70c6e805880c290aec8fc81e515f35b2f60a48477448c799038b379c5099d97f

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

875d4a82dba03dcb88074d4eaf305359.exe
Size

18KB
MD5

875d4a82dba03dcb88074d4eaf305359
SHA1

44f9e7bf71cb81a6ef582cb0ebe20e6d64d34d89
SHA256

70c6e805880c290aec8fc81e515f35b2f60a48477448c799038b379c5099d97f
SHA512

7230a59f75880c95af4940462c8a68561066d1bd511424e1a863dbbcb620da262d6e9d7f5d74dafc21fa46fe527c571626944a933e5584ec011fca0a7f4a6a85
SSDEEP

384:SJ8hSrMNjOe7QzX1b/YWi+eSQtcPcEln4sjNXoIMzKcIpL2P:0gSgN0PGE1FwKvpL2P

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1204	875d4a82dba03dcb88074d4eaf305359.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tdggrz.dll	875d4a82dba03dcb88074d4eaf305359.exe
File created	C:\Windows\SysWOW64\tf0	875d4a82dba03dcb88074d4eaf305359.exe
File opened for modification	C:\Windows\SysWOW64\tdggrz.dll.LoG	875d4a82dba03dcb88074d4eaf305359.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}	875d4a82dba03dcb88074d4eaf305359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}\ = "MICROSOFT"	875d4a82dba03dcb88074d4eaf305359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}\InProcServer32\ = "C:\\Windows\\SysWow64\\tdggrz.dll"	875d4a82dba03dcb88074d4eaf305359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION	875d4a82dba03dcb88074d4eaf305359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER	875d4a82dba03dcb88074d4eaf305359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	875d4a82dba03dcb88074d4eaf305359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}\InProcServer32	875d4a82dba03dcb88074d4eaf305359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}\InProcServer32\ThreadingModel = "Apartment"	875d4a82dba03dcb88074d4eaf305359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	875d4a82dba03dcb88074d4eaf305359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	875d4a82dba03dcb88074d4eaf305359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	875d4a82dba03dcb88074d4eaf305359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS	875d4a82dba03dcb88074d4eaf305359.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1204	875d4a82dba03dcb88074d4eaf305359.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1204	875d4a82dba03dcb88074d4eaf305359.exe
Token: SeRestorePrivilege	1204	875d4a82dba03dcb88074d4eaf305359.exe
Token: SeBackupPrivilege	1204	875d4a82dba03dcb88074d4eaf305359.exe
Token: SeRestorePrivilege	1204	875d4a82dba03dcb88074d4eaf305359.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1204	875d4a82dba03dcb88074d4eaf305359.exe
1204	875d4a82dba03dcb88074d4eaf305359.exe
1204	875d4a82dba03dcb88074d4eaf305359.exe

C:\Users\Admin\AppData\Local\Temp\875d4a82dba03dcb88074d4eaf305359.exe
"C:\Users\Admin\AppData\Local\Temp\875d4a82dba03dcb88074d4eaf305359.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\tdggrz.dll

Filesize
213KB

MD5
5cce5d45097fb3aa743825b39c9dbc4c

SHA1
b21ef68c4162edf9981b43df46de4ad781e51e84

SHA256
4bd48e38163de90b02c1b677939f869a1563ae8e07a5ee266c34349bfacc3422

SHA512
4cb81f27342ef2a5c1240e71b571c499401f38461d20d50ca9f3e1c6c8ec0fe73c12bee9fe9387a136cef51a3e5e4cc35de8c5a169bc19ba377f4313b76915bd

Download Submit
memory/1204-2-0x0000000000280000-0x000000000028D000-memory.dmp

Filesize
52KB

Download
memory/1204-5-0x0000000000280000-0x000000000028D000-memory.dmp

Filesize
52KB

Download