436376c2c0da704a3bb85b917ca8609fa80d35bd2a70b20849db3218a49c71ac

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 21:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b838c0316a0c2732d26628f956f64879.exe
Size

14KB
MD5

b838c0316a0c2732d26628f956f64879
SHA1

778bb494be97671ef26af193cba2defcd2679526
SHA256

436376c2c0da704a3bb85b917ca8609fa80d35bd2a70b20849db3218a49c71ac
SHA512

b351a648a5f5829c470e0893e02eb4edaea5772943fa200352fe4f95d0a2a78185a5e9cc08928ad7454eefdea43be77196d5fe15323d4d08c7f4e0109fd3be7d
SSDEEP

192:vJe3kPsm4VevmE9Aw3Exwb4//2xBBL8YfO71bv2N+CoEwHydxnySaKakTiYsEufO:vpUmTmy37w3eMHanDja4iBpIcGRQW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jjwqpcwx.dll = "{76D44356-B494-443a-BEDC-AA68DE4255E6}"	b838c0316a0c2732d26628f956f64879.exe

Loads dropped DLL 1 IoCs

pid	Process
4484	b838c0316a0c2732d26628f956f64879.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\jjwqpcwx.nls	b838c0316a0c2732d26628f956f64879.exe
File created	C:\Windows\SysWOW64\jjwqpcwx.tmp	b838c0316a0c2732d26628f956f64879.exe
File opened for modification	C:\Windows\SysWOW64\jjwqpcwx.tmp	b838c0316a0c2732d26628f956f64879.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}	b838c0316a0c2732d26628f956f64879.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32	b838c0316a0c2732d26628f956f64879.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ = "C:\\Windows\\SysWow64\\jjwqpcwx.dll"	b838c0316a0c2732d26628f956f64879.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76D44356-B494-443a-BEDC-AA68DE4255E6}\InProcServer32\ThreadingModel = "Apartment"	b838c0316a0c2732d26628f956f64879.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4484	b838c0316a0c2732d26628f956f64879.exe
4484	b838c0316a0c2732d26628f956f64879.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4484	b838c0316a0c2732d26628f956f64879.exe
4484	b838c0316a0c2732d26628f956f64879.exe
4484	b838c0316a0c2732d26628f956f64879.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3232	4484	b838c0316a0c2732d26628f956f64879.exe	101
PID 4484 wrote to memory of 3232	4484	b838c0316a0c2732d26628f956f64879.exe	101
PID 4484 wrote to memory of 3232	4484	b838c0316a0c2732d26628f956f64879.exe	101

C:\Users\Admin\AppData\Local\Temp\b838c0316a0c2732d26628f956f64879.exe
"C:\Users\Admin\AppData\Local\Temp\b838c0316a0c2732d26628f956f64879.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AECE.tmp.bat
  2⤵
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AECE.tmp.bat

Filesize
179B

MD5
e03deb97914570419257114ea76b8e2b

SHA1
b5261ffd0f0afc327519905256451db6edb0ad05

SHA256
677cc42a14b4e53690ac32743781cccf42b5a26751cd6e2f32dba2f72ec649f4

SHA512
795537bb7fc7359a2af31ca60e1594a25dda2cd963ce56de1e3706ddabcd8cf835ad011d95f68486bb76f344c1d92aaec69082c076c3fc738ab71deb8ec9b71f

Download Submit
C:\Windows\SysWOW64\jjwqpcwx.nls

Filesize
428B

MD5
29ef62bc1e93ae71073671829660a9a5

SHA1
b7784d1ae9d7a9269e2636c2b37d82d0c69b49f0

SHA256
670a70f9b0753b1dffa542bc5b184e378edffe09cc25f80d6204afdd3ec397d5

SHA512
d332199ac5b2bc766d582cf632b49f1c65bb86cb5fc137dbb58e6afdac6ebcae919e7cb98b4aa0c15967461c6790926ee1950ad907fcd1b49d3047924e7a25eb

Download Submit
C:\Windows\SysWOW64\jjwqpcwx.tmp

Filesize
2.3MB

MD5
26c977623aa3ab3d3bb2c5933808fa68

SHA1
834134139533de201103389ca5dbcd44a9bf295f

SHA256
ad2ad33e5cd9e32377f6f6f14575cc69673af15b2060b4766cf8ceb6bae2ff02

SHA512
3fff806ed6c564173b5ea74145cfb4198ab349dabea1bdfc86871bc5a198bdf16b2dddc2c070d8f6575d86ac881deff8ab0b702f79f361abeaae9663de0b7aa0

Download Submit
memory/4484-17-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download
memory/4484-21-0x0000000010000000-0x000000001006C000-memory.dmp

Filesize
432KB

Download