e228b02a89470c2c470b0e86a024f3d2cd9c2281c342b9162f6c373d5bbdaea5

Analysis

max time kernel
159s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 01:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52305108158949f2c1327a1e76a37f83.exe
Size

16KB
MD5

52305108158949f2c1327a1e76a37f83
SHA1

4df80c4e0425072cc2054cc724ce29f0382e0e6a
SHA256

e228b02a89470c2c470b0e86a024f3d2cd9c2281c342b9162f6c373d5bbdaea5
SHA512

f9620b0b54199ba4267be664e8b4978d3e005e81140f8002ef7dc1c965e0fc3f9bd528967194792e8da628fa19f283792ef02190614621c028355aa1466648db
SSDEEP

384:URI+8HVj4t1tnBL3ULPK43IwNfWCW2FUW0/jEHH0:wuj4tTnZUz13IPVud0/jEHH

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3736	52305108158949f2c1327a1e76a37f83.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinForm = "C:\\Windows\\WinForm.exE"	52305108158949f2c1327a1e76a37f83.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinForm.dll	52305108158949f2c1327a1e76a37f83.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WinForm.exE	52305108158949f2c1327a1e76a37f83.exe
File opened for modification	C:\Windows\WinForm.exE	52305108158949f2c1327a1e76a37f83.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3736	52305108158949f2c1327a1e76a37f83.exe
3736	52305108158949f2c1327a1e76a37f83.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3736	52305108158949f2c1327a1e76a37f83.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 3464	3736	52305108158949f2c1327a1e76a37f83.exe	58
PID 3736 wrote to memory of 3464	3736	52305108158949f2c1327a1e76a37f83.exe	58

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\52305108158949f2c1327a1e76a37f83.exe
  "C:\Users\Admin\AppData\Local\Temp\52305108158949f2c1327a1e76a37f83.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WinForm.dll

Filesize
27KB

MD5
c06531ad3289f0d25c0f045ca1e40972

SHA1
bda52d645f52923cd486826bde189741404e14f7

SHA256
0ca3e230a944749d7c8f6513bb24e4d32341b84baf8d3e1088900e764717b395

SHA512
b0400e44d73ed287f4bd6ef8c1827e64e1a1dfba8717892e209d2398ae819867d2447e2a6dbb6e56b79aba397bb1ba9d31c518286fd73f54b818f24b2f75001c

Download Submit
memory/3464-3-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3736-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3736-5-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3736-9-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download