553b3d184e504d3872cc5d5a61c18751ef6adb47e1c4f390b08a0b465b458cec

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 20:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

545b6571855a0d1fc7605b64f72ce8af.exe
Size

14KB
MD5

545b6571855a0d1fc7605b64f72ce8af
SHA1

f64cbacf224c82bba78c3a19d6bacd58047310ab
SHA256

553b3d184e504d3872cc5d5a61c18751ef6adb47e1c4f390b08a0b465b458cec
SHA512

e3a78592f12ead8fa576161a2b3442e878448ac1629a98b35685dd3be34fe43bc7b3300c0f3d35c0b76d9cb331d114a85a1ebba18392f967f4468644fccbaf6e
SSDEEP

384:tsSiHVosE1lxFQCEUSs677p9CAnNKX+r3rdgZvRaN5B:tj6E1i4631C+r3raZvRu

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bootvidgj.dll = "{D3112B69-A745-4805-874E-ABD480EA1299}"	545b6571855a0d1fc7605b64f72ce8af.exe

Loads dropped DLL 1 IoCs

pid	Process
4696	545b6571855a0d1fc7605b64f72ce8af.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bootvidgj.tmp	545b6571855a0d1fc7605b64f72ce8af.exe
File opened for modification	C:\Windows\SysWOW64\bootvidgj.tmp	545b6571855a0d1fc7605b64f72ce8af.exe
File opened for modification	C:\Windows\SysWOW64\bootvidgj.nls	545b6571855a0d1fc7605b64f72ce8af.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}	545b6571855a0d1fc7605b64f72ce8af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}\InProcServer32	545b6571855a0d1fc7605b64f72ce8af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}\InProcServer32\ = "C:\\Windows\\SysWow64\\bootvidgj.dll"	545b6571855a0d1fc7605b64f72ce8af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}\InProcServer32\ThreadingModel = "Apartment"	545b6571855a0d1fc7605b64f72ce8af.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4696	545b6571855a0d1fc7605b64f72ce8af.exe
4696	545b6571855a0d1fc7605b64f72ce8af.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4696	545b6571855a0d1fc7605b64f72ce8af.exe
4696	545b6571855a0d1fc7605b64f72ce8af.exe
4696	545b6571855a0d1fc7605b64f72ce8af.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1156	4696	545b6571855a0d1fc7605b64f72ce8af.exe	101
PID 4696 wrote to memory of 1156	4696	545b6571855a0d1fc7605b64f72ce8af.exe	101
PID 4696 wrote to memory of 1156	4696	545b6571855a0d1fc7605b64f72ce8af.exe	101

C:\Users\Admin\AppData\Local\Temp\545b6571855a0d1fc7605b64f72ce8af.exe
"C:\Users\Admin\AppData\Local\Temp\545b6571855a0d1fc7605b64f72ce8af.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\B759.tmp.bat
  2⤵
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B759.tmp.bat

Filesize
179B

MD5
ff11ac5aacc06f205c76cc04554d5ca8

SHA1
e4e50069a8cb25f9d3b98ee12d413021fcfd0a0c

SHA256
36d63a64665f6022848b625d1bf52e78dc83db102fd514d105e9ad65182c5813

SHA512
b587cfff1f518ab4b1cadc9945e13cbb310d15111a3e2abb3d067eb6c5dfc643039f9dcbf011a211bd58ec68db63e88a34acdcf29c4cd9855a60296c444759aa

Download Submit
C:\Windows\SysWOW64\bootvidgj.tmp

Filesize
2.5MB

MD5
d6327d9aa7782373d7f48aa3af4de821

SHA1
9ab69af461c5cfaecd8e8f17f4ba642c170172b1

SHA256
6b56c501643aae67cf66499fdcc2198d22e30f41d2b48f31f27176a1f0a66296

SHA512
5de29d1b8d90ef3e4990296bc6aeb9451ff5a21621576aee925e39bb87e3803ed58e1e56281c96275b5471e99a17c147a24a93440754ffe896a0739785ded0b9

Download Submit
memory/4696-17-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/4696-21-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download