de87df1a5dc0b97f73cc098106700198675adafc502c312747e96d164dd78e53

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72b78b6161e328091a70c8b34701e3b1.exe
Size

17KB
MD5

72b78b6161e328091a70c8b34701e3b1
SHA1

47125c5ac807de0fa0118f18678fed9b189c2d75
SHA256

de87df1a5dc0b97f73cc098106700198675adafc502c312747e96d164dd78e53
SHA512

5c50ee2f9469506b8aa5702360e733c6f06b4e0b8bde86001b1b558d3aa12f5050795fae864c6a25bc3a482f57416cb24686693fb23aa0caff2799212f42877d
SSDEEP

384:dUKap8Sy/68c1nrDDOOOUxFPgLna6FFeSiuIEV4FuJSJ/Mqx:dFiIc1rPgeae6FFEuI1FuJ6rx

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\uetxghqn.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}"	72b78b6161e328091a70c8b34701e3b1.exe

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2376	72b78b6161e328091a70c8b34701e3b1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\uetxghqn.nls	72b78b6161e328091a70c8b34701e3b1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\uetxghqn.tmp	72b78b6161e328091a70c8b34701e3b1.exe
File opened for modification	C:\Windows\system\uetxghqn.tmp	72b78b6161e328091a70c8b34701e3b1.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}	72b78b6161e328091a70c8b34701e3b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32	72b78b6161e328091a70c8b34701e3b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ = "C:\\Windows\\SysWow64\\uetxghqn.dll"	72b78b6161e328091a70c8b34701e3b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ThreadingModel = "Apartment"	72b78b6161e328091a70c8b34701e3b1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2376	72b78b6161e328091a70c8b34701e3b1.exe
2376	72b78b6161e328091a70c8b34701e3b1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2376	72b78b6161e328091a70c8b34701e3b1.exe
2376	72b78b6161e328091a70c8b34701e3b1.exe
2376	72b78b6161e328091a70c8b34701e3b1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2592	2376	72b78b6161e328091a70c8b34701e3b1.exe	28
PID 2376 wrote to memory of 2592	2376	72b78b6161e328091a70c8b34701e3b1.exe	28
PID 2376 wrote to memory of 2592	2376	72b78b6161e328091a70c8b34701e3b1.exe	28
PID 2376 wrote to memory of 2592	2376	72b78b6161e328091a70c8b34701e3b1.exe	28

C:\Users\Admin\AppData\Local\Temp\72b78b6161e328091a70c8b34701e3b1.exe
"C:\Users\Admin\AppData\Local\Temp\72b78b6161e328091a70c8b34701e3b1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\86CC.tmp.bat
  2⤵
  - Deletes itself
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\86CC.tmp.bat

Filesize
179B

MD5
c7d3c9b8c0b7c84b225e867fea03aa62

SHA1
5a74fbc5839696b48b3350c5b362ac1a734e1d19

SHA256
e5837b0a6db459eb2f86d2bcc6475bad11da9171e7cbc6f46c4988e4851206ee

SHA512
e374f259bceea3cda58aca2eee8def013d70db8475cb274a63b97784eafd96931e64bffe5d41dab896952766a880bd3748972f64cb2fdc42b7c09b97f1da44ee

Download Submit
C:\Windows\SysWOW64\uetxghqn.dll

Filesize
2.0MB

MD5
e2e2062e3e80a144acc5b67788233a83

SHA1
c137cc2a643629aae7a94c049a997e24be47e275

SHA256
b41ace6a72683c813a2253de8b5d6f00d6bdf00bfc0333d59ca4a0d144559c87

SHA512
48dc581ad89f4a2e2932d69f2999e7bf7724d5c8436a55d38bd05db4c154162c518440d1164ffeee030ba8cc1b3b1912b67bb3f3ecfb447baffbc3c08b7e30ee

Download Submit
\Windows\SysWOW64\uetxghqn.dll

Filesize
1.4MB

MD5
170b9014fa07e479d19bd4aa09a93683

SHA1
78d1e2e5129302530a964d7cbbea154bf2baa0f1

SHA256
3d7b71d986ff970afaeb1cc2e167538bdf312726b60fda91be048919b6627db4

SHA512
986d639d95d95e79d539daa5d47b9e0b05ca7e909ec1c1819bd345d1632c0a817eb5e382fc3f36adfbfc2678bbe89d8b9c2267f9adf8faf02bc52525048820c8

Download Submit
memory/2376-8-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2376-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download