bb65934aac6e453ff247d44e3c85e9a84645f45f63e56b15a50fb2f302f5a59f

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b48c9c0a5b082a4fbcfd0d2e23236277.exe
Size

14KB
MD5

b48c9c0a5b082a4fbcfd0d2e23236277
SHA1

bf269fd3a746af43fbf43359677e4ae2eaa68e14
SHA256

bb65934aac6e453ff247d44e3c85e9a84645f45f63e56b15a50fb2f302f5a59f
SHA512

617fde11e94ac2fbbe704d5a2e37744c77c22a0bb6f55795cad027e6fbf0dba392392a197553dd4bb3993df7f6614370e6a6f3436d06184619e0289dc62f4b1e
SSDEEP

384:5tLoqw7DpkFqQon+hJEVNnznQmO/VbALaqjN:3o2Fg6YNznQmO/q2c

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\otoweiyf.dll = "{F0930A2F-D971-4828-8209-B7DFD266ED44}"	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1376	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\otoweiyf.tmp	b48c9c0a5b082a4fbcfd0d2e23236277.exe
File opened for modification	C:\Windows\SysWOW64\otoweiyf.tmp	b48c9c0a5b082a4fbcfd0d2e23236277.exe
File opened for modification	C:\Windows\SysWOW64\otoweiyf.nls	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}	b48c9c0a5b082a4fbcfd0d2e23236277.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32	b48c9c0a5b082a4fbcfd0d2e23236277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ = "C:\\Windows\\SysWow64\\otoweiyf.dll"	b48c9c0a5b082a4fbcfd0d2e23236277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ThreadingModel = "Apartment"	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1376	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1376	b48c9c0a5b082a4fbcfd0d2e23236277.exe
1376	b48c9c0a5b082a4fbcfd0d2e23236277.exe
1376	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2544	1376	b48c9c0a5b082a4fbcfd0d2e23236277.exe	28
PID 1376 wrote to memory of 2544	1376	b48c9c0a5b082a4fbcfd0d2e23236277.exe	28
PID 1376 wrote to memory of 2544	1376	b48c9c0a5b082a4fbcfd0d2e23236277.exe	28
PID 1376 wrote to memory of 2544	1376	b48c9c0a5b082a4fbcfd0d2e23236277.exe	28

C:\Users\Admin\AppData\Local\Temp\b48c9c0a5b082a4fbcfd0d2e23236277.exe
"C:\Users\Admin\AppData\Local\Temp\b48c9c0a5b082a4fbcfd0d2e23236277.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\C005.tmp.bat
  2⤵
  - Deletes itself
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C005.tmp.bat

Filesize
179B

MD5
352fa648a4270e1241b79c9b2c8751c8

SHA1
5e6aa1a78ef0910eed1f8cf62f19421fd61b55b5

SHA256
062794ba1fb2203d42044d5b1d1cca457a903b1bb4e909bbee482d9d8bff1315

SHA512
a40f257ec126fd293de3443c98b098664d6c224b5ad8a50a96d65f6ebff688f6978ca55a6fd630d905302321323e5822e6b7146692b57d01d64d4540db9ed497

Download Submit
C:\Windows\SysWOW64\otoweiyf.nls

Filesize
428B

MD5
eaa2d01393468099db7fc87c82bb69cf

SHA1
e6a772519c9b288512ba3821949b4b625bf40985

SHA256
0cea64c5dbfc930766d4ad2aaa634646a9625dcc6b7e4db8afc230e428121d9d

SHA512
b92a98b25f37e27b1452929b4e59d2d2bafee2185e3b441e8f1d164b4ea942206b5efa84f2639839b79625f702e03e52fd8940946f87c0dd6b83e70166624a02

Download Submit
\Windows\SysWOW64\otoweiyf.dll

Filesize
2.3MB

MD5
09395e83759534bffcefc529e7a5e8c1

SHA1
f02edeac28260806546dbb45f6a61b238fcee7a4

SHA256
d677cd39a45270e69c5cf86792aed6d451e57467e4462630675d6e493271cc7c

SHA512
d3baa2e2056c41b0d59affa6e7dfe5be9d8ef191a9b737a0b1a889a8db8292079c014c924e004d4c7eed4f2050e736e7f85a74871a54b1616e946076a8bb5603

Download Submit
memory/1376-16-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1376-26-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download