a717e7cdf06ad08d77b0e9db114e8c0f3a7b73d68f63cf418ad74835a8e3769a

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5fed68b6b6bc0e25d25e8b591d6708b.exe
Size

15KB
MD5

b5fed68b6b6bc0e25d25e8b591d6708b
SHA1

33d8f8cbdffadaa1ed67fb5c8db40925df937ddc
SHA256

a717e7cdf06ad08d77b0e9db114e8c0f3a7b73d68f63cf418ad74835a8e3769a
SHA512

3fb2ce244dc2b4ec111daa0e7a088b5c3ad66fe060711045c08e6a29b57f6423d43c71846655060a0d076cba38fa39377e7c56aeb71fef15cfb8bf6eb53b6415
SSDEEP

384:6hNNij0M+DdEbvZWG+22dwWxWoLDvpiiSoBkfNN5IKD:69iQMjMG+22dwmL/piiS+kn5vD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\pvattukv.dll = "{76D44356-B494-443a-BEDC-AA68DE4255E6}"	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Loads dropped DLL 1 IoCs

pid	Process
3676	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pvattukv.tmp	b5fed68b6b6bc0e25d25e8b591d6708b.exe
File opened for modification	C:\Windows\SysWOW64\pvattukv.tmp	b5fed68b6b6bc0e25d25e8b591d6708b.exe
File opened for modification	C:\Windows\SysWOW64\pvattukv.nls	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}	b5fed68b6b6bc0e25d25e8b591d6708b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32	b5fed68b6b6bc0e25d25e8b591d6708b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ = "C:\\Windows\\SysWow64\\pvattukv.dll"	b5fed68b6b6bc0e25d25e8b591d6708b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ThreadingModel = "Apartment"	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3676	b5fed68b6b6bc0e25d25e8b591d6708b.exe
3676	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3676	b5fed68b6b6bc0e25d25e8b591d6708b.exe
3676	b5fed68b6b6bc0e25d25e8b591d6708b.exe
3676	b5fed68b6b6bc0e25d25e8b591d6708b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 1628	3676	b5fed68b6b6bc0e25d25e8b591d6708b.exe	100
PID 3676 wrote to memory of 1628	3676	b5fed68b6b6bc0e25d25e8b591d6708b.exe	100
PID 3676 wrote to memory of 1628	3676	b5fed68b6b6bc0e25d25e8b591d6708b.exe	100

C:\Users\Admin\AppData\Local\Temp\b5fed68b6b6bc0e25d25e8b591d6708b.exe
"C:\Users\Admin\AppData\Local\Temp\b5fed68b6b6bc0e25d25e8b591d6708b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\B91E.tmp.bat
  2⤵
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B91E.tmp.bat

Filesize
179B

MD5
6e3664e93a01593127c5d37ed2ca8459

SHA1
4c3c261753b8ce82e9e85bd1dd566dc4a99f7a5e

SHA256
ec1a76f92558c26bed6fe9048eba128a5ea8fbe460611c6f7dbe5a766267feb7

SHA512
d4e5777b7414c44928b4dd8ea70ba0faf31f17b77045bdce856f6a6b03a00265051cc88d800bd833b165a6d355d83557a671fda9d8667c972fa0460828141254

Download Submit
C:\Windows\SysWOW64\pvattukv.nls

Filesize
428B

MD5
bbcbd82e40a379ab28466249d6a81301

SHA1
4a883e5dcd114d5791ce81c3ceae10b2584dc5de

SHA256
323f3491bf34366199ab59d1d0ca81364a6c76993a9332bd653169ab8a60392f

SHA512
0bfade420a480de99a2aeb768eecaa387b6806ad7152e184e366a57f99e8c9a38b8910c64ded2792042c08fa5c9732e249a9f7b9469b22cc9d1203df73f6d196

Download Submit
C:\Windows\SysWOW64\pvattukv.tmp

Filesize
2.4MB

MD5
c6b98cdafe00800bd76fceb9d7c4c362

SHA1
61480fc0542985aa556418bc3523f1a20f574619

SHA256
723bd62859f242baabe22721aa8f32886c9b4355435548d7f42bb683fae26c7f

SHA512
eeff31a7b444f07613fb1454c04f35ab1b12b6c556738d494ae8d5e98084de2c04c0318749692f97baf8ff23ee377c90b6d92aa795b7156a4b5ef5dc10acded5

Download Submit
memory/3676-17-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/3676-21-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download