0c592badffac069106571a026ff58ba0499c5121aee9de485e95727fcdfe4893

Analysis

max time kernel
135s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 00:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54f13c04272f8bd0675ebd98906a7390.exe
Size

14KB
MD5

54f13c04272f8bd0675ebd98906a7390
SHA1

4061b27dea0a845502a4b0ac3d4d4251b41982bd
SHA256

0c592badffac069106571a026ff58ba0499c5121aee9de485e95727fcdfe4893
SHA512

8e2a82ecf6bc4a479e73e1a3a65c565f071cb9a2288b799412a01bdddde73f16cb0146031f351b74357aae645e61ef89f77fa7217761aecc03406d1f6910511a
SSDEEP

384:7AcMTQ+lTFyranBKF3Q2Ah71o7cYRvnDgZsFT:7YeunBU3vApecYRvnDgZoT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cliconfgzx.dll = "{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}"	54f13c04272f8bd0675ebd98906a7390.exe

Loads dropped DLL 1 IoCs

pid	Process
4444	54f13c04272f8bd0675ebd98906a7390.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.tmp	54f13c04272f8bd0675ebd98906a7390.exe
File opened for modification	C:\Windows\SysWOW64\cliconfgzx.nls	54f13c04272f8bd0675ebd98906a7390.exe
File created	C:\Windows\SysWOW64\cliconfgzx.tmp	54f13c04272f8bd0675ebd98906a7390.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}	54f13c04272f8bd0675ebd98906a7390.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32	54f13c04272f8bd0675ebd98906a7390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ = "C:\\Windows\\SysWow64\\cliconfgzx.dll"	54f13c04272f8bd0675ebd98906a7390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}\InProcServer32\ThreadingModel = "Apartment"	54f13c04272f8bd0675ebd98906a7390.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	54f13c04272f8bd0675ebd98906a7390.exe
4444	54f13c04272f8bd0675ebd98906a7390.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4444	54f13c04272f8bd0675ebd98906a7390.exe
4444	54f13c04272f8bd0675ebd98906a7390.exe
4444	54f13c04272f8bd0675ebd98906a7390.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4472	4444	54f13c04272f8bd0675ebd98906a7390.exe	102
PID 4444 wrote to memory of 4472	4444	54f13c04272f8bd0675ebd98906a7390.exe	102
PID 4444 wrote to memory of 4472	4444	54f13c04272f8bd0675ebd98906a7390.exe	102

C:\Users\Admin\AppData\Local\Temp\54f13c04272f8bd0675ebd98906a7390.exe
"C:\Users\Admin\AppData\Local\Temp\54f13c04272f8bd0675ebd98906a7390.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\C265.tmp.bat
  2⤵
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C265.tmp.bat

Filesize
179B

MD5
ba5e39a0f56c607a9055edae87d1e589

SHA1
31e52a586e61a9b0a3373e47b48ad6dcac012abc

SHA256
0f5954086f68e9a065c819f9306c4a2904fee6374f6396c437ecd57ad000cab8

SHA512
5b82a486a5e7070a74ce63f7948c655e859d3c9ae262c024099c9aecf58cfedc75b461ef94b57b73034472aa51ae5564ff32084e5d7eb6457c76cac823120433

Download Submit
C:\Windows\SysWOW64\cliconfgzx.dll

Filesize
1.6MB

MD5
5337cef00614997a481133eefaf5bd72

SHA1
e83879cacddd82748d53b9e7c9d2f777677b3e0c

SHA256
3559c7a966e862df01d3bd4485aac8a391d2ef1ea524defc45f1ef05af1a3332

SHA512
0dc309e12cb8e0a0cdaab9b80a703b3d8334c397d2dda3115883fc7614d1b7aee90a396f092261b2de56993792703a0aa6263c0736063e4b58205dad92258d40

Download Submit
C:\Windows\SysWOW64\cliconfgzx.dll

Filesize
1.5MB

MD5
759546419ace39a8672e7639b7a8b6bf

SHA1
fb379b22e1f263990a955a98c71ee5c7d973d93f

SHA256
f3d51260d48cfd0aad305e8cf0770a05143af800df25d79d442c00b34f3f716e

SHA512
542c7bdde73cf9ee71dce44da9c13a863c9fb7f4631d01b3c455751f0624f9a2ea7a9be8f665fa2f93b5fa62f1714d4d549fcc42c648e135dbc2b68e25f9a473

Download Submit
memory/4444-9-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/4444-13-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download