debc15f63bd8ef318bbd77d65c8e3919fae086f501c4befe17e2010a45292d1a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 23:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54e80a8d1e46f688f22db7ce8dc4a241.exe
Size

14KB
MD5

54e80a8d1e46f688f22db7ce8dc4a241
SHA1

4a35b87e0ecb231aa8ecddc9efb525ead4e03e2f
SHA256

debc15f63bd8ef318bbd77d65c8e3919fae086f501c4befe17e2010a45292d1a
SHA512

e4476d2ce22b96e298ec3aab749f3a90807dc5690803532f36e48703c43219dcdce4d87a13b1d291ea2e02a710a7d700835d011040be0c3e60ab63385c3b6fdd
SSDEEP

384:M/lNdn0Jp7lCqjYcMVerN3Zzj8vxbcfG9JLLc8S:M/tIbjYcMQzjkVWG9Nc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cliconfgzx.dll = "{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}"	54e80a8d1e46f688f22db7ce8dc4a241.exe

Loads dropped DLL 1 IoCs

pid	Process
4228	54e80a8d1e46f688f22db7ce8dc4a241.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cliconfgzx.tmp	54e80a8d1e46f688f22db7ce8dc4a241.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.tmp	54e80a8d1e46f688f22db7ce8dc4a241.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.nls	54e80a8d1e46f688f22db7ce8dc4a241.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}	54e80a8d1e46f688f22db7ce8dc4a241.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32	54e80a8d1e46f688f22db7ce8dc4a241.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ = "C:\\Windows\\SysWow64\\cliconfgzx.dll"	54e80a8d1e46f688f22db7ce8dc4a241.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ThreadingModel = "Apartment"	54e80a8d1e46f688f22db7ce8dc4a241.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4228	54e80a8d1e46f688f22db7ce8dc4a241.exe
4228	54e80a8d1e46f688f22db7ce8dc4a241.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4228	54e80a8d1e46f688f22db7ce8dc4a241.exe
4228	54e80a8d1e46f688f22db7ce8dc4a241.exe
4228	54e80a8d1e46f688f22db7ce8dc4a241.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 2536	4228	54e80a8d1e46f688f22db7ce8dc4a241.exe	101
PID 4228 wrote to memory of 2536	4228	54e80a8d1e46f688f22db7ce8dc4a241.exe	101
PID 4228 wrote to memory of 2536	4228	54e80a8d1e46f688f22db7ce8dc4a241.exe	101

C:\Users\Admin\AppData\Local\Temp\54e80a8d1e46f688f22db7ce8dc4a241.exe
"C:\Users\Admin\AppData\Local\Temp\54e80a8d1e46f688f22db7ce8dc4a241.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\C6F.tmp.bat
  2⤵
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C6F.tmp.bat

Filesize
179B

MD5
f367ea006aa114991f41b27fb63180b7

SHA1
b9feea9cb8163062f97cde62384f56aa56ca4467

SHA256
70bcc8704aeba81bb8999702315626ca29656df9d1facd48c217544cabaacabf

SHA512
1738dc2cb54c307ea66ce2296a9e5c0a68a3a796dab99dd1ecb6d6d1429c194b63bd8aa49566783f8377d092a1dcacb3d30f0bb095d439c78c71b872307dfbc7

Download Submit
C:\Windows\SysWOW64\cliconfgzx.dll

Filesize
139KB

MD5
c651739631ab0083c210ff5d69cb0af0

SHA1
59171ddea2a7b57a32461d3d93325327a418eea5

SHA256
363ab3b78c831b210f4e33d13980af94487032112164912b504848a024a80283

SHA512
d7320f846112ad5c1e2aba371f8ea48ee3c269dbbe170a21b31724b6bea8ebcb1f28370ea9eaa7e8b9a3551897fa8c4c45ad81b0f2c3c248a668e3fe867820c5

Download Submit
C:\Windows\SysWOW64\cliconfgzx.dll

Filesize
412KB

MD5
f01e56de4310d36e344970dc28e30ec8

SHA1
9f8557fa74cdaedc75f76ee27dfc74c870e6344e

SHA256
3a2a1e4acf7431708c39d601ef6d144c9a50e646a6cc884633f554f493a3bb90

SHA512
6624c88f42c682b540e23283df561d06c16f70cdae39572be4323b7fc7968717566ce152f4aa036d2a4925ea80cf026a3789a65dbf427713f9f164e56e8f5ad2

Download Submit
memory/4228-9-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download
memory/4228-13-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download