f0a9f6be1726f7a26db65e18de759bddfc5e12525f8248c6e55bef3ca2c17eda

Analysis

max time kernel
140s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5773b698d1b14ff6a5fac616ba1a84c4.exe
Size

14KB
MD5

5773b698d1b14ff6a5fac616ba1a84c4
SHA1

6b5e2f26c43c00ccb11635a29382da6735f7b0b6
SHA256

f0a9f6be1726f7a26db65e18de759bddfc5e12525f8248c6e55bef3ca2c17eda
SHA512

b8e9a0aa0fae628b7f262f2f285539227adb7573b4a0a3f265b2b50398db25dd9755cf0565a3147801e164371142f8d216b6fd48e0825310ca1145aedee1b613
SSDEEP

384:yIdbB9J1I8hwt06WbORqhXWXrkE3bZXAwB:yON1RhbJORqhXWXrkabZXd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll = "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"	5773b698d1b14ff6a5fac616ba1a84c4.exe

Loads dropped DLL 1 IoCs

pid	Process
4804	5773b698d1b14ff6a5fac616ba1a84c4.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.nls	5773b698d1b14ff6a5fac616ba1a84c4.exe
File created	C:\Windows\SysWOW64\slbiopfs2.tmp	5773b698d1b14ff6a5fac616ba1a84c4.exe
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.tmp	5773b698d1b14ff6a5fac616ba1a84c4.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}	5773b698d1b14ff6a5fac616ba1a84c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32	5773b698d1b14ff6a5fac616ba1a84c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ = "C:\\Windows\\SysWow64\\slbiopfs2.dll"	5773b698d1b14ff6a5fac616ba1a84c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ThreadingModel = "Apartment"	5773b698d1b14ff6a5fac616ba1a84c4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4804	5773b698d1b14ff6a5fac616ba1a84c4.exe
4804	5773b698d1b14ff6a5fac616ba1a84c4.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4804	5773b698d1b14ff6a5fac616ba1a84c4.exe
4804	5773b698d1b14ff6a5fac616ba1a84c4.exe
4804	5773b698d1b14ff6a5fac616ba1a84c4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 3156	4804	5773b698d1b14ff6a5fac616ba1a84c4.exe	99
PID 4804 wrote to memory of 3156	4804	5773b698d1b14ff6a5fac616ba1a84c4.exe	99
PID 4804 wrote to memory of 3156	4804	5773b698d1b14ff6a5fac616ba1a84c4.exe	99

C:\Users\Admin\AppData\Local\Temp\5773b698d1b14ff6a5fac616ba1a84c4.exe
"C:\Users\Admin\AppData\Local\Temp\5773b698d1b14ff6a5fac616ba1a84c4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\6136.tmp.bat
  2⤵
  PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6136.tmp.bat

Filesize
179B

MD5
d6388cc19ab7bc2f01b42b083cda8f6f

SHA1
fc1825a64a13907cbb99d219461ca03025aa09aa

SHA256
3b1eacec4f3d0da3882fda1a92ad3f7f29648f29333f5be66f7396442e41a055

SHA512
b3a5add200276322b8c03d3fe82701c9bc63fb7eba9bb61cd55cbd063363bf33f6294c6cb4617ff0d4ff04cb25bfcb12048c7604879892b4c4c0f35381b28b54

Download Submit
C:\Windows\SysWOW64\slbiopfs2.nls

Filesize
428B

MD5
03c4c07f5c3b949b48d7cc1933513e76

SHA1
0cc63305b8a81ae1b21224d44fa25fd6e0c03387

SHA256
1f2c6a868d8a9ff14e1a0ec7ae133fd808d6c259676d36ecd8392f228a731a59

SHA512
e96119e1a98de59a042511001ae00d88044771ad1214d0ba3b786c1e0fadc4342730e747ed831ceeae5bbc663e44360792804c71800aeac2af2bb586e3816219

Download Submit
C:\Windows\SysWOW64\slbiopfs2.tmp

Filesize
2.1MB

MD5
b940988c77a5c7bc268affed5f01c681

SHA1
036bb51c78165eb83449097de2314dcf023a2512

SHA256
04eaad5e67d8e93a313e7f69087d3cb01319fe31bebdf81e8c0719c67806420e

SHA512
a93de7cd3ce64b0603e4cf2590f25491db809fec9698c07d01c72af4a97d7f19bedff2f869a5f3536420c136ae1efaa74559fcfcbee45d3e1433765eda02a9b3

Download Submit
memory/4804-17-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/4804-22-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download