1a66db6e905b44361d7a1f844f07a455585894b4a2b58d64b0311f129206042d

Analysis

max time kernel
144s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b56c574f44943648a94077d9b1aa7402.exe
Size

12KB
MD5

b56c574f44943648a94077d9b1aa7402
SHA1

d4a1c5dc883a49e7e6d012610dc88a7ee5b2ba51
SHA256

1a66db6e905b44361d7a1f844f07a455585894b4a2b58d64b0311f129206042d
SHA512

4c6fd348fb4fc2426ae68a9dd35a05eee36c2fd9fb5cd1634329b4e09a0279f6f9f30881c5460e7141f5ccd1b16611473eec5a68748b3b2a735272fda18dd796
SSDEEP

384:Kx69z3jJUZztDiY+U3fXZy2vXg/o5YaF3WUI:Q6J3jMztdPfZ/owWau

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tscfgwmijxsj.dll = "{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}"	b56c574f44943648a94077d9b1aa7402.exe

Loads dropped DLL 1 IoCs

pid	Process
3984	b56c574f44943648a94077d9b1aa7402.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	b56c574f44943648a94077d9b1aa7402.exe
File opened for modification	C:\Windows\SysWOW64\tscfgwmijxsj.tmp	b56c574f44943648a94077d9b1aa7402.exe
File opened for modification	C:\Windows\SysWOW64\tscfgwmijxsj.nls	b56c574f44943648a94077d9b1aa7402.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}	b56c574f44943648a94077d9b1aa7402.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32	b56c574f44943648a94077d9b1aa7402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32\ = "C:\\Windows\\SysWow64\\tscfgwmijxsj.dll"	b56c574f44943648a94077d9b1aa7402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}\InProcServer32\ThreadingModel = "Apartment"	b56c574f44943648a94077d9b1aa7402.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3984	b56c574f44943648a94077d9b1aa7402.exe
3984	b56c574f44943648a94077d9b1aa7402.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3984	b56c574f44943648a94077d9b1aa7402.exe
3984	b56c574f44943648a94077d9b1aa7402.exe
3984	b56c574f44943648a94077d9b1aa7402.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3536	3984	b56c574f44943648a94077d9b1aa7402.exe	101
PID 3984 wrote to memory of 3536	3984	b56c574f44943648a94077d9b1aa7402.exe	101
PID 3984 wrote to memory of 3536	3984	b56c574f44943648a94077d9b1aa7402.exe	101

C:\Users\Admin\AppData\Local\Temp\b56c574f44943648a94077d9b1aa7402.exe
"C:\Users\Admin\AppData\Local\Temp\b56c574f44943648a94077d9b1aa7402.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\A103.tmp.bat
  2⤵
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A103.tmp.bat

Filesize
179B

MD5
43e8614ccbb139bf7a2f6b3e089d3faa

SHA1
b1c0dd18ac1d67d6b314acaad5011c96ccbf7270

SHA256
899ca26a9ddeae3ba9962405ec440336689c6888d1156759c71a05c93674cb32

SHA512
1ac56ee490f1f9ac03350f329d096db4d7a7ec6c6ca2a721753d9c3f035651437d378f63d3239acdde40231d7d602eb3a06927ab484f75d5662819c78290a36b

Download Submit
C:\Windows\SysWOW64\tscfgwmijxsj.nls

Filesize
428B

MD5
86782c93072a701fa642b2e8488d420f

SHA1
d7ca5f8d7b6976eefbcce78f6441755e6e9cc1a1

SHA256
a8430b4ffbdbdf2b7f9b20e60163ce1bf20a3e79c0cc692d51ac65350e6ceecf

SHA512
e968d5ed91062a80937d76ec1278cb05e4593ed79b2ccac8a7ada238d6f0a82a7a6b4078c3bbd78f285e407ab2da0bb53034988133460bd768895c422642e1cb

Download Submit
C:\Windows\SysWOW64\tscfgwmijxsj.tmp

Filesize
949KB

MD5
5e9422951a12cc6d1d3a43196d35dcdb

SHA1
1668167718163b0c1657eaa7d863fe4521f1ff6e

SHA256
fa8587581b23ddfcd6c37aeaad07d9f98b3bd4e8180fe0a04d9e674d976b83e9

SHA512
883fe9e7adeae7ef85acedefc04a1092022eca0b7dc0c0fea2c4dc9dc4398651d196bc4dab516fa4bcc1a9d824d51deb0b85a5715662c200c1fb2c3ca832f7d4

Download Submit
memory/3984-17-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/3984-21-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download