Analysis

  • max time kernel: 152s
  • max time network: 162s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/02/2024, 21:53

General

  • Target: 8aa0c81d85cd15b6295dc749662c47b1.exe
  • Size: 351KB
  • MD5: 8aa0c81d85cd15b6295dc749662c47b1
  • SHA1: 76280cd27184645b1f6cc4b91e0382e1af642b87
  • SHA256: 8bea8d31f0bcf44ca920cfc577355bc889d79187e41593a3420c9d2aa27464f7
  • SHA512: 2dc24809a521a5a472b0a9bce79d2e48eb02ac19b68f6827c984e40d03424e6c02d5249624ff1f944af2905547a51d0a1a33800d4fcea344b27364c675d8d45c
  • SSDEEP: 6144:wbwOQj1Culcg/vOyOY1Sa7MUfA5aaRIxL09cpUTqs/J94JET3O+jNTOMy9Mg:wbwOQBx/TOrqMVKL09cqJzECe+hOMy9p

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 16 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe (PID 392, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Child: C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe (PID 3672, depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\8aa0c81d85cd15b6295dc749662c47b1.exe
      • Loads dropped DLL
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Windows\SysWOW64\log.txt (2KB)
    MD5: 9a10ec1af465c9edda9a803825260cf9
    SHA1: 112717da5f03fc6d482ee006d6930c36271b3f52
    SHA256: 116b9949ece1091a1e300f0d3a6bd9533cfd2d3942a526dc6d02b583b6d10c2e
    SHA512: c53648bae85fed65145cd08a1c5a649a01caa790303920c5391ed7fd1b7a9106c65dba62c133f432b7a0b494e56f4685f53533c71e6cb548066f40eb54b1fb04

  • C:\Windows\SysWOW64\log.txt (3KB)
    MD5: 7bc374f4cd77ab09ad587290011456b1
    SHA1: 80120a7094c94a0744ef7d1429465dcc3ea816bb
    SHA256: d29c5dd3c2e6c70a4989eb065357e6676cf65ad6fab64426ea0466ec83dddbc6
    SHA512: 8381180074baec9eebd26e30252e3faaf43c5abb430388687864a9dbd0ae947f89946fb8a102c8425f29b26d0c4b4fed9d8f4ee2b226f082533400709ba21abf

  • C:\Windows\SysWOW64\ver19144-890258183.txt (6KB)
    MD5: b57ea27c4cda34f095b1d6c7cdf6b4fd
    SHA1: b9e533efebe39cbf7f5486c76d14cbf9031cfb72
    SHA256: e3374cf3c674c183d74b213bfa31cc7ec194101b3c8b2bf95000d19fd32888ab
    SHA512: b3ff4dcfbe262ec94752ea8c8581ca841fe90f154285c1b25ffdb3b854bca61bd9a2755da83094a7b1cc0deb80a78f5787df5c1619af9c943a380cbd94b2846b

  • C:\Windows\SysWOW64\ver19144-890258183.txt (201B)
    MD5: e890e3f14947969c7881b3b85a087335
    SHA1: 79e4fb1aed296fd6e99998ed5fe035b5f697a16f
    SHA256: ea7f4499ab15cb7e1b19712bce38b23a1bc5a1ff345f651e5d2675b6f9565456
    SHA512: d1b0afb6389e8e5eacbc305d8fab87890de58a44198d6ff4180bc1b13f04f9093c5d050ca0f924a3f736e329a45e101075ed7f82fdafe00e1bb51e2bfff82d7d

  • C:\Windows\SysWOW64\ver19144-890258183.txt (1014B)
    MD5: 31c2432b92db95b25fdfa5d509e397f2
    SHA1: 8684a477112669789f9490383f2c9a4a3963adff
    SHA256: d2788dc590dbbc71f069fb484b129bda9c7aebab56d5247675ce29d4b86be78b
    SHA512: 850426e1d7c87022cf01c351c6787b7edb5029005c406c0c2db6ab9907fc4040087e4c944599bf0a1f810cc6b91e474a650bd3a137c241e93424975a58b9733e

  • C:\Windows\SysWOW64\ver19144-890258183.txt (2KB)
    MD5: 68ed34f4855c533598db9dd5bd9ff790
    SHA1: 944338f3bee1dc28abe3a646a9d2d3cacb68e8ce
    SHA256: 810c4325aff30ff41d3fb19cade3073c60252c814ea6f15b78676e1e3d5d3e39
    SHA512: cf5d2fdfe24f6e7831acbf60cc2e91b390a7b476d4ab5457561ef52d5763de1bd96cd44f5ec04e301d6dde71fda304e4104a95d25b85e7966519e0f824466a16

  • C:\Windows\SysWOW64\vmmreg32.dll (214KB)
    MD5: 6b03feb120f2b1ee8c813dd040e9d4ab
    SHA1: e0dc0c7ad7c47787aa4771b3ee0a6d848c8666a2
    SHA256: 2f63c5f575bb8ac5a5346efd2dc2bfa232f36aedef5210dda334a066ffd3efe3
    SHA512: 7cfe70ff445190e1b64284718e0cb0dc5bcfaa20afe893647ece093993223d49a24139356434ac8a680dde63a9d93a0e115e298d0e3525f31a1b3850cc0158fe

  • C:\Windows\kwv.cfg (8B)
    MD5: fd03887411dfd900c39337951e679b04
    SHA1: 42152a98048ce7705b7d41468fea303c30b7c28a
    SHA256: 526c508ecdc95803a98d14016d7299a88daa8b026096dc09e4f5692f5a794fd0
    SHA512: 69ed482297e2c3c0866e1292c2615de587b449559eb1fc3c2f0f30c65ed9a19c34018450d345ce0cd28feec6a5b26d1d4d4d1069f0f93fdedb396c7e5d62d3c7

  Memory dumps:

  • memory/392-2-0x0000000000400000-0x000000000046E000-memory.dmp (440KB)
  • memory/392-0-0x0000000000400000-0x000000000046E000-memory.dmp (440KB)
  • memory/392-1-0x00000000001D0000-0x00000000001D2000-memory.dmp (8KB)
  • memory/3672-3-0x0000000000400000-0x000000000046A000-memory.dmp (424KB)
  • memory/3672-11-0x0000000000650000-0x0000000000695000-memory.dmp (276KB)
  • memory/3672-9-0x0000000010000000-0x0000000010054000-memory.dmp (336KB)
  • memory/3672-10-0x0000000000630000-0x0000000000632000-memory.dmp (8KB)
  • memory/3672-96-0x0000000000400000-0x000000000046A000-memory.dmp (424KB)
  • memory/3672-97-0x0000000010000000-0x0000000010054000-memory.dmp (336KB)
  • memory/3672-261-0x0000000010000000-0x0000000010054000-memory.dmp (336KB)