1f3a0db5b1ffda50f12154c1d2fef4c8758d58ed6b36a3b2d16c6a211dc7a0c7

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 11:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7d088018678fe2fb4dd30b644dd6bdb6.exe
Size

12KB
MD5

7d088018678fe2fb4dd30b644dd6bdb6
SHA1

bb6af4bfe8371b305a8db4cdf0d16099be1a342d
SHA256

1f3a0db5b1ffda50f12154c1d2fef4c8758d58ed6b36a3b2d16c6a211dc7a0c7
SHA512

fcbf83e2c2020681081cce216ee56fab50a65621505ee579c4b198c5e13891fbaee091711269cf64525ca99f47e73d68b9a53071e069e6c9f608c362aebea3f8
SSDEEP

384:0mpRz+iAwYw3bKI+mPxeZYoYZPg7RjlnZ7DC3:0mpV+HwtlvpAYFg7RjlZQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\imgutilhx2.dll = "{DA56B183-A731-402b-9235-2CB8803E212D}"	7d088018678fe2fb4dd30b644dd6bdb6.exe

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	7d088018678fe2fb4dd30b644dd6bdb6.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\imgutilhx2.tmp	7d088018678fe2fb4dd30b644dd6bdb6.exe
File opened for modification	C:\Windows\SysWOW64\imgutilhx2.tmp	7d088018678fe2fb4dd30b644dd6bdb6.exe
File opened for modification	C:\Windows\SysWOW64\imgutilhx2.nls	7d088018678fe2fb4dd30b644dd6bdb6.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}	7d088018678fe2fb4dd30b644dd6bdb6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32	7d088018678fe2fb4dd30b644dd6bdb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32\ = "C:\\Windows\\SysWow64\\imgutilhx2.dll"	7d088018678fe2fb4dd30b644dd6bdb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32\ThreadingModel = "Apartment"	7d088018678fe2fb4dd30b644dd6bdb6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2644	7d088018678fe2fb4dd30b644dd6bdb6.exe
2644	7d088018678fe2fb4dd30b644dd6bdb6.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2644	7d088018678fe2fb4dd30b644dd6bdb6.exe
2644	7d088018678fe2fb4dd30b644dd6bdb6.exe
2644	7d088018678fe2fb4dd30b644dd6bdb6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2732	2644	7d088018678fe2fb4dd30b644dd6bdb6.exe	30
PID 2644 wrote to memory of 2732	2644	7d088018678fe2fb4dd30b644dd6bdb6.exe	30
PID 2644 wrote to memory of 2732	2644	7d088018678fe2fb4dd30b644dd6bdb6.exe	30
PID 2644 wrote to memory of 2732	2644	7d088018678fe2fb4dd30b644dd6bdb6.exe	30

C:\Users\Admin\AppData\Local\Temp\7d088018678fe2fb4dd30b644dd6bdb6.exe
"C:\Users\Admin\AppData\Local\Temp\7d088018678fe2fb4dd30b644dd6bdb6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FCC6.tmp.bat
  2⤵
  - Deletes itself
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FCC6.tmp.bat

Filesize
179B

MD5
38450ec85b1591c52713d3d33cc6a583

SHA1
2475ec97fa27b593f804dc7958d1b6c2c33c7674

SHA256
5188de33f4bf5e8e2c40de3b9ab7c8e70f47d8e46fbaffa29504854844300fc2

SHA512
ca9a2b8eb41e09cd838cf9627c57906e492ff2c8587883f49806f6cf3719cb02d376319a9b6b3d2bd73e023ca6dedcfa130d6a216e5ad98339d5e12a34be21a6

Download Submit
C:\Windows\SysWOW64\imgutilhx2.tmp

Filesize
795KB

MD5
0e1ee6202eb828d8bd54c615360c78e8

SHA1
afedf410361c21f52d9164c5f023764d4c00e3a9

SHA256
4b3ae893aa7a265bfcad4d6c081e26eeeb0010cb7d91086a327e4d2f33be021a

SHA512
bc4795278d29e511dbf2a0430e0edf25609ad55133c5b313d03e2767758cc9f722a972130ebdf2b0dd72808a850c5bde22a0885dfaf2402a14ef88a29417b4ff

Download Submit
memory/2644-8-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2644-17-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download