c5d766f02faa195aece14f4db20d7c1786b7d2567ab317a7a11847fd3f33601a

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c5468f843ee4e063fb651afad963d2b.exe
Size

14KB
MD5

9c5468f843ee4e063fb651afad963d2b
SHA1

2955f753e1b30e3bd7294f7f9401468762d21a55
SHA256

c5d766f02faa195aece14f4db20d7c1786b7d2567ab317a7a11847fd3f33601a
SHA512

e16f20bf1eb158f564c2d89cd072959d3c8b4d63a410379af7331abeedc5c7376382ce5e86b552b6f82b6607c94e665fcfb4b4ea8cb45bdc9a80397026e5994d
SSDEEP

384:nnv83ZFtdH165n2eshUweNGbbDiPKU9RMuWybS0r//PA6Xjp:gdr6gFhUQbb2D3M7ybS0r/V

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\avicapwm.dll = "{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}"	9c5468f843ee4e063fb651afad963d2b.exe

Deletes itself 1 IoCs

pid	Process
2776	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2928	9c5468f843ee4e063fb651afad963d2b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\avicapwm.tmp	9c5468f843ee4e063fb651afad963d2b.exe
File opened for modification	C:\Windows\SysWOW64\avicapwm.tmp	9c5468f843ee4e063fb651afad963d2b.exe
File opened for modification	C:\Windows\SysWOW64\avicapwm.nls	9c5468f843ee4e063fb651afad963d2b.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}\InProcServer32\ThreadingModel = "Apartment"	9c5468f843ee4e063fb651afad963d2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}	9c5468f843ee4e063fb651afad963d2b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}\InProcServer32	9c5468f843ee4e063fb651afad963d2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}\InProcServer32\ = "C:\\Windows\\SysWow64\\avicapwm.dll"	9c5468f843ee4e063fb651afad963d2b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2928	9c5468f843ee4e063fb651afad963d2b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2928	9c5468f843ee4e063fb651afad963d2b.exe
2928	9c5468f843ee4e063fb651afad963d2b.exe
2928	9c5468f843ee4e063fb651afad963d2b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2776	2928	9c5468f843ee4e063fb651afad963d2b.exe	28
PID 2928 wrote to memory of 2776	2928	9c5468f843ee4e063fb651afad963d2b.exe	28
PID 2928 wrote to memory of 2776	2928	9c5468f843ee4e063fb651afad963d2b.exe	28
PID 2928 wrote to memory of 2776	2928	9c5468f843ee4e063fb651afad963d2b.exe	28

C:\Users\Admin\AppData\Local\Temp\9c5468f843ee4e063fb651afad963d2b.exe
"C:\Users\Admin\AppData\Local\Temp\9c5468f843ee4e063fb651afad963d2b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\AA34.tmp.bat
  2⤵
  - Deletes itself
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AA34.tmp.bat

Filesize
179B

MD5
7940507fc30036cb5f422a3dd8e34419

SHA1
e79ce42fb0b88dac8bd7d1d4219cf0edfa7dea1f

SHA256
8c45a5931a0826fde44a95a3f785c78dd9e348ec23e2bc0de7dad9c0633b4d4d

SHA512
6473325ac0d87ff5bda599c7840f0c08c4be89aa2d895a5da245e36d69a33595b1c8b2bdfa0e7342905b32246338a14f236777729fc6f1573d0ad643c4e64050

Download Submit
\Windows\SysWOW64\avicapwm.dll

Filesize
712KB

MD5
29d8805cf26f2f323877a53c168914d8

SHA1
6ccfbdc5d6b71d41828fbc98ccb351ed15c9e30e

SHA256
e9464dbce1bc1f43a4b58937904d2a2a0c0a0cb087b44141688a3a168f71e070

SHA512
22dca08e510c6145b893a6f664a98e3e9eff82a1ff7e52a4c61614f8a4897d3fe66f879a5c1fc115f3a9039256fee7a4d568b8f1dec6913093c88a237cd368be

Download Submit
memory/2928-12-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download
memory/2928-21-0x0000000020000000-0x000000002006C000-memory.dmp

Filesize
432KB

Download