096be1382aa2c1fb2dbf9ba721741a9a26f6527d521864d56dd2af8c1bbdc6c7

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a340b979cbca16353c7f40ad38fa8e04.exe
Size

10KB
MD5

a340b979cbca16353c7f40ad38fa8e04
SHA1

4c459b92e92f452b9f2808e1c2bd6e2df7b9b611
SHA256

096be1382aa2c1fb2dbf9ba721741a9a26f6527d521864d56dd2af8c1bbdc6c7
SHA512

0b9a0ce4aafe991ed2b64ef0a3bf140fd1b61cda44741e81f03339d545a4e1d863a39a6f6e4fbf98a0ba34fed17d9c5a18ed4fa9b9489ecb1a79913cff4df511
SSDEEP

192:9muDGimTHdRxpgj/7jSS6qiYsBLIEM4uhVFKvIW8Jt3q1Wap:9muDGTHdRPgX2xqhsVfM4u1KvIW8JUAY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll = "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"	a340b979cbca16353c7f40ad38fa8e04.exe

Loads dropped DLL 1 IoCs

pid	Process
4056	a340b979cbca16353c7f40ad38fa8e04.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\slbiopfs2.tmp	a340b979cbca16353c7f40ad38fa8e04.exe
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.tmp	a340b979cbca16353c7f40ad38fa8e04.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}	a340b979cbca16353c7f40ad38fa8e04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32	a340b979cbca16353c7f40ad38fa8e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ = "C:\\Windows\\SysWow64\\slbiopfs2.dll"	a340b979cbca16353c7f40ad38fa8e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ThreadingModel = "Apartment"	a340b979cbca16353c7f40ad38fa8e04.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4056	a340b979cbca16353c7f40ad38fa8e04.exe
4056	a340b979cbca16353c7f40ad38fa8e04.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4056	a340b979cbca16353c7f40ad38fa8e04.exe
4056	a340b979cbca16353c7f40ad38fa8e04.exe
4056	a340b979cbca16353c7f40ad38fa8e04.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4984	4056	a340b979cbca16353c7f40ad38fa8e04.exe	92
PID 4056 wrote to memory of 4984	4056	a340b979cbca16353c7f40ad38fa8e04.exe	92
PID 4056 wrote to memory of 4984	4056	a340b979cbca16353c7f40ad38fa8e04.exe	92

C:\Users\Admin\AppData\Local\Temp\a340b979cbca16353c7f40ad38fa8e04.exe
"C:\Users\Admin\AppData\Local\Temp\a340b979cbca16353c7f40ad38fa8e04.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\681B.tmp.bat
  2⤵
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\681B.tmp.bat

Filesize
179B

MD5
b38d7a282c92c874e11e2f8f68ae70be

SHA1
648181ff9315587c08f1822430897ee7e57c4941

SHA256
27022a73dcdaf2ffaafa6c0701c62db1a96a30684e1f970842ae1c0a0c51d4e2

SHA512
7915f9bad3fb9fd4d2df643b3618ec29857e0c96859e97238f8805fa98b0919695f2e44d6796b10ade2c905ce6f9723099e2f251fb72fbe51b7f95bfd8ad7f42

Download Submit
C:\Windows\SysWOW64\slbiopfs2.dll

Filesize
943KB

MD5
5367d7f9afa7d1dc4b2161af29d0303f

SHA1
0367823c0c6adf454114ede6e851120d19dda64a

SHA256
c30a9b8a50c0f15a07190eec8d7f23d494b55317d50899c5f94b0a42d26dcbfc

SHA512
bd12d710ba6fec5a147f3478a314b0a8fc66366d5bce8424ff680529455e87f2518b1af7a3fc027eba48f11f0b62a95e6286e0585590e699fce1d889dd5dc501

Download Submit
memory/4056-6-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/4056-11-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download