 2404 wrote to memory of 916	2404	508315df5d3268c24aea07bdb9405915.exe	100

C:\Users\Admin\AppData\Local\Temp\508315df5d3268c24aea07bdb9405915.exe
"C:\Users\Admin\AppData\Local\Temp\508315df5d3268c24aea07bdb9405915.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\C563.tmp.bat
  2⤵
  PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C563.tmp.bat

Filesize
179B

MD5
4fda88b48af3a95a1b4e3f2994e52f7c

SHA1
6bf1b9dd9d72e5c59a2b37ba00b3646191effb43

SHA256
ce4319bcd3b70c4888b29321e921b32ffe08f7dc387157631bf165419e7a28d1

SHA512
0c317354ee568f19aa84abb5c1f203c7139a77f829e7a4aade9df247af8272dfd5d3b2a1ba83cff9499ed9671ef05b288d8f3edcbecfe24d6ec745ca07469640

Download Submit
C:\Windows\SysWOW64\uzhjjhfj.dll

Filesize
382KB

MD5
2c1a0ec8f5dfa2501ecedd6ac0bdb2e0

SHA1
d80473cca1241a825ebb0c2f3a23db8b9382ef57

SHA256
3d5312c902b1b64a4699356dc0ed2c2352004e454b62068c9493de40d2e19acc

SHA512
605ff713576b26300a946009ce224e6a79e5592a7c8693badb4d2c4aa668be33d005a28a3703dff11d600e7d0596dd05bc7301e1d316c3315e6cf47a39b75c01

Download Submit
memory/2404-13-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2404-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download