Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-01-2024 11:20
Static task: static1
Behavioral task: behavioral1
- Sample: 56510579af9892ccfeb0ae410fd6ccfd.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 56510579af9892ccfeb0ae410fd6ccfd.exe
- Resource: win10v2004-20231215-en
General
- Target: 56510579af9892ccfeb0ae410fd6ccfd.exe
- Size: 74KB
- MD5: 56510579af9892ccfeb0ae410fd6ccfd
- SHA1: c91e30a4c3f3b19b75018b63c5e285ee221d914a
- SHA256: adcd27ea55641811ad7a8e6b04af6cf7f408291a22e2e04a221a63ce92d3002b
- SHA512: 7594c53fbed3dc50c96d90b41a713f375f980fad11cbe94095ea7aefd003470d0b54e07cd5d98802fcbd4b37c2a6a3e62a9af1701fd82c34c20718c3d6942da1
- SSDEEP: 1536:V0/4AcnbOaEyS9pvoQ8iluOeB7Iybad2W9RKAyM7:iwAcClbbgopeB7IWad2GL7
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 56510579af9892ccfeb0ae410fd6ccfd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Access Security = "{08B69561-A8E5-49C9-B562-074E59E1A562}" | 56510579af9892ccfeb0ae410fd6ccfd.exe
- Contacts a large (700) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Protocol Security = "C:\\Windows\\system32\\npshp71d.exe" | 56510579af9892ccfeb0ae410fd6ccfd.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\vnetbsh.dll | 56510579af9892ccfeb0ae410fd6ccfd.exe
  File created | C:\Windows\SysWOW64\albekgaa.dll | 56510579af9892ccfeb0ae410fd6ccfd.exe
  File opened for modification | C:\Windows\SysWOW64\albekgaa.dll | 56510579af9892ccfeb0ae410fd6ccfd.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08B69561-A8E5-49C9-B562-074E59E1A562}\InProcServer32\ = "C:\\Windows\\SysWow64\\msswbprn.dll" | 56510579af9892ccfeb0ae410fd6ccfd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08B69561-A8E5-49C9-B562-074E59E1A562}\InProcServer32 | 56510579af9892ccfeb0ae410fd6ccfd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 56510579af9892ccfeb0ae410fd6ccfd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 56510579af9892ccfeb0ae410fd6ccfd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08B69561-A8E5-49C9-B562-074E59E1A562} | 56510579af9892ccfeb0ae410fd6ccfd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\56510579af9892ccfeb0ae410fd6ccfd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56510579af9892ccfeb0ae410fd6ccfd.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  PID: 1264
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 573B
  MD5: 2fb80107f9d658302485d9596c2e01f9
  SHA1: 22b024eb3a1963ab925d631620423ddde78892e5
  SHA256: a2726a11bcf40014c7d9f45ba46775147c72c65e485d91cbbe5e308767563f1f
  SHA512: e7db0e853f745971e3b7ee5b7f66f13022f8c7db78693a400dc614f3fc1b6adab7eda57a13e6f9041d12729055262139069299038789d05b497efed5cf8f00c4