7361df98c7cd1e56e0345e61cf68c1d5818d4064269f9b234511c7060e97ad9f

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Size

3.3MB
MD5

a6fc2d8611cae0eda7fc1b53495a6b3b
SHA1

0a8a58bc8bfa8eeb98dca98af8b55aa780f52b10
SHA256

7361df98c7cd1e56e0345e61cf68c1d5818d4064269f9b234511c7060e97ad9f
SHA512

0d519183d97402f68f4db2df3955cf2aa7053fa1546392acc3e13532848bc6aab8a73d2e30165f2c88c6640ac815a285280cd2cff4bd48440bf2568e130468ce
SSDEEP

98304:qi++qX8iuivYw7Kx0tJI7dKeZICTTTr1jjxS:xcNuyYw7RtJI7ZZhTTtjQ

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\lua51.dll"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\lua51.dll"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ThreadingModel = "Apartment"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ThreadingModel = "Apartment"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\lua51.dll"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ThreadingModel = "Apartment"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lua51.dll	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
File created	C:\Program Files (x86)\ClocX\SumatraPDF.exe	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
File created	C:\Program Files (x86)\ClocX\uninst.exe	a6fc2d8611cae0eda7fc1b53495a6b3b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\lua51.dll"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ThreadingModel = "Apartment"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\lua51.dll"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ThreadingModel = "Apartment"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1AC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ThreadingModel = "Apartment"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{1FC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\lua51.dll"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx\ = "{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}"	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}\InProcServer32	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\CLSID\{2EC61FE7-FF3D-0836-77DC-F2BD6C6E35B0}	a6fc2d8611cae0eda7fc1b53495a6b3b.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe
2712	a6fc2d8611cae0eda7fc1b53495a6b3b.exe

C:\Users\Admin\AppData\Local\Temp\a6fc2d8611cae0eda7fc1b53495a6b3b.exe
"C:\Users\Admin\AppData\Local\Temp\a6fc2d8611cae0eda7fc1b53495a6b3b.exe"
1⤵
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi3479.tmp\Checker.dll

Filesize
41KB

MD5
15d08cdf9b65dd72719cba1465e43739

SHA1
49023d696e3fe9141f22a4b88e67f1e05deaacc1

SHA256
a34cdbe03e066f4ffb7431c806c0600e5e7d4dba239174c373b2445dba3f66ae

SHA512
34af6a638e538703af3ef9b52b2a68a48daec1be14f77b6e464882f8f6d2ad670903cfe8d310c750d39624facf14184d6222196aec92231253ba868585b9f885

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi3479.tmp\Zip.dll

Filesize
76KB

MD5
542567398f77e95808afac5f96083c11

SHA1
d85c2129928188bee8fd48c5549aa3db4aebc462

SHA256
e5234c4c4b82edcf6936eea28b0f9a447423c9358c4c5a4f230897296f3f2d42

SHA512
3ae6c87d543d8822bcc26e327365218b6cb16d711ba1def06f8b796760badcab248bccc74309d8eb27e363d65af92307f76f38f013966188f1f1463152ea8b19

Download Submit
\Program Files (x86)\ClocX\SumatraPDF.exe

Filesize
6.2MB

MD5
a66c9054c372978b5752566361c27535

SHA1
527b8a0f9bffc41df878fb45e73f58e01e827e25

SHA256
54e19ff0a436f9806ff4dec14882a3391026751242b0e53330325e7c256d5155

SHA512
3114d24ccc0705cb722fd0a6ef135215e6475702d12073ab0567039a34d2cb279f7a6f6ffb58cc2a38dc87b3f97c71c245709ba6242813a0abd5ca0d0bb7e17e

Download Submit
memory/2712-13-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2712-17-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2712-18-0x0000000003C40000-0x0000000004868000-memory.dmp

Filesize
12.2MB

Download
memory/2712-22-0x0000000002B80000-0x0000000002BBA000-memory.dmp

Filesize
232KB

Download