8e61cb0bba0bd8ae420b2f6c30d8a65caa862ca2476f1f7107125793f2d3b41d

General

Target

7aa7fc632ccfac14698818beed61e0b2.exe
Size

14KB
MD5

7aa7fc632ccfac14698818beed61e0b2
SHA1

edc300d5f80467cd868f4cb4a91e5ddfc3a5c69b
SHA256

8e61cb0bba0bd8ae420b2f6c30d8a65caa862ca2476f1f7107125793f2d3b41d
SHA512

0cb0d6e9dd30274270055a77c72bf985ed151e4f8a6a8798a4cd8fffee37586328330617cbe7b8257d75c314a264a50b57937eba2f2157c6f32bec4bfa509e81
SSDEEP

384:qyBOLizJwC3nMrnho7XMm0GxsylWXdRlHpp3T9XUM+B:sIwunanh20GxfgdDpp3TGR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tscfgwmijxsj.dll = "{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}"	7aa7fc632ccfac14698818beed61e0b2.exe

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	7aa7fc632ccfac14698818beed61e0b2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tscfgwmijxsj.nls	7aa7fc632ccfac14698818beed61e0b2.exe
File created	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	7aa7fc632ccfac14698818beed61e0b2.exe
File opened for modification	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	7aa7fc632ccfac14698818beed61e0b2.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}	7aa7fc632ccfac14698818beed61e0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32	7aa7fc632ccfac14698818beed61e0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32\ = "C:\\Windows\\SysWow64\\tscfgwmijxsj.dll"	7aa7fc632ccfac14698818beed61e0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32\ThreadingModel = "Apartment"	7aa7fc632ccfac14698818beed61e0b2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2932	7aa7fc632ccfac14698818beed61e0b2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2932	7aa7fc632ccfac14698818beed61e0b2.exe
2932	7aa7fc632ccfac14698818beed61e0b2.exe
2932	7aa7fc632ccfac14698818beed61e0b2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2484	2932	7aa7fc632ccfac14698818beed61e0b2.exe	28
PID 2932 wrote to memory of 2484	2932	7aa7fc632ccfac14698818beed61e0b2.exe	28
PID 2932 wrote to memory of 2484	2932	7aa7fc632ccfac14698818beed61e0b2.exe	28
PID 2932 wrote to memory of 2484	2932	7aa7fc632ccfac14698818beed61e0b2.exe	28

C:\Users\Admin\AppData\Local\Temp\7aa7fc632ccfac14698818beed61e0b2.exe
"C:\Users\Admin\AppData\Local\Temp\7aa7fc632ccfac14698818beed61e0b2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\87F5.tmp.bat
  2⤵
  - Deletes itself
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\87F5.tmp.bat

Filesize
179B

MD5
9ee0621d578c6a21e06d5fdd32e88962

SHA1
67d025ca516041e1274d7280e438478869cfdd4b

SHA256
3e595feb193f53b4582f619796a0c39175b7e90dd03a66ae2f9007322843fb72

SHA512
df1bb95a3450951ed6544465a6cf81a7a67afbf2a2a7b58b2d63fbddf63146c1c13065dd5fb8df3c43cba0c914a9b5ec45488c697d53ce400b82e209fced6226

Download Submit
C:\Windows\SysWOW64\tscfgwmijxsj.nls

Filesize
428B

MD5
fe5c2f283dbe60e4d4a9984fc096382f

SHA1
fe928759fdc257642a31f138f7a00455312ad9c1

SHA256
05aa99136ef8d1a41ef1f1cf9753ee34d3722ba1330d8049c968048ae2c58c5a

SHA512
6b85465d57c461e9fc3eef0119456511718d75ac93b7f5bd5013c61430801cf83a1186d3b7e58508231480ec1de30c79cfabe17d6b3fc26f159ee078c7923eba

Download Submit
C:\Windows\SysWOW64\tscfgwmijxsj.tmp

Filesize
965KB

MD5
ffcc599191c402adb8acdd1778cb67dd

SHA1
7a02262e5a042d462cfb7c2fe080d0e0839f07ae

SHA256
3d25a3f24455be705df0d5e2def5039932ce85e4fb60d2d05f8238f9dec20720

SHA512
8befa3a2b9fcec0ebff68fdcf454a8277f0d5363c5f61a5bd85a4585a398c4a8c0b11f659caf57537a8286cd08824d6169c270450a71885475a2cd8391d6c330

Download Submit
\Windows\SysWOW64\tscfgwmijxsj.dll

Filesize
453KB

MD5
6ee6fb2c14a94bcfdcac30be3f55d017

SHA1
7ddcc7b79cfbb688b2e0941ba0294545c8888260

SHA256
6b831ca3e99286b6b36031ded8df9d5822ec54478d16f89fd13717df5f9bb614

SHA512
345a1131e0cbbb39ce18ea2fcf910f4d86b98f3afbfd39a6918d3e8d79411c77ab48902c6361899be57bd2b01b56e94777bbed647b1e58f227ab6bd253a84e95

Download Submit
memory/2932-16-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2932-25-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads