bb65934aac6e453ff247d44e3c85e9a84645f45f63e56b15a50fb2f302f5a59f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b48c9c0a5b082a4fbcfd0d2e23236277.exe
Size

14KB
MD5

b48c9c0a5b082a4fbcfd0d2e23236277
SHA1

bf269fd3a746af43fbf43359677e4ae2eaa68e14
SHA256

bb65934aac6e453ff247d44e3c85e9a84645f45f63e56b15a50fb2f302f5a59f
SHA512

617fde11e94ac2fbbe704d5a2e37744c77c22a0bb6f55795cad027e6fbf0dba392392a197553dd4bb3993df7f6614370e6a6f3436d06184619e0289dc62f4b1e
SSDEEP

384:5tLoqw7DpkFqQon+hJEVNnznQmO/VbALaqjN:3o2Fg6YNznQmO/q2c

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\krurmhfv.dll = "{F0930A2F-D971-4828-8209-B7DFD266ED44}"	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Loads dropped DLL 1 IoCs

pid	Process
1364	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\krurmhfv.tmp	b48c9c0a5b082a4fbcfd0d2e23236277.exe
File opened for modification	C:\Windows\SysWOW64\krurmhfv.tmp	b48c9c0a5b082a4fbcfd0d2e23236277.exe
File opened for modification	C:\Windows\SysWOW64\krurmhfv.nls	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32	b48c9c0a5b082a4fbcfd0d2e23236277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ = "C:\\Windows\\SysWow64\\krurmhfv.dll"	b48c9c0a5b082a4fbcfd0d2e23236277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}\InProcServer32\ThreadingModel = "Apartment"	b48c9c0a5b082a4fbcfd0d2e23236277.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0930A2F-D971-4828-8209-B7DFD266ED44}	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1364	b48c9c0a5b082a4fbcfd0d2e23236277.exe
1364	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1364	b48c9c0a5b082a4fbcfd0d2e23236277.exe
1364	b48c9c0a5b082a4fbcfd0d2e23236277.exe
1364	b48c9c0a5b082a4fbcfd0d2e23236277.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 856	1364	b48c9c0a5b082a4fbcfd0d2e23236277.exe	99
PID 1364 wrote to memory of 856	1364	b48c9c0a5b082a4fbcfd0d2e23236277.exe	99
PID 1364 wrote to memory of 856	1364	b48c9c0a5b082a4fbcfd0d2e23236277.exe	99

C:\Users\Admin\AppData\Local\Temp\b48c9c0a5b082a4fbcfd0d2e23236277.exe
"C:\Users\Admin\AppData\Local\Temp\b48c9c0a5b082a4fbcfd0d2e23236277.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AF4B.tmp.bat
  2⤵
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AF4B.tmp.bat

Filesize
179B

MD5
352fa648a4270e1241b79c9b2c8751c8

SHA1
5e6aa1a78ef0910eed1f8cf62f19421fd61b55b5

SHA256
062794ba1fb2203d42044d5b1d1cca457a903b1bb4e909bbee482d9d8bff1315

SHA512
a40f257ec126fd293de3443c98b098664d6c224b5ad8a50a96d65f6ebff688f6978ca55a6fd630d905302321323e5822e6b7146692b57d01d64d4540db9ed497

Download Submit
C:\Windows\SysWOW64\krurmhfv.nls

Filesize
428B

MD5
eaa2d01393468099db7fc87c82bb69cf

SHA1
e6a772519c9b288512ba3821949b4b625bf40985

SHA256
0cea64c5dbfc930766d4ad2aaa634646a9625dcc6b7e4db8afc230e428121d9d

SHA512
b92a98b25f37e27b1452929b4e59d2d2bafee2185e3b441e8f1d164b4ea942206b5efa84f2639839b79625f702e03e52fd8940946f87c0dd6b83e70166624a02

Download Submit
C:\Windows\SysWOW64\krurmhfv.tmp

Filesize
2.5MB

MD5
b0ed010ebd995eb083402c72c1bec74d

SHA1
563396572b996b51177dd72bf89db03d53bc5fd9

SHA256
ff2402faa76657364676fe4d50b564567e961fde37f00d178642b203efcd8d49

SHA512
4f4ad552d54a96ee78749e7fd9bb2c8a30a534cf092c1be67f100b3a54e356bfe568be6bdc977e9e32b6d58f2b0b3b321c2e05f726bbb71c1f0e83b1ac9e1c9a

Download Submit
memory/1364-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1364-21-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download