Analysis
max time kernel: 139s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 23:08
Behavioral tasks
behavioral1: sample c1d6b600261c8fa506046e27639d8104.exe, resource win7-20240215-en
behavioral2: sample c1d6b600261c8fa506046e27639d8104.exe, resource win10v2004-20240226-en
The signatures, memory dumps and process tree below come from behavioral2 (the Windows 10 run); no behavioral1 results appear on this page.
General
Target: c1d6b600261c8fa506046e27639d8104.exe
Size: 23KB
MD5: c1d6b600261c8fa506046e27639d8104
SHA1: bbbaabbfde4e94613f690a3b3ece8c12fb3c8d4a
SHA256: 04e4d18d9029c46da00d048441689bea7a2ad67975958d6a452eb5180c67daa6
SHA512: 2878e066346ea9115e21435c79954ef751b7f42e773c7d298eef41a4b1ef8e733641f5303f1c8ed6bbe655910c0431104af1e539a462af7665a300435e896d14
SSDEEP: 384:ENwx70GGigxf+FhQrSmtlWCMHQw2iVPnQ3tJgFwmiBGFPYrtDLma8nyYeC0:b773gx2FhQrdtbMHGQ4vBGhYDLma8ndi
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (by c1d6b600261c8fa506046e27639d8104.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CBD236B7 = "{CBD236B7-B762-4832-AEC1-D3178F03C71B}" (by c1d6b600261c8fa506046e27639d8104.exe)
ShellServiceObjectDelayLoad lists CLSIDs of COM objects that Explorer.exe instantiates when the shell starts. The value written here is only a GUID; it becomes a loadable payload through the CLSID\{CBD236B7-B762-4832-AEC1-D3178F03C71B}\InProcServer32 registration recorded under "Modifies registry class", which names the dropped C:\Windows\SysWow64\cbdijmbn.dll. Because the sample is 32-bit, both keys land in the WOW6432Node view; a hunt that reads only the native Software hive will miss them.
Modifies AppInit DLL entries (2 TTPs; no IoCs recorded in this report)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation (by c1d6b600261c8fa506046e27639d8104.exe)
Loads dropped DLL (1 IoC)
PID 3120 c1d6b600261c8fa506046e27639d8104.exe
YARA rule match: upx (2 IoCs)
behavioral2/memory/3120-0-0x0000000000400000-0x0000000000417000-memory.dmp (rule: upx)
behavioral2/memory/3120-29-0x0000000000400000-0x0000000000417000-memory.dmp (rule: upx)
Both dumps cover the region at the default 32-bit image base (0x400000) of PID 3120, taken at two points in the run; the match is consistent with a UPX-packed sample.
Drops file in System32 directory (1 IoC)
File created: C:\Windows\SysWOW64\cbdijmbn.dll (by c1d6b600261c8fa506046e27639d8104.exe)
SysWOW64 is the 32-bit system directory; a 32-bit process that writes to C:\Windows\System32 is redirected there by WOW64 unless it disables file-system redirection.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (6 IoCs), all by c1d6b600261c8fa506046e27639d8104.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBD236B7-B762-4832-AEC1-D3178F03C71B}\InProcServer32
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBD236B7-B762-4832-AEC1-D3178F03C71B}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBD236B7-B762-4832-AEC1-D3178F03C71B}\InProcServer32\(Default) = "C:\\Windows\\SysWow64\\cbdijmbn.dll" (escaped as in the sandbox output; the stored string is C:\Windows\SysWow64\cbdijmbn.dll)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CBD236B7-B762-4832-AEC1-D3178F03C71B}\InProcServer32\ThreadingModel = "Apartment"
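The two signatures above only make sense together: the ShellServiceObjectDelayLoad value supplies a GUID, and the CLSID\{GUID}\InProcServer32 default value supplies the DLL that GUID resolves to. The following script is an added example (not part of the Triage report or its tooling) that correlates those events into a single persistence finding, the way a detection rule over Sysmon registry events (IDs 12/13) or a sandbox trace would. The `Event` record, the function names and `SAMPLE_EVENTS` are this example's own; the sample trace is a constructed transcription of the IoCs listed on this page.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    """One sandbox event; for 'Set value' the value name is the last path component."""
    op: str              # "Key created", "Set value (str)", "File created", ...
    path: str            # registry path or file path
    data: Optional[str]  # value data for Set value, else None
    process: str         # image name of the acting process


GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
SSODL_TAIL = r"\microsoft\windows\currentversion\shellserviceobjectdelayload"
# ...\CLSID\{guid}\InProcServer32 in either the native or the WOW6432Node view
INPROC_RE = re.compile(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$", re.I)

# Constructed sample trace: a transcription of the registry and file IoCs in this report.
SAMPLE = "c1d6b600261c8fa506046e27639d8104.exe"
HKLM_SW = r"\REGISTRY\MACHINE\SOFTWARE"
SSODL_KEY = HKLM_SW + r"\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID = "{CBD236B7-B762-4832-AEC1-D3178F03C71B}"
INPROC_KEY = HKLM_SW + r"\Classes\WOW6432Node\CLSID" + "\\" + CLSID + r"\InProcServer32"
SAMPLE_EVENTS: List[Event] = [
    Event("Key created", SSODL_KEY, None, SAMPLE),
    Event("Set value (str)", SSODL_KEY + r"\CBD236B7", CLSID, SAMPLE),
    Event("Key created", INPROC_KEY, None, SAMPLE),
    # a trailing backslash is how the report writes the (Default) value of a key
    Event("Set value (str)", INPROC_KEY + "\\", "C:\\Windows\\SysWow64\\cbdijmbn.dll", SAMPLE),
    Event("Set value (str)", INPROC_KEY + r"\ThreadingModel", "Apartment", SAMPLE),
    Event("File created", r"C:\Windows\SysWOW64\cbdijmbn.dll", None, SAMPLE),
]


def split_value_path(path: str) -> Tuple[str, str]:
    """Split 'key\\name' into (key, name); an empty name is the (Default) value."""
    key, _, name = path.rpartition("\\")
    return key, name


def ssodl_entries(events: Iterable[Event]) -> Dict[str, Tuple[str, str]]:
    """value name -> (GUID, writing process) for GUIDs written under any ShellServiceObjectDelayLoad key."""
    out: Dict[str, Tuple[str, str]] = {}
    for ev in events:
        if not ev.op.startswith("Set value"):
            continue
        key, name = split_value_path(ev.path)
        if key.lower().endswith(SSODL_TAIL) and ev.data and GUID_RE.fullmatch(ev.data.strip()):
            out[name] = (ev.data.strip().upper(), ev.process)
    return out


def inproc_servers(events: Iterable[Event]) -> Dict[str, str]:
    """GUID -> DLL path from the (Default) value of ...\\CLSID\\{GUID}\\InProcServer32."""
    out: Dict[str, str] = {}
    for ev in events:
        if not ev.op.startswith("Set value"):
            continue
        key, name = split_value_path(ev.path)
        if name:  # ThreadingModel and other named values do not carry the server path
            continue
        m = INPROC_RE.search(key)
        if m and ev.data:
            out[m.group(1).upper()] = ev.data
    return out


def created_files(events: Iterable[Event]) -> set:
    """Lower-cased paths of files created in the trace (SysWOW64 and SysWow64 differ only in case)."""
    return {ev.path.lower() for ev in events if ev.op == "File created"}


def find_ssodl_persistence(events: List[Event]) -> List[dict]:
    """One finding per SSODL entry; dll is None when the trace never registered the CLSID."""
    servers = inproc_servers(events)
    dropped = created_files(events)
    findings = []
    for name, (guid, writer) in ssodl_entries(events).items():
        dll = servers.get(guid)
        findings.append({
            "value": name,
            "clsid": guid,
            "dll": dll,
            "dll_dropped_in_trace": dll is not None and dll.lower() in dropped,
            "process": writer,
        })
    return findings


if __name__ == "__main__":
    for finding in find_ssodl_persistence(SAMPLE_EVENTS):
        print(finding)
```

Matching is case-insensitive throughout because the report itself writes the DLL path as SysWow64 in the registry value and SysWOW64 in the file event; an exact-string join would miss the link. An SSODL entry whose CLSID never receives an InProcServer32 value in the same trace is still reported (with `dll` set to None), since the registration may have happened earlier or in another process.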
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 3120 c1d6b600261c8fa506046e27639d8104.exe (recorded twice)
Suspicious use of SetWindowsHookEx (1 IoC)
PID 3120 c1d6b600261c8fa506046e27639d8104.exe
Suspicious use of WriteProcessMemory (3 IoCs)
PID 3120 (c1d6b600261c8fa506046e27639d8104.exe) wrote to the memory of PID 4660 (procid_target 89), recorded three times
PID 4660 is the cmd.exe child listed under Processes. A parent also writes into a freshly created child during ordinary CreateProcess setup, so these writes on their own do not establish injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c1d6b600261c8fa506046e27639d8104.exe (PID 3120)
   command line: "C:\Users\Admin\AppData\Local\Temp\c1d6b600261c8fa506046e27639d8104.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Checks computer location settings
   - Loads dropped DLL
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 4660), child of PID 3120
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SelfDel.bat" "
The child's command line asks for system32\cmd.exe while the resolved image is SysWOW64\cmd.exe: WOW64 redirected the 32-bit parent's request. The batch file's name suggests it removes the dropper after it exits, but its contents are not shown in this report.
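The process tree shows the one shape worth a rule of its own: an executable running from the user's Temp directory spawns cmd.exe /c on a batch file that also lives in Temp. The script below is an added example (not part of the report) that extracts the batch path from cmd's doubled-quote form and flags that parent/child combination. `Proc`, the function names and `SAMPLE_TREE` are this example's own; the two process records are constructed from the tree above.

```python
import re
from typing import List, NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: Optional[int]
    image: str      # image path as the sandbox resolved it
    cmdline: str


TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# first drive-letter path ending in .bat/.cmd, whether or not cmd's doubled quotes surround it
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:bat|cmd))(?="|\s|$)', re.I)
CMD_SWITCH_RE = re.compile(r"(?:^|\s)/[ck](?:\s|$)", re.I)

# Constructed from the process tree in this report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\c1d6b600261c8fa506046e27639d8104.exe"
SAMPLE_TREE: List[Proc] = [
    Proc(3120, None, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    # the 32-bit parent asked for system32\cmd.exe; WOW64 redirection resolved it to SysWOW64
    Proc(4660, 3120, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SelfDel.bat" "'),
]


def script_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the batch file a 'cmd.exe /c|/k ...' command line runs, or None."""
    if not CMD_SWITCH_RE.search(cmdline):
        return None
    m = SCRIPT_RE.search(cmdline)
    return m.group(1) if m else None


def batch_from_temp_parent(procs: List[Proc]) -> List[dict]:
    """cmd.exe children running a .bat/.cmd from Temp for a parent that itself runs from Temp."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        script = script_from_cmdline(p.cmdline)
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if script and TEMP_DIR_RE.search(script) and parent and TEMP_DIR_RE.search(parent.image):
            hits.append({"pid": p.pid, "parent_pid": parent.pid,
                         "parent_image": parent.image, "script": script})
    return hits


if __name__ == "__main__":
    for hit in batch_from_temp_parent(SAMPLE_TREE):
        print(hit)
```

The rule keys on the resolved image path rather than on the command line, so the system32/SysWOW64 mismatch seen here does not matter, and it requires the parent to be in Temp as well, which keeps ordinary installers that run a batch from Temp under a signed parent elsewhere out of the hit list.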
Network
MITRE ATT&CK Enterprise v15
Downloads
The report does not name these two files; only their sizes and hashes are given.
File 1
Filesize: 279B
MD5: 2351fb5aace5c30fe307b26ee8029dd0
SHA1: 8de2bde9e5241b8f59b99bcce04f0e7fd5ebb925
SHA256: aa30b63e2658b9d0088f15c9192e3e8a5ff06ba91aebdda14d01d21a55d6f624
SHA512: f97aab2117e05ae584b47bd37a57649ffd3dd642eb0108fbe1c61656320226da02b3d8ffd0a91fb2f4a2f1fc95eaf84633fcecf31b96311db739cab6260f3af1
File 2
Filesize: 44KB
MD5: 49ed89fb90a0caa60fc5bee22e8273df
SHA1: f968692fd23fc949e70667d2c6501fd1bd8a7dfe
SHA256: 09811d0b3fe3b0d9a77be81d41e3a086f16270b7534a2b283c0d97b4c450c756
SHA512: d5740d0ffededb5bab99fbb15afe85d107403c40737ce134b62d9782002e4c68064e5e40ad17473e131662349cb9863deef5bf67a46df8cdd59fc2bfe7ee75ed