c3f9be30085f8a6a334ab6757c4337c91067537409da17211b7c15520de2806d

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 09:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

744e4eb6c8f21fd9d9289253ca0a39a2.exe
Size

13KB
MD5

744e4eb6c8f21fd9d9289253ca0a39a2
SHA1

581eb76e8cf9ec0d8c3beaa45ccf9b7b9f76f081
SHA256

c3f9be30085f8a6a334ab6757c4337c91067537409da17211b7c15520de2806d
SHA512

7a4eb8369bfe963f0e4fa7cfb5ccf44a06b21cc9bc95ec67cb86f0f2b234a01ebfb6a23e13a4557d3e0731c58851ac000d35d598d4f0060b1a7e783e2db20896
SSDEEP

384:Xk3RPRZLnRcrr2hBapX2qVRc3OSWbpy8lXxcyvW01Y:XCN/Gd5VRc3PWbc8Rxcye02

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dispexcb.dll = "{76D44356-B494-443a-BEDC-AA68DE4255E6}"	744e4eb6c8f21fd9d9289253ca0a39a2.exe

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	744e4eb6c8f21fd9d9289253ca0a39a2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dispexcb.tmp	744e4eb6c8f21fd9d9289253ca0a39a2.exe
File opened for modification	C:\Windows\SysWOW64\dispexcb.nls	744e4eb6c8f21fd9d9289253ca0a39a2.exe
File created	C:\Windows\SysWOW64\dispexcb.tmp	744e4eb6c8f21fd9d9289253ca0a39a2.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ThreadingModel = "Apartment"	744e4eb6c8f21fd9d9289253ca0a39a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}	744e4eb6c8f21fd9d9289253ca0a39a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32	744e4eb6c8f21fd9d9289253ca0a39a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ = "C:\\Windows\\SysWow64\\dispexcb.dll"	744e4eb6c8f21fd9d9289253ca0a39a2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2176	744e4eb6c8f21fd9d9289253ca0a39a2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2176	744e4eb6c8f21fd9d9289253ca0a39a2.exe
2176	744e4eb6c8f21fd9d9289253ca0a39a2.exe
2176	744e4eb6c8f21fd9d9289253ca0a39a2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2796	2176	744e4eb6c8f21fd9d9289253ca0a39a2.exe	28
PID 2176 wrote to memory of 2796	2176	744e4eb6c8f21fd9d9289253ca0a39a2.exe	28
PID 2176 wrote to memory of 2796	2176	744e4eb6c8f21fd9d9289253ca0a39a2.exe	28
PID 2176 wrote to memory of 2796	2176	744e4eb6c8f21fd9d9289253ca0a39a2.exe	28

C:\Users\Admin\AppData\Local\Temp\744e4eb6c8f21fd9d9289253ca0a39a2.exe
"C:\Users\Admin\AppData\Local\Temp\744e4eb6c8f21fd9d9289253ca0a39a2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\B4FD.tmp.bat
  2⤵
  - Deletes itself
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B4FD.tmp.bat

Filesize
179B

MD5
5829dc8587e3c1fad014462934e88e8a

SHA1
d312b19cb2c54e840f92286b8abca42305c8d834

SHA256
618b7fa33a47bde2aa0fae49c17d8feaab3f3e514492225a8216b8b84e76abb5

SHA512
ae0c627ecf84882bb52580213bd8c72e086341b30a244a473ea74ec21f7fd6f03d6e3a596ff472c8b0ed856636cc4688e999ae968b38c4a5a44d23ce1efe2bc4

Download Submit
C:\Windows\SysWOW64\dispexcb.nls

Filesize
428B

MD5
ff77e53159f703a78b1e930f0262e14d

SHA1
7d968e2138db42637c3210f26aec04d40add885b

SHA256
218718ded88d55e369f2c21655e8b6c2c86d785ed72ed0bca0579a53fb86552a

SHA512
3ac09c4a9ba32e6357af2e98c38b0a0c2ff8c6c7b9633575c8ad90ab650c46be50bb83dfd8faf34319e9dc73503891e5cf86c248cb6f6c02879f70e3d89ef765

Download Submit
C:\Windows\SysWOW64\dispexcb.tmp

Filesize
882KB

MD5
40a379f420638bec215402bb5d693001

SHA1
524c47bd527f6f428983c675d7139602624e2855

SHA256
42735027c909f51e7824ebb50a69c29878a80996a86421ee69d3118e45ea0488

SHA512
a7e5d629bed585bd3f107708d2577e612d90609f0b5ee6fb3ba5548cd04a032fe05570f4ee3567dd891335a715d426797eb1d9cee84757b70c1ddfb4e4e7dfbc

Download Submit
memory/2176-16-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download
memory/2176-26-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download