3d7cfd928f425b90d5f70aa39a71f8d043750b1c4db23342001022d1d7faf938

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b51c7f2633cff83206582a60da4ec974.exe
Size

88KB
MD5

b51c7f2633cff83206582a60da4ec974
SHA1

034da2d9520ef8b266061a63d2ae92d18fa5f776
SHA256

3d7cfd928f425b90d5f70aa39a71f8d043750b1c4db23342001022d1d7faf938
SHA512

5ee2fb61f619ac5de26a49fb2286a60a82e373e7ef82d36a3055c42be8412dbca8f7b481a4e37f041c24dce2263e10f68d4e0f3dc311e1c7aba5443ebeae2501
SSDEEP

768:pn3/uyR05qzAWa1Uxv29b3jOmz+9wgwMdo6llDrwC3RdXW69vgW:pPuyR0g+oOb/DIlG69

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ewdnowzo.dll = "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"	b51c7f2633cff83206582a60da4ec974.exe

Loads dropped DLL 1 IoCs

pid	Process
2788	b51c7f2633cff83206582a60da4ec974.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewdnowzo.tmp	b51c7f2633cff83206582a60da4ec974.exe
File opened for modification	C:\Windows\SysWOW64\ewdnowzo.tmp	b51c7f2633cff83206582a60da4ec974.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ = "C:\\Windows\\SysWow64\\ewdnowzo.dll"	b51c7f2633cff83206582a60da4ec974.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ThreadingModel = "Apartment"	b51c7f2633cff83206582a60da4ec974.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}	b51c7f2633cff83206582a60da4ec974.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32	b51c7f2633cff83206582a60da4ec974.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	b51c7f2633cff83206582a60da4ec974.exe
2788	b51c7f2633cff83206582a60da4ec974.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2788	b51c7f2633cff83206582a60da4ec974.exe
2788	b51c7f2633cff83206582a60da4ec974.exe
2788	b51c7f2633cff83206582a60da4ec974.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 1700	2788	b51c7f2633cff83206582a60da4ec974.exe	100
PID 2788 wrote to memory of 1700	2788	b51c7f2633cff83206582a60da4ec974.exe	100
PID 2788 wrote to memory of 1700	2788	b51c7f2633cff83206582a60da4ec974.exe	100

C:\Users\Admin\AppData\Local\Temp\b51c7f2633cff83206582a60da4ec974.exe
"C:\Users\Admin\AppData\Local\Temp\b51c7f2633cff83206582a60da4ec974.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\A613.tmp.bat
  2⤵
  PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A613.tmp.bat

Filesize
179B

MD5
77f502b5388a53f5ee36d224e329c111

SHA1
8c912294e46e841a7b4b80486d33659482ea589f

SHA256
a94396d48c82a9790b5eb30ec156522fcdad67ca85252ad4a6ad9bb1162ecf86

SHA512
1c8c0a383c4cb9e22d15f29e80125a70b8df97f3a732221986579d1d0bdd7747ef7f8a34571c5fcd4cdf4dd9174dd62a02d0e4b62863f133b19ebd1ba633519e

Download Submit
C:\Windows\SysWOW64\ewdnowzo.dll

Filesize
2.2MB

MD5
fb8c725644f69db04fad3e780bc87d40

SHA1
427305d559251c7e5a52d4efabd6c7e3f6bdb690

SHA256
4562ff71d250423ef17455fe9b1e7b3a34b32a502944d0cdea23e4e1c0237f5c

SHA512
e69bd58a7c6ca8000b8c86df41f85bb119c8333694f35b7a530b6aa7e291bb9af9480b636d3536a95934063a1d1a14ad43931c651dbd6a6748c4d230c91377fd

Download Submit
memory/2788-6-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2788-10-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download