Analysis Overview
SHA256
9c827fd486fcee65b93a58241b455a89be45b56046d3b78e695f4d6cd1b29e2c
Threat Level: Known bad
The file b24fa78084497f1d9208787d96f9b6ea was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Deletes itself
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-04 14:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-04 14:03
Reported
2024-03-04 14:05
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vmutgpyw.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\vmutgpyw.nls | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| File created | C:\Windows\SysWOW64\vmutgpyw.tmp | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vmutgpyw.tmp | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\vmutgpyw.dll" | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3008 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3008 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3008 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3008 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe
"C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\96E3.tmp.bat
Network
Files
C:\Windows\SysWOW64\vmutgpyw.tmp
| Hash | Value |
|---|---|
| MD5 | b5b9b49c77d4582f4d6329634a214406 |
| SHA1 | 74393ae410e0eec2de220e3b2a2522844549466f |
| SHA256 | 9935a45f977fdfdd9f0fe641420ff550d302ee62981b430bcb248038f826e3a3 |
| SHA512 | b47b5a8d19011d0538304b184e76feb9e6d0a4ddf6aacf38e626b73dd283ad054602a86121dd29e1828918b802ab0b05383d5b469a8b85d7635bf4b83c7a1bb2 |
C:\Windows\SysWOW64\vmutgpyw.nls
| Hash | Value |
|---|---|
| MD5 | 76a3016d1defcd1798f893e3859616dd |
| SHA1 | 5a8f2f3c94f8aec0dd573e54083a6c6d3b09d047 |
| SHA256 | f9a7e55649b01160bea0a1daf490dd85e5d25e8ff038434d381b2053fab40b74 |
| SHA512 | 812649bf9278a938c2d87d3b9f0ed1c5177a4f9464750ee22f178399d948d45c9dff1e28db3eb1edd0673b775fdf7246635f684332a413ef64e3d67a9295b977 |
memory/3008-16-0x0000000010000000-0x0000000010009000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\96E3.tmp.bat
| Hash | Value |
|---|---|
| MD5 | bc2c7a46b8faafa782a38495979dffc2 |
| SHA1 | a4f2c3a6b109ef2f174e59ec6286cc1044dac2a4 |
| SHA256 | 07c5c747b0b199326070ab07d4c72977367dd7bb0588eca3dac145f2a96c8a9a |
| SHA512 | 025109f02c5705e96a19adff95c8cbce475a8b2c57806a1896d623fcbd5df5633b65320b23985063e2b59a9ab4cfb269bd46f98c6c45685e6eac6c23b3562065 |
memory/3008-25-0x0000000010000000-0x0000000010009000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-04 14:03
Reported
2024-03-04 14:05
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
115s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bzrljqjr.dll = "{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\bzrljqjr.tmp | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bzrljqjr.tmp | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bzrljqjr.nls | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}\InProcServer32\ = "C:\\Windows\\SysWow64\\bzrljqjr.dll" | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 904 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 904 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 904 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe
"C:\Users\Admin\AppData\Local\Temp\b24fa78084497f1d9208787d96f9b6ea.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BAA5.tmp.bat
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\bzrljqjr.tmp
| Hash | Value |
|---|---|
| MD5 | 7ec881dcfb336244abb3d5257be23959 |
| SHA1 | c86a7171239cc46e1054e8199f70777ff50b198f |
| SHA256 | d22baaa57d5e54c02bd28a5269ee9815f7b8c7576d7851a4e40e06e7f878371e |
| SHA512 | c047523ef8b4cae110b4e45231a7684f73e37b4e3e1c82534d5d341da15023053a8a3f6208c6a90262cd6dbd19aab577fd023306aa969700d466283b0cc767ba |
C:\Windows\SysWOW64\bzrljqjr.nls
| Hash | Value |
|---|---|
| MD5 | 76a3016d1defcd1798f893e3859616dd |
| SHA1 | 5a8f2f3c94f8aec0dd573e54083a6c6d3b09d047 |
| SHA256 | f9a7e55649b01160bea0a1daf490dd85e5d25e8ff038434d381b2053fab40b74 |
| SHA512 | 812649bf9278a938c2d87d3b9f0ed1c5177a4f9464750ee22f178399d948d45c9dff1e28db3eb1edd0673b775fdf7246635f684332a413ef64e3d67a9295b977 |
memory/904-17-0x0000000010000000-0x0000000010009000-memory.dmp
memory/904-21-0x0000000010000000-0x0000000010009000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BAA5.tmp.bat
| Hash | Value |
|---|---|
| MD5 | bc2c7a46b8faafa782a38495979dffc2 |
| SHA1 | a4f2c3a6b109ef2f174e59ec6286cc1044dac2a4 |
| SHA256 | 07c5c747b0b199326070ab07d4c72977367dd7bb0588eca3dac145f2a96c8a9a |
| SHA512 | 025109f02c5705e96a19adff95c8cbce475a8b2c57806a1896d623fcbd5df5633b65320b23985063e2b59a9ab4cfb269bd46f98c6c45685e6eac6c23b3562065 |