0c592badffac069106571a026ff58ba0499c5121aee9de485e95727fcdfe4893

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 00:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54f13c04272f8bd0675ebd98906a7390.exe
Size

14KB
MD5

54f13c04272f8bd0675ebd98906a7390
SHA1

4061b27dea0a845502a4b0ac3d4d4251b41982bd
SHA256

0c592badffac069106571a026ff58ba0499c5121aee9de485e95727fcdfe4893
SHA512

8e2a82ecf6bc4a479e73e1a3a65c565f071cb9a2288b799412a01bdddde73f16cb0146031f351b74357aae645e61ef89f77fa7217761aecc03406d1f6910511a
SSDEEP

384:7AcMTQ+lTFyranBKF3Q2Ah71o7cYRvnDgZsFT:7YeunBU3vApecYRvnDgZoT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cliconfgzx.dll = "{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}"	54f13c04272f8bd0675ebd98906a7390.exe

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
368	54f13c04272f8bd0675ebd98906a7390.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cliconfgzx.tmp	54f13c04272f8bd0675ebd98906a7390.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.tmp	54f13c04272f8bd0675ebd98906a7390.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.nls	54f13c04272f8bd0675ebd98906a7390.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}	54f13c04272f8bd0675ebd98906a7390.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32	54f13c04272f8bd0675ebd98906a7390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ = "C:\\Windows\\SysWow64\\cliconfgzx.dll"	54f13c04272f8bd0675ebd98906a7390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ThreadingModel = "Apartment"	54f13c04272f8bd0675ebd98906a7390.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
368	54f13c04272f8bd0675ebd98906a7390.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
368	54f13c04272f8bd0675ebd98906a7390.exe
368	54f13c04272f8bd0675ebd98906a7390.exe
368	54f13c04272f8bd0675ebd98906a7390.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 2884	368	54f13c04272f8bd0675ebd98906a7390.exe	28
PID 368 wrote to memory of 2884	368	54f13c04272f8bd0675ebd98906a7390.exe	28
PID 368 wrote to memory of 2884	368	54f13c04272f8bd0675ebd98906a7390.exe	28
PID 368 wrote to memory of 2884	368	54f13c04272f8bd0675ebd98906a7390.exe	28

C:\Users\Admin\AppData\Local\Temp\54f13c04272f8bd0675ebd98906a7390.exe
"C:\Users\Admin\AppData\Local\Temp\54f13c04272f8bd0675ebd98906a7390.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\C552.tmp.bat
  2⤵
  - Deletes itself
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C552.tmp.bat

Filesize
179B

MD5
ba5e39a0f56c607a9055edae87d1e589

SHA1
31e52a586e61a9b0a3373e47b48ad6dcac012abc

SHA256
0f5954086f68e9a065c819f9306c4a2904fee6374f6396c437ecd57ad000cab8

SHA512
5b82a486a5e7070a74ce63f7948c655e859d3c9ae262c024099c9aecf58cfedc75b461ef94b57b73034472aa51ae5564ff32084e5d7eb6457c76cac823120433

Download Submit
C:\Windows\SysWOW64\cliconfgzx.tmp

Filesize
2.4MB

MD5
893c6d383667152f9276184a4048e23f

SHA1
7b9b7e01a86e8bbaf53ff85bbd24b8997481452d

SHA256
6ef9dc4f4d5f3a2a80779cbbe022362b1cdf31a1361ee6ed92a93186e361c0a2

SHA512
86b9a32f6db15dea97a4865b99876badb0e0850d611be74d9fe1b9121c0380faf50b97b52d4a5a9f705be0b7c970343891c9e999dd251991c83d0a721f9f54de

Download Submit
memory/368-8-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/368-17-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download