1f84244da87662b6d41a06813eb61555be431a309fc5c8c84ee73e6ed91bfe44

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752142f0f208d06c7e69ea8f8477d935.exe
Size

12KB
MD5

752142f0f208d06c7e69ea8f8477d935
SHA1

9ea7b731ffa01945fe075cdc65c0af2114254e90
SHA256

1f84244da87662b6d41a06813eb61555be431a309fc5c8c84ee73e6ed91bfe44
SHA512

9a1e513b5bc94337e6217bc7bf039291ae689a74fdc2afd2d7cbd8e3b6af91f76a800c3d90a8cc14d398f9a28c4729631f2423c533b9fe9403e375f1de455ec9
SSDEEP

384:1KmdoHf3Rep0AAGXAvj2T8dZsrSSQmf0A:Um2/NeXx8UrShm8A

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

752142f0f208d06c7e69ea8f8477d935.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fsusdtd.dll = "{B7F5682F-1D2C-49b5-8723-E75ED258CA0D}"	752142f0f208d06c7e69ea8f8477d935.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2808 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

752142f0f208d06c7e69ea8f8477d935.exe

pid process

2232 752142f0f208d06c7e69ea8f8477d935.exe

pid	process
2808	cmd.exe

pid	process
2232	752142f0f208d06c7e69ea8f8477d935.exe

Drops file in System32 directory 3 IoCs

Processes:

752142f0f208d06c7e69ea8f8477d935.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fsusdtd.tmp	752142f0f208d06c7e69ea8f8477d935.exe
File opened for modification	C:\Windows\SysWOW64\fsusdtd.tmp	752142f0f208d06c7e69ea8f8477d935.exe
File opened for modification	C:\Windows\SysWOW64\fsusdtd.nls	752142f0f208d06c7e69ea8f8477d935.exe

Modifies registry class 4 IoCs

Processes:

752142f0f208d06c7e69ea8f8477d935.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7F5682F-1D2C-49b5-8723-E75ED258CA0D}\InProcServer32\ThreadingModel = "Apartment"	752142f0f208d06c7e69ea8f8477d935.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7F5682F-1D2C-49b5-8723-E75ED258CA0D}	752142f0f208d06c7e69ea8f8477d935.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7F5682F-1D2C-49b5-8723-E75ED258CA0D}\InProcServer32	752142f0f208d06c7e69ea8f8477d935.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7F5682F-1D2C-49b5-8723-E75ED258CA0D}\InProcServer32\ = "C:\\Windows\\SysWow64\\fsusdtd.dll"	752142f0f208d06c7e69ea8f8477d935.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

752142f0f208d06c7e69ea8f8477d935.exe

pid process

2232 752142f0f208d06c7e69ea8f8477d935.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

752142f0f208d06c7e69ea8f8477d935.exe

pid process

2232 752142f0f208d06c7e69ea8f8477d935.exe
2232 752142f0f208d06c7e69ea8f8477d935.exe
2232 752142f0f208d06c7e69ea8f8477d935.exe

pid	process
2232	752142f0f208d06c7e69ea8f8477d935.exe

pid	process
2232	752142f0f208d06c7e69ea8f8477d935.exe
2232	752142f0f208d06c7e69ea8f8477d935.exe
2232	752142f0f208d06c7e69ea8f8477d935.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

752142f0f208d06c7e69ea8f8477d935.exe

description	pid	process	target process
PID 2232 wrote to memory of 2808	2232	752142f0f208d06c7e69ea8f8477d935.exe	cmd.exe
PID 2232 wrote to memory of 2808	2232	752142f0f208d06c7e69ea8f8477d935.exe	cmd.exe
PID 2232 wrote to memory of 2808	2232	752142f0f208d06c7e69ea8f8477d935.exe	cmd.exe
PID 2232 wrote to memory of 2808	2232	752142f0f208d06c7e69ea8f8477d935.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\752142f0f208d06c7e69ea8f8477d935.exe
"C:\Users\Admin\AppData\Local\Temp\752142f0f208d06c7e69ea8f8477d935.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CDBB.tmp.bat
2⤵
- Deletes itself
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CDBB.tmp.bat

Filesize
179B

MD5
74571ded4f3d3243fddc14e570b670ef

SHA1
23e85f4f0aa7a8020a95eaa2f157742db1d7ea51

SHA256
225d5bc73c5b3c8539ce0950299278f57177dfd98e9292b025b5b69a2287ca31

SHA512
d18eb7b9d0a778272dbcfe159093362a397bfcb046ca3571cd8e66d9a3fa422a4e282d70cd83c51997fab7f6dc45bbcf9b7f3f12013ebc474d208fb36042b574

Download Submit
C:\Windows\SysWOW64\fsusdtd.tmp

Filesize
977KB

MD5
4d54eee034c9ed85d6badc3de6a68a15

SHA1
5714a08a92998a687df4b584b03740c8559a0d09

SHA256
d107419123daeccf1f66d5e58e7335d561c36c8b2f771265254184653c759a4e

SHA512
79d4031c46673975d5c392b4f2c22836b1e1fcab7f7a480559cc3ff2d6988e21662797bbff1efd11fdf5a859deeab855cc3cb4ca6a0056cbe5237717830b3fee

Download Submit
memory/2232-12-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2232-21-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download