c3fd1d8be21120142bd880f090c4d02f24fadb74f753b0f9212ceaa07dcf42b8

General

Target

382c489410511abc86039d7710bbfc33.exe
Size

14KB
MD5

382c489410511abc86039d7710bbfc33
SHA1

32fc855d07061b86bf8b8e637e5dfcdb023cc8af
SHA256

c3fd1d8be21120142bd880f090c4d02f24fadb74f753b0f9212ceaa07dcf42b8
SHA512

3294f228f7ca1b092a43cf02c61f821a5a055a0b7160ff572f8d5dba7ab1673ed51059c6d193f6a22e302f3a949778859f861721fc1e9d803a982fba1bf7eb7a
SSDEEP

384:8/lqp149VsU7zvzebqJerRzsp90XPsWs1q9myB:8/cp1QVDv9Gz40XPsWaq9mO

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dispexcb.dll = "{76D44356-B494-443a-BEDC-AA68DE4255E6}"	382c489410511abc86039d7710bbfc33.exe

Deletes itself 1 IoCs

pid	Process
2480	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3012	382c489410511abc86039d7710bbfc33.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dispexcb.tmp	382c489410511abc86039d7710bbfc33.exe
File opened for modification	C:\Windows\SysWOW64\dispexcb.tmp	382c489410511abc86039d7710bbfc33.exe
File opened for modification	C:\Windows\SysWOW64\dispexcb.nls	382c489410511abc86039d7710bbfc33.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32	382c489410511abc86039d7710bbfc33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ = "C:\\Windows\\SysWow64\\dispexcb.dll"	382c489410511abc86039d7710bbfc33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ThreadingModel = "Apartment"	382c489410511abc86039d7710bbfc33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}	382c489410511abc86039d7710bbfc33.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3012	382c489410511abc86039d7710bbfc33.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3012	382c489410511abc86039d7710bbfc33.exe
3012	382c489410511abc86039d7710bbfc33.exe
3012	382c489410511abc86039d7710bbfc33.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2480	3012	382c489410511abc86039d7710bbfc33.exe	29
PID 3012 wrote to memory of 2480	3012	382c489410511abc86039d7710bbfc33.exe	29
PID 3012 wrote to memory of 2480	3012	382c489410511abc86039d7710bbfc33.exe	29
PID 3012 wrote to memory of 2480	3012	382c489410511abc86039d7710bbfc33.exe	29

C:\Users\Admin\AppData\Local\Temp\382c489410511abc86039d7710bbfc33.exe
"C:\Users\Admin\AppData\Local\Temp\382c489410511abc86039d7710bbfc33.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\19D7.tmp.bat
  2⤵
  - Deletes itself
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19D7.tmp.bat

Filesize
179B

MD5
956c465cbc3768f4ef102d44f462a816

SHA1
a225c7f0d65abb5ff8b86371264db3d4a3d3fa28

SHA256
bbbd43e1b09ea96fa07a1566f19acd498090c44b8516ee0f950bc518a1707887

SHA512
62d27ea98621140260c8bf8c59d07768bb0b676f9c38b1f57846f1abd63c44d0f7cba25edc0851d14e30a643d43fd6a5da7a3509f848dfcc7bdff195a335b375

Download Submit
C:\Windows\SysWOW64\dispexcb.nls

Filesize
428B

MD5
1559c516e3eab80c9231c51bd6a615d5

SHA1
7b1b244c8643d6b0a36661c74d83cb5dee91b520

SHA256
fbffffc2ad7d38774d52ab3543e8e5a2d2082f9e7ab86c96f3c13360bc79648f

SHA512
12d4c01a58fa6cc912d1b5248bd570cf1e7fe5a91610d226a5f094062cd121ff68bf988a5b45d97517a6388faed6a4487e1a0d328b4e755bb6ec32f6181b9b03

Download Submit
C:\Windows\SysWOW64\dispexcb.tmp

Filesize
516KB

MD5
e92fc3c72481764682a5d800499166eb

SHA1
b0e6f3c9fe43f637e945c65b8d4633b64a73ff51

SHA256
ab971b6371f9ab99ea3644b7574cca1885ff103d60dac7123ecd2a9538487e9d

SHA512
79b0608cb510bf27df28e25deccb482d7e9d7cce452bd67bbce35fbb00e8be2a4b283b3602da88eb6dc9ef82eae63b01fc9e8685f54c0a4c67f386b7748c0e2b

Download Submit
\Windows\SysWOW64\dispexcb.dll

Filesize
457KB

MD5
ed6d04318c94835d01ae75afdf9091c8

SHA1
84596af85a535eb95a71b043c726d42a54146cac

SHA256
f41ec19e9f0e50211a7fea157771c8df7c67984359734269f66547bbb1f1e5cf

SHA512
1f4e47caa43a5d5837663c5ae041bd5961e377e71c4ecd1f2f0e3bd806b3b5db9c6564afa00834b5ce2756fdc2ea3ef7cabf35c76a9c04206f6aa0359c03e569

Download Submit
memory/3012-16-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download
memory/3012-26-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads