30aecb1d0bb7c6f8de3f21937ff121ccfee96e0454a1e9a156fefbf8accc8770

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

3.3MB
MD5

e9511c52af792b25be4cc022154a8753
SHA1

9fb6b7306286ba00d05b045c37035da39026e5ed
SHA256

30aecb1d0bb7c6f8de3f21937ff121ccfee96e0454a1e9a156fefbf8accc8770
SHA512

8ff065e15a2e3ca5ab61b60d32cb1ecbbd34d9b45ff3947e2214d437f3f8d572b6b1c18abfe7a649f50892f17bfbbf4238a67562fdcf03ba72baac1cdd758d2a
SSDEEP

98304:8i++qX8iuivYw7Kx0tJI7dKeZIC5JkvEC:/cNuyYw7RtJI7ZZh5Jkl

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1352	file.exe
1352	file.exe
1352	file.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\Storage.dll"	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ThreadingModel = "Apartment"	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\Storage.dll"	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\Storage.dll"	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ThreadingModel = "Apartment"	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ThreadingModel = "Apartment"	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ClocX\SumatraPDF.exe	file.exe
File created	C:\Program Files (x86)\ClocX\uninst.exe	file.exe
File created	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	file.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\Storage.dll	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ThreadingModel = "Apartment"	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\Storage.dll"	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ThreadingModel = "Apartment"	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ThreadingModel = "Apartment"	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\Storage.dll"	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2E9913F2-A81D-B117-47A9-288972925F22}"	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{1F9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}\InProcServer32	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\Storage.dll"	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{2E9913F2-A81D-B117-47A9-288972925F22}	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A9913F2-A81D-B117-47A9-288972925F22}	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1A9913F2-A81D-B117-47A9-288972925F22}"	file.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1352	file.exe
1352	file.exe
1352	file.exe
1352	file.exe
1352	file.exe
1352	file.exe
1352	file.exe
1352	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\ClocX\SumatraPDF.exe

Filesize
6.2MB

MD5
a66c9054c372978b5752566361c27535

SHA1
527b8a0f9bffc41df878fb45e73f58e01e827e25

SHA256
54e19ff0a436f9806ff4dec14882a3391026751242b0e53330325e7c256d5155

SHA512
3114d24ccc0705cb722fd0a6ef135215e6475702d12073ab0567039a34d2cb279f7a6f6ffb58cc2a38dc87b3f97c71c245709ba6242813a0abd5ca0d0bb7e17e

Download Submit
\Users\Admin\AppData\Local\Temp\nso37F3.tmp\Checker.dll

Filesize
41KB

MD5
1ebcb7fe4d8f8f975dd404d1688d1e1a

SHA1
cff12da173ae6e6660870e6343aac823e013ebc3

SHA256
c78112c3da52d30b98c4cb34d3b9baf406f85a4dc975c40a6949672122c8ed37

SHA512
7ec29be35c39b8fb623eb1f624df984031bc26fb7c99d7375b754ac1bda383e318d01eeae2672a79db6e5b177e29d97a2eb0d60385a80f4a26a5006c7e0173fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso37F3.tmp\Zip.dll

Filesize
76KB

MD5
bd448b748b6fb2fc268f297363ef69e5

SHA1
0c33557703b39928d19520651001607724f5cf8d

SHA256
b3a67c05d7788b1310b342bea37d69a84d9c7997c729f489f9602148f9a6d708

SHA512
555f049387a924c1a3feb38582abb3c5b238df5975c4f739690e2bad06ce5bfce02c2deb46816aacbf73e76292382e8974484e9886f079de69ddad1268a0ea0d

Download Submit
memory/1352-13-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1352-17-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1352-18-0x0000000003DE0000-0x0000000004A08000-memory.dmp

Filesize
12.2MB

Download
memory/1352-22-0x0000000001FA0000-0x0000000001FDA000-memory.dmp

Filesize
232KB

Download