dc340e75d88e1a47be89a72bbef27df5a1102dc260935163381a5407e32d5e6e

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65eab444814a8e8876acbf7f2b54a00b.exe
Size

15KB
MD5

65eab444814a8e8876acbf7f2b54a00b
SHA1

dcc2b4dacc2f6da4c143d867af8a32d6e17c6604
SHA256

dc340e75d88e1a47be89a72bbef27df5a1102dc260935163381a5407e32d5e6e
SHA512

e8130f2d819884f38cd8de4de3f192e74aec12ec491ab007dd051d1ae28b82d474d904ef1eb594a10eee88c52c1ee06c45a41e6e20267d9aabfbddecc991b580
SSDEEP

384:5GbosCjVhlbgTfodB5phyUNtabHgg0918mglh:5GksCjvGfodqUEAgS8mglh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\adsntzt.dll = "{00010001-0001-0001-0001-00010001BB15}"	65eab444814a8e8876acbf7f2b54a00b.exe

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2640	65eab444814a8e8876acbf7f2b54a00b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adsntzt.tmp	65eab444814a8e8876acbf7f2b54a00b.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.tmp	65eab444814a8e8876acbf7f2b54a00b.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.nls	65eab444814a8e8876acbf7f2b54a00b.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}	65eab444814a8e8876acbf7f2b54a00b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}\InProcServer32	65eab444814a8e8876acbf7f2b54a00b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}\InProcServer32\ = "C:\\Windows\\SysWow64\\adsntzt.dll"	65eab444814a8e8876acbf7f2b54a00b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}\InProcServer32\ThreadingModel = "Apartment"	65eab444814a8e8876acbf7f2b54a00b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2640	65eab444814a8e8876acbf7f2b54a00b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2640	65eab444814a8e8876acbf7f2b54a00b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2832	2640	65eab444814a8e8876acbf7f2b54a00b.exe	28
PID 2640 wrote to memory of 2832	2640	65eab444814a8e8876acbf7f2b54a00b.exe	28
PID 2640 wrote to memory of 2832	2640	65eab444814a8e8876acbf7f2b54a00b.exe	28
PID 2640 wrote to memory of 2832	2640	65eab444814a8e8876acbf7f2b54a00b.exe	28

C:\Users\Admin\AppData\Local\Temp\65eab444814a8e8876acbf7f2b54a00b.exe
"C:\Users\Admin\AppData\Local\Temp\65eab444814a8e8876acbf7f2b54a00b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\CF02.tmp.bat
  2⤵
  - Deletes itself
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CF02.tmp.bat

Filesize
179B

MD5
0f2970e03e919d8c4cc2717057dca9f9

SHA1
69771b0e2a4f1a20b69462f2877ab275fe8d7dc6

SHA256
b62e796734f042aa61f0fbc8a17f797c3de7c5c12de80e45d95f5f5f34a5f3e5

SHA512
d44eaa829257e193af48746655daac540f3b4f2d8171dd6498c2e46f2530602d8882e5db8e834b8716d9996d1a07c453fb91b4675d652b2c598cd5c409b8208d

Download Submit
C:\Windows\SysWOW64\adsntzt.tmp

Filesize
800KB

MD5
f356756f4965308ec762143c965669da

SHA1
9f60490612ef64161f6570f3f7f24fbda1d0a471

SHA256
3c6af5b6c269adb7ea24bc305aecec816b77ef1f90a494fb6a3606e8426c05f0

SHA512
1eb1c13c14ac7229ec3f568954e4d76144bf3a7dfabf5a5144a17a3dbca5238e4f4f3c7f461d8cb33eaca0718d58078dfd2454ce2697eff2f730b99b5703cf00

Download Submit