3d7cfd928f425b90d5f70aa39a71f8d043750b1c4db23342001022d1d7faf938

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b51c7f2633cff83206582a60da4ec974.exe
Size

88KB
MD5

b51c7f2633cff83206582a60da4ec974
SHA1

034da2d9520ef8b266061a63d2ae92d18fa5f776
SHA256

3d7cfd928f425b90d5f70aa39a71f8d043750b1c4db23342001022d1d7faf938
SHA512

5ee2fb61f619ac5de26a49fb2286a60a82e373e7ef82d36a3055c42be8412dbca8f7b481a4e37f041c24dce2263e10f68d4e0f3dc311e1c7aba5443ebeae2501
SSDEEP

768:pn3/uyR05qzAWa1Uxv29b3jOmz+9wgwMdo6llDrwC3RdXW69vgW:pPuyR0g+oOb/DIlG69

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ottljqcu.dll = "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"	b51c7f2633cff83206582a60da4ec974.exe

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	b51c7f2633cff83206582a60da4ec974.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ottljqcu.tmp	b51c7f2633cff83206582a60da4ec974.exe
File opened for modification	C:\Windows\SysWOW64\ottljqcu.tmp	b51c7f2633cff83206582a60da4ec974.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}	b51c7f2633cff83206582a60da4ec974.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32	b51c7f2633cff83206582a60da4ec974.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ = "C:\\Windows\\SysWow64\\ottljqcu.dll"	b51c7f2633cff83206582a60da4ec974.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ThreadingModel = "Apartment"	b51c7f2633cff83206582a60da4ec974.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3024	b51c7f2633cff83206582a60da4ec974.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3024	b51c7f2633cff83206582a60da4ec974.exe
3024	b51c7f2633cff83206582a60da4ec974.exe
3024	b51c7f2633cff83206582a60da4ec974.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2528	3024	b51c7f2633cff83206582a60da4ec974.exe	28
PID 3024 wrote to memory of 2528	3024	b51c7f2633cff83206582a60da4ec974.exe	28
PID 3024 wrote to memory of 2528	3024	b51c7f2633cff83206582a60da4ec974.exe	28
PID 3024 wrote to memory of 2528	3024	b51c7f2633cff83206582a60da4ec974.exe	28

C:\Users\Admin\AppData\Local\Temp\b51c7f2633cff83206582a60da4ec974.exe
"C:\Users\Admin\AppData\Local\Temp\b51c7f2633cff83206582a60da4ec974.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\DE9C.tmp.bat
  2⤵
  - Deletes itself
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DE9C.tmp.bat

Filesize
179B

MD5
77f502b5388a53f5ee36d224e329c111

SHA1
8c912294e46e841a7b4b80486d33659482ea589f

SHA256
a94396d48c82a9790b5eb30ec156522fcdad67ca85252ad4a6ad9bb1162ecf86

SHA512
1c8c0a383c4cb9e22d15f29e80125a70b8df97f3a732221986579d1d0bdd7747ef7f8a34571c5fcd4cdf4dd9174dd62a02d0e4b62863f133b19ebd1ba633519e

Download Submit
\Windows\SysWOW64\ottljqcu.dll

Filesize
2.1MB

MD5
2b6850f9e510612a2c445089f01094ef

SHA1
295a3a45b2ed6b935c0720ba3d7237bd09acb71e

SHA256
bdfae0984fcffa98bdd1f3a5b5d8e64f84e7c68f054ae1bf44d4b9b49c3ba900

SHA512
ce19fce44ecaa1e90f0f3ca625fe0a506f04838b36de4a87d6a0fbcdf0eedf1668a27adf4852e5a4358e29615cc2ec3853d6ba3d7ba767ca3a9f3567b272d2ab

Download Submit
memory/3024-5-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3024-14-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download