1c38f3734fa38bff173deba60dc2b061462a0f30b79bca465c703efb20836632

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa91c6a8bd844e71f9597a470383b3ad.exe
Size

14KB
MD5

aa91c6a8bd844e71f9597a470383b3ad
SHA1

c97df0ffb42334ed36f4ebc502c094ac07132590
SHA256

1c38f3734fa38bff173deba60dc2b061462a0f30b79bca465c703efb20836632
SHA512

ab0baf08574ef6e7c0db180d5cf864aa8dcb87734247a0e05d00a566f9dba54570bfe7dd1dcad6f684ff8c3fb6b8397f43cd03f5e6b07b4a07d14caa5926acfc
SSDEEP

384:Ja3jSvKQM4EydAqO2K7gnXYz78vz+/87Uy1:JazSvKQM459K7gnMgrk4Uy1

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fdqvfbrg.dll = "{DA56B183-A731-402b-9235-2CB8803E212D}"	aa91c6a8bd844e71f9597a470383b3ad.exe

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	aa91c6a8bd844e71f9597a470383b3ad.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fdqvfbrg.tmp	aa91c6a8bd844e71f9597a470383b3ad.exe
File opened for modification	C:\Windows\SysWOW64\fdqvfbrg.tmp	aa91c6a8bd844e71f9597a470383b3ad.exe
File opened for modification	C:\Windows\SysWOW64\fdqvfbrg.nls	aa91c6a8bd844e71f9597a470383b3ad.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}	aa91c6a8bd844e71f9597a470383b3ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32	aa91c6a8bd844e71f9597a470383b3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32\ = "C:\\Windows\\SysWow64\\fdqvfbrg.dll"	aa91c6a8bd844e71f9597a470383b3ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA56B183-A731-402b-9235-2CB8803E212D}\InProcServer32\ThreadingModel = "Apartment"	aa91c6a8bd844e71f9597a470383b3ad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2264	aa91c6a8bd844e71f9597a470383b3ad.exe
2264	aa91c6a8bd844e71f9597a470383b3ad.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2264	aa91c6a8bd844e71f9597a470383b3ad.exe
2264	aa91c6a8bd844e71f9597a470383b3ad.exe
2264	aa91c6a8bd844e71f9597a470383b3ad.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2668	2264	aa91c6a8bd844e71f9597a470383b3ad.exe	28
PID 2264 wrote to memory of 2668	2264	aa91c6a8bd844e71f9597a470383b3ad.exe	28
PID 2264 wrote to memory of 2668	2264	aa91c6a8bd844e71f9597a470383b3ad.exe	28
PID 2264 wrote to memory of 2668	2264	aa91c6a8bd844e71f9597a470383b3ad.exe	28

C:\Users\Admin\AppData\Local\Temp\aa91c6a8bd844e71f9597a470383b3ad.exe
"C:\Users\Admin\AppData\Local\Temp\aa91c6a8bd844e71f9597a470383b3ad.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\7FBB.tmp.bat
  2⤵
  - Deletes itself
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7FBB.tmp.bat

Filesize
179B

MD5
500e543f1a63d7770814f5307ecd4f91

SHA1
301f1869ebff09f6ae848ce96729a43c479d57ec

SHA256
a54ad6af2c48b64bee3ab1385dcdeaced296adcb989f97cfb2400bd4c868d1e1

SHA512
7434084c2a832b28a3a28210d220848dcbb4469717c03e44c63dc7dd28ba73d8112820adf35f4f0181877cf1e8ac9a7cc565d5dde8a27aaa637fa3baede8e27d

Download Submit
C:\Windows\SysWOW64\fdqvfbrg.tmp

Filesize
633KB

MD5
c1d963a4f6bd42e60c55cb516205b68f

SHA1
fee9ea6a7ad6cb94718e6cc545675bd011845e0e

SHA256
e78a69c2ec068cc9f9562ce8cca783ac00b8289de5c0c9ca3840a52340c18518

SHA512
63961ec466a487c50a0ad1135b768ff97da167944a8aca12215d0f589123f23217f6bb56e3d53706a0ed4249d3b9838a8e60cfcabe4e39a99b6c5a82524dc1ad

Download Submit
\Windows\SysWOW64\fdqvfbrg.dll

Filesize
64KB

MD5
9144c6da561275153bedfb09e7904a3e

SHA1
21bce7038d2d79047de40b216cbc26e51d46b34b

SHA256
eef7ac2d05f7e65060101338f1266de1cc01b0bec8f0c26c768f825a20a2736b

SHA512
3da97321f46c41f21d73718ef94d05c60451f7c20babb14d3f249f9ecce83f0ad500491fc5f95490219c9997418433b90ada9adcf3e3b87a4fbb957bae55b247

Download Submit
memory/2264-12-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2264-21-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download