abe4902b2130041a548ba1c3c76232dba67452cc8451a1d33c7947fcc405dd8c

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

774c10b6cd1c3bea63e7523008404cab.exe
Size

11KB
MD5

774c10b6cd1c3bea63e7523008404cab
SHA1

93edd712e041cae8122f70651d5a06cfe4dcec6b
SHA256

abe4902b2130041a548ba1c3c76232dba67452cc8451a1d33c7947fcc405dd8c
SHA512

6819332009569585d448984d6425a6624ad7a296083a726d2861d4fb8d7d64fc6b4a69860b371b0ce677b6baf9c0466cf013978aaf043efcf8a47e4b5c39825a
SSDEEP

192:IksyBcw4O2iEkJGZOp3ygMrlZhJhyFNRYRmMm0GUysycM87Xdac+C1Zi7Y:qyBOLizJwC3nMrnho7XMm0GxsylWXdMe

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tscfgwmijxsj.dll = "{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}"	774c10b6cd1c3bea63e7523008404cab.exe

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
776	774c10b6cd1c3bea63e7523008404cab.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	774c10b6cd1c3bea63e7523008404cab.exe
File opened for modification	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	774c10b6cd1c3bea63e7523008404cab.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32\ThreadingModel = "Apartment"	774c10b6cd1c3bea63e7523008404cab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}	774c10b6cd1c3bea63e7523008404cab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32	774c10b6cd1c3bea63e7523008404cab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32\ = "C:\\Windows\\SysWow64\\tscfgwmijxsj.dll"	774c10b6cd1c3bea63e7523008404cab.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
776	774c10b6cd1c3bea63e7523008404cab.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
776	774c10b6cd1c3bea63e7523008404cab.exe
776	774c10b6cd1c3bea63e7523008404cab.exe
776	774c10b6cd1c3bea63e7523008404cab.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2660	776	774c10b6cd1c3bea63e7523008404cab.exe	28
PID 776 wrote to memory of 2660	776	774c10b6cd1c3bea63e7523008404cab.exe	28
PID 776 wrote to memory of 2660	776	774c10b6cd1c3bea63e7523008404cab.exe	28
PID 776 wrote to memory of 2660	776	774c10b6cd1c3bea63e7523008404cab.exe	28

C:\Users\Admin\AppData\Local\Temp\774c10b6cd1c3bea63e7523008404cab.exe
"C:\Users\Admin\AppData\Local\Temp\774c10b6cd1c3bea63e7523008404cab.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\865F.tmp.bat
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\865F.tmp.bat

Filesize
179B

MD5
4d299aa0c0e0cfded6878844de79e6da

SHA1
3bb9778683d74ad5ef71ddca94709d50da6f0ecd

SHA256
bd784e7a0e7c283607e318100c8ae697a4532410d676d23201df0e992879130f

SHA512
6ea74855d9cddfa612278de86a80cb87eeb32c4e3111c21c4bcaf9f60f0cc86c713965936132bdf94e5fb0438e9d1193e8a86e50d307bc6b1a5fcf4f3e167101

Download Submit
\Windows\SysWOW64\tscfgwmijxsj.dll

Filesize
2.2MB

MD5
410a7cfde074cf28d2649ef8a5c3a064

SHA1
a003ffe9e34f52ede1c2ae6bc3a5c684acc731aa

SHA256
f138866fad0448ff1b1ee3204b0c62bd9de2371e89a98a1120797cf6c8b32533

SHA512
5171fc86f0bc0325ae570307b5945c9cf35e46f8164950955dd0049d1187a61dfe7e7ee46a6bdd314a72ac9077785f06a897770e4f55eec732733a090c4f00c0

Download Submit
memory/776-5-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/776-14-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download