8e61cb0bba0bd8ae420b2f6c30d8a65caa862ca2476f1f7107125793f2d3b41d

Analysis

max time kernel
88s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aa7fc632ccfac14698818beed61e0b2.exe
Size

14KB
MD5

7aa7fc632ccfac14698818beed61e0b2
SHA1

edc300d5f80467cd868f4cb4a91e5ddfc3a5c69b
SHA256

8e61cb0bba0bd8ae420b2f6c30d8a65caa862ca2476f1f7107125793f2d3b41d
SHA512

0cb0d6e9dd30274270055a77c72bf985ed151e4f8a6a8798a4cd8fffee37586328330617cbe7b8257d75c314a264a50b57937eba2f2157c6f32bec4bfa509e81
SSDEEP

384:qyBOLizJwC3nMrnho7XMm0GxsylWXdRlHpp3T9XUM+B:sIwunanh20GxfgdDpp3TGR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tscfgwmijxsj.dll = "{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}"	7aa7fc632ccfac14698818beed61e0b2.exe

Loads dropped DLL 1 IoCs

pid	Process
1364	7aa7fc632ccfac14698818beed61e0b2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	7aa7fc632ccfac14698818beed61e0b2.exe
File opened for modification	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	7aa7fc632ccfac14698818beed61e0b2.exe
File opened for modification	C:\Windows\SysWOW64\tscfgwmijxsj.nls	7aa7fc632ccfac14698818beed61e0b2.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}	7aa7fc632ccfac14698818beed61e0b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32	7aa7fc632ccfac14698818beed61e0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32\ = "C:\\Windows\\SysWow64\\tscfgwmijxsj.dll"	7aa7fc632ccfac14698818beed61e0b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32\ThreadingModel = "Apartment"	7aa7fc632ccfac14698818beed61e0b2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1364	7aa7fc632ccfac14698818beed61e0b2.exe
1364	7aa7fc632ccfac14698818beed61e0b2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1364	7aa7fc632ccfac14698818beed61e0b2.exe
1364	7aa7fc632ccfac14698818beed61e0b2.exe
1364	7aa7fc632ccfac14698818beed61e0b2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4820	1364	7aa7fc632ccfac14698818beed61e0b2.exe	97
PID 1364 wrote to memory of 4820	1364	7aa7fc632ccfac14698818beed61e0b2.exe	97
PID 1364 wrote to memory of 4820	1364	7aa7fc632ccfac14698818beed61e0b2.exe	97

C:\Users\Admin\AppData\Local\Temp\7aa7fc632ccfac14698818beed61e0b2.exe
"C:\Users\Admin\AppData\Local\Temp\7aa7fc632ccfac14698818beed61e0b2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\B4F8.tmp.bat
  2⤵
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B4F8.tmp.bat

Filesize
179B

MD5
9ee0621d578c6a21e06d5fdd32e88962

SHA1
67d025ca516041e1274d7280e438478869cfdd4b

SHA256
3e595feb193f53b4582f619796a0c39175b7e90dd03a66ae2f9007322843fb72

SHA512
df1bb95a3450951ed6544465a6cf81a7a67afbf2a2a7b58b2d63fbddf63146c1c13065dd5fb8df3c43cba0c914a9b5ec45488c697d53ce400b82e209fced6226

Download Submit
C:\Windows\SysWOW64\tscfgwmijxsj.nls

Filesize
428B

MD5
fe5c2f283dbe60e4d4a9984fc096382f

SHA1
fe928759fdc257642a31f138f7a00455312ad9c1

SHA256
05aa99136ef8d1a41ef1f1cf9753ee34d3722ba1330d8049c968048ae2c58c5a

SHA512
6b85465d57c461e9fc3eef0119456511718d75ac93b7f5bd5013c61430801cf83a1186d3b7e58508231480ec1de30c79cfabe17d6b3fc26f159ee078c7923eba

Download Submit
C:\Windows\SysWOW64\tscfgwmijxsj.tmp

Filesize
2.2MB

MD5
a3ae141621028a7132eb68b690324af3

SHA1
2400cfe95f36020ff9abb58668ebf0c97ba43bc2

SHA256
2cb5ab87ae9073c245821f9cef2c3ca2ec16765be74ae2e9a4b9222b7e97f409

SHA512
9274b0c4d6835fc202478d133208fed702cad4ca0259b9ff3d5f136235cf8b896d4fb39e028c7b3e7a12ea6eed414b0e2ea4d7cd8eb2e8adebd7200d7fd98f09

Download Submit
memory/1364-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1364-21-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download