cde444333157f30cfaa31fcdad039531e8e8d946c5d8a9caddd62c4bc803ce7b

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752302309497646363f619488093f832.exe
Size

14KB
MD5

752302309497646363f619488093f832
SHA1

fc805f7582296a14ce8d40783822d3c19576484b
SHA256

cde444333157f30cfaa31fcdad039531e8e8d946c5d8a9caddd62c4bc803ce7b
SHA512

9dcd5f33cfbe39d5fcf9b217f444e751d28739fb5ccfbf05e82c544d3097f9f8fceb2099e9e4e3700935a8ec5a6683c950d374baaa32fed7c40c126727051858
SSDEEP

192:gtlcxmimwFXVW7Gc99Int6fN9NjU5cn6ck3BZvFE5nlf1Uriwzk7gvgjy9kG2:gjcWQlW7GcDmEfNcK2LvF0d6k0vAy93

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmx32.exe

pid process

2036 cmx32.exe
Executes dropped EXE 1 IoCs

Processes:

cmx32.exe

pid process

2036 cmx32.exe
Loads dropped DLL 2 IoCs

Processes:

752302309497646363f619488093f832.exe

pid process

1652 752302309497646363f619488093f832.exe
1652 752302309497646363f619488093f832.exe

pid	process
2036	cmx32.exe

pid	process
2036	cmx32.exe

pid	process
1652	752302309497646363f619488093f832.exe
1652	752302309497646363f619488093f832.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cmx32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cmx32 = "c:\\windows\\syswow64\\cmx32.exe"	cmx32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cmx32 = "c:\\windows\\syswow64\\cmx32.exe"	cmx32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

752302309497646363f619488093f832.exe

description	ioc	process
File created	C:\Windows\SysWOW64\cmx32.exe	752302309497646363f619488093f832.exe
File opened for modification	C:\Windows\SysWOW64\cmx32.exe	752302309497646363f619488093f832.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

752302309497646363f619488093f832.exe

description	pid	process	target process
PID 1652 wrote to memory of 2036	1652	752302309497646363f619488093f832.exe	cmx32.exe
PID 1652 wrote to memory of 2036	1652	752302309497646363f619488093f832.exe	cmx32.exe
PID 1652 wrote to memory of 2036	1652	752302309497646363f619488093f832.exe	cmx32.exe
PID 1652 wrote to memory of 2036	1652	752302309497646363f619488093f832.exe	cmx32.exe

C:\Users\Admin\AppData\Local\Temp\752302309497646363f619488093f832.exe
"C:\Users\Admin\AppData\Local\Temp\752302309497646363f619488093f832.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmx32.exe
C:\Windows\system32\cmx32.exe 5EA1355FD8066C91 c:\users\admin\appdata\local\temp\752302309497646363f619488093f832.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cmx32

Filesize
12B

MD5
ad1f2b7906dc3035da82c4674815ed38

SHA1
fa008f6e5a8d4cabfd9a4a46d370ced6ed929755

SHA256
84a83557137739b084602f39ac8cfea65c458df5e90604cb49541c6e7bf659d0

SHA512
e889f2723171d9e9b588d31cf4efd4be2365da6c91b460f664f56666df20d370ed8d73b48c016603e48d9b57f12ee3aae3a9acee7b75eca7672573e824e8e123

Download Submit
C:\Windows\SysWOW64\cmx32.exe

Filesize
14KB

MD5
752302309497646363f619488093f832

SHA1
fc805f7582296a14ce8d40783822d3c19576484b

SHA256
cde444333157f30cfaa31fcdad039531e8e8d946c5d8a9caddd62c4bc803ce7b

SHA512
9dcd5f33cfbe39d5fcf9b217f444e751d28739fb5ccfbf05e82c544d3097f9f8fceb2099e9e4e3700935a8ec5a6683c950d374baaa32fed7c40c126727051858

Download Submit
memory/1652-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1652-7-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/1652-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2036-16-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2036-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2036-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download