f869a87d5df71401afaa492563c04cf11331e43dea06b47b5fc2b19a314f89bb

Analysis

max time kernel
106s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1255b5fb7ac50c5a787a9463b1bf501.exe
Size

9KB
MD5

a1255b5fb7ac50c5a787a9463b1bf501
SHA1

175b9c8ca94b9ff1e37ae294ae3f5a8cea8049bf
SHA256

f869a87d5df71401afaa492563c04cf11331e43dea06b47b5fc2b19a314f89bb
SHA512

3da142f5d07e9ebe067fe0156eb75c616a093bb846be29ddc5bcc183e59c98af8f859eea4f9a9e461badfe6e9085282111556feda6666a3ef997d0cce848a456
SSDEEP

192:cjfO4JtTSaX7T/bOvbrnVCcFilDL9oc50FD8IyKOad:cjxJ11nbK3nVCcFIDecrn0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\midimapjr = "{4F4F0064-71E0-4f0d-0012-708476C7815F}"	a1255b5fb7ac50c5a787a9463b1bf501.exe

Loads dropped DLL 1 IoCs

pid	Process
3832	a1255b5fb7ac50c5a787a9463b1bf501.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\midimapjr.tmp	a1255b5fb7ac50c5a787a9463b1bf501.exe
File opened for modification	C:\Windows\SysWOW64\midimapjr.tmp	a1255b5fb7ac50c5a787a9463b1bf501.exe
File opened for modification	C:\Windows\SysWOW64\midimapjr.dat	a1255b5fb7ac50c5a787a9463b1bf501.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}	a1255b5fb7ac50c5a787a9463b1bf501.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}\InProcServer32	a1255b5fb7ac50c5a787a9463b1bf501.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}\InProcServer32\ = "C:\\Windows\\SysWow64\\midimapjr.dll"	a1255b5fb7ac50c5a787a9463b1bf501.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F4F0064-71E0-4f0d-0012-708476C7815F}\InProcServer32\ThreadingModel = "Apartment"	a1255b5fb7ac50c5a787a9463b1bf501.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3832	a1255b5fb7ac50c5a787a9463b1bf501.exe
3832	a1255b5fb7ac50c5a787a9463b1bf501.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3832	a1255b5fb7ac50c5a787a9463b1bf501.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2820	3832	a1255b5fb7ac50c5a787a9463b1bf501.exe	91
PID 3832 wrote to memory of 2820	3832	a1255b5fb7ac50c5a787a9463b1bf501.exe	91
PID 3832 wrote to memory of 2820	3832	a1255b5fb7ac50c5a787a9463b1bf501.exe	91

C:\Users\Admin\AppData\Local\Temp\a1255b5fb7ac50c5a787a9463b1bf501.exe
"C:\Users\Admin\AppData\Local\Temp\a1255b5fb7ac50c5a787a9463b1bf501.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\C89F.tmp.bat
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C89F.tmp.bat

Filesize
179B

MD5
75af2cbb6062d82f6e1ce1f0e469262f

SHA1
e46ae894d5fc1fbd8e627ec07e44f35c4378db69

SHA256
535c05e2aa1d8ae10cd487abf28eaa00082ac43f1df0b2a4870dc010caa41bcb

SHA512
d2e72191cb1b5527ae1cffb0d00657bbf5392bffe0bbff4b62d7042ddf9acd99f2e137c79dd25d4b4fcbe5df9fb0c6963fbcaa5ce90ecc20ca10bfbfe8c70b0d

Download Submit
C:\Windows\SysWOW64\midimapjr.tmp

Filesize
1.0MB

MD5
76762af7d72bbacd6abfab097a1aedaf

SHA1
4fc6b7d5a98eaae332f28d51baba08792d3cd9a8

SHA256
e0e63efffa445f57929d5186777155e4b981f47b994dfbc7d5d537e5944a27c6

SHA512
fe1f38749912f6935ab56158c73e1966408a3303fd653b643ad7bce9405706228125a5ef0111bf2ef9e3d07fdf2a37f86ce6a19985e28c1c9a9edd1786146762

Download Submit