9c61edd438ab73bff90522dc1a535f0bb43bf1f9e91594688a679b0983b74201

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96c370b328850504bf8da07037dcefb2.exe
Size

14KB
MD5

96c370b328850504bf8da07037dcefb2
SHA1

805bf24eabdb37a17a4730c0a38c8ef67aa17b81
SHA256

9c61edd438ab73bff90522dc1a535f0bb43bf1f9e91594688a679b0983b74201
SHA512

07624accb03ab360b98425e756ef2c540e2016ef7c7cf69e4637e0a45eece89662794425f525d33b3217911c492f07596b40edac747d00c82ae0fdb34bdb4e59
SSDEEP

384:NGNUNL6YjpQ/Et74EmYjfwDRYQ3g+Ovb10lDbeAvdOEVItnj8Q:8UNu/k4VYjfW70GlDbe49atnIQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\inetresdxc.dll = "{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}"	96c370b328850504bf8da07037dcefb2.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	96c370b328850504bf8da07037dcefb2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inetresdxc.tmp	96c370b328850504bf8da07037dcefb2.exe
File opened for modification	C:\Windows\SysWOW64\inetresdxc.nls	96c370b328850504bf8da07037dcefb2.exe
File created	C:\Windows\SysWOW64\inetresdxc.tmp	96c370b328850504bf8da07037dcefb2.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}	96c370b328850504bf8da07037dcefb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}\InProcServer32	96c370b328850504bf8da07037dcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}\InProcServer32\ = "C:\\Windows\\SysWow64\\inetresdxc.dll"	96c370b328850504bf8da07037dcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}\InProcServer32\ThreadingModel = "Apartment"	96c370b328850504bf8da07037dcefb2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2248	96c370b328850504bf8da07037dcefb2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2248	96c370b328850504bf8da07037dcefb2.exe
2248	96c370b328850504bf8da07037dcefb2.exe
2248	96c370b328850504bf8da07037dcefb2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2968	2248	96c370b328850504bf8da07037dcefb2.exe	28
PID 2248 wrote to memory of 2968	2248	96c370b328850504bf8da07037dcefb2.exe	28
PID 2248 wrote to memory of 2968	2248	96c370b328850504bf8da07037dcefb2.exe	28
PID 2248 wrote to memory of 2968	2248	96c370b328850504bf8da07037dcefb2.exe	28

C:\Users\Admin\AppData\Local\Temp\96c370b328850504bf8da07037dcefb2.exe
"C:\Users\Admin\AppData\Local\Temp\96c370b328850504bf8da07037dcefb2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\BD37.tmp.bat
  2⤵
  - Deletes itself
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD37.tmp.bat

Filesize
179B

MD5
50cef47ad247bfbaefc0f892d053dfd0

SHA1
356b99922c4f73a5b46a8d1521da094d7b4b76e1

SHA256
cc9faedfc535a3371d035f18a05814dc5eaa503311b39b4d445ab4a824312664

SHA512
2b9185632ba1e4f997f0cf198c80bb940a15899c43421b8e18fe2f9e169de366b732a4ecc922280d4e53476017536e5cfb019eabe3c6b6867b86484ecfaa8f13

Download Submit
C:\Windows\SysWOW64\inetresdxc.tmp

Filesize
939KB

MD5
cb1eeb3e71cdf9019c898ab192278cf7

SHA1
4ba07896e186c38d2a0922c07781acdc7186ef36

SHA256
7bef6934d1e21b1ddaa4b5e634a96a3b39b8d0ef4863403a25538f8f99c2ca07

SHA512
d96bbf2bdf40ab859cac6824c6082da6c6ebbff5b9a0f92e6cf1bdd2abf283e8c40d4aa698aa037c89762ce6c233a51fcd1639c23103a2845afd684dcfea4f0e

Download Submit
memory/2248-12-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2248-21-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download