7416a147df7d5a895f4cd5de6bd80db29fa9176d74d2a046487521499c4f08b2

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c21fccbd2bf54ae063d3625f452f7071.exe
Size

12KB
MD5

c21fccbd2bf54ae063d3625f452f7071
SHA1

510649854ef82975a2d1169985c6dfe399ad8b5c
SHA256

7416a147df7d5a895f4cd5de6bd80db29fa9176d74d2a046487521499c4f08b2
SHA512

0112bdc01c06564d1267989a7622d8de6572010f3bb41b2e79e29255ec79b499841c8c221d117097d14103d121f6f15049b4e6a2ff19b6e56eec2e93ce306367
SSDEEP

192:WF14nGKN7d5QstF9851DKOX1A+b15T2qf4FAwUUTZ1yXTV4a2GQ51niKfi16sEX0:SNKN7MSF9kw4A+b11pwTWX543zq1REX0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll = "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"	c21fccbd2bf54ae063d3625f452f7071.exe

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	c21fccbd2bf54ae063d3625f452f7071.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.tmp	c21fccbd2bf54ae063d3625f452f7071.exe
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.nls	c21fccbd2bf54ae063d3625f452f7071.exe
File created	C:\Windows\SysWOW64\slbiopfs2.tmp	c21fccbd2bf54ae063d3625f452f7071.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32	c21fccbd2bf54ae063d3625f452f7071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ = "C:\\Windows\\SysWow64\\slbiopfs2.dll"	c21fccbd2bf54ae063d3625f452f7071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ThreadingModel = "Apartment"	c21fccbd2bf54ae063d3625f452f7071.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}	c21fccbd2bf54ae063d3625f452f7071.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2960	c21fccbd2bf54ae063d3625f452f7071.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2960	c21fccbd2bf54ae063d3625f452f7071.exe
2960	c21fccbd2bf54ae063d3625f452f7071.exe
2960	c21fccbd2bf54ae063d3625f452f7071.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2564	2960	c21fccbd2bf54ae063d3625f452f7071.exe	28
PID 2960 wrote to memory of 2564	2960	c21fccbd2bf54ae063d3625f452f7071.exe	28
PID 2960 wrote to memory of 2564	2960	c21fccbd2bf54ae063d3625f452f7071.exe	28
PID 2960 wrote to memory of 2564	2960	c21fccbd2bf54ae063d3625f452f7071.exe	28

C:\Users\Admin\AppData\Local\Temp\c21fccbd2bf54ae063d3625f452f7071.exe
"C:\Users\Admin\AppData\Local\Temp\c21fccbd2bf54ae063d3625f452f7071.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\C081.tmp.bat
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C081.tmp.bat

Filesize
179B

MD5
9dfb0c514c4c1b20a9d22e2afd6989da

SHA1
b1adb19e109fc7c8fcfde85193e62aa0860476f6

SHA256
627806434bf850db8d073638f1568f252b68c4ff4664ea16494a1b1f7b3ed300

SHA512
576263a41c27a9d2b7c48efb175ff144dcd30c0a8ee9bf0f5724d8667d0efd0b94a738305544c8b2bc93bac2d8e0402ca7a1f7d02aabf4a443bc3f1870703e6f

Download Submit
C:\Windows\SysWOW64\slbiopfs2.nls

Filesize
428B

MD5
c3de7dee96f4814a750642ac7ab96c04

SHA1
b28ae61e2387790a69419b1edbf395b63869e9d2

SHA256
2ca87196fe2154351916285baa69202ca42cec38342a414b1bb1702ec59ce3f7

SHA512
b660f69b8c0a835ca3a5c38b7ead7c45400a4903c0d2a6343f76ef7ac184b659562227c62b1702c6c6acc2732355bdd59f1d207a92ac04b15be8e873d2812470

Download Submit
C:\Windows\SysWOW64\slbiopfs2.tmp

Filesize
680KB

MD5
471c52c92e2572988c6c0e5fb98bb23e

SHA1
0fc5bdbc6a229ae1216dcea10e0d665a6b31c25e

SHA256
0553ab810c4bc90ac211b3571e2b6793db7ba86fd083c9a4583e27ffb5040b3e

SHA512
32643546a66c04dbf4a05881c4da591f13baf3a27b9ac3c1584963c004bc5c80aeee66520c9940ef956d418cfd5797c6a3451b15c4df5163df346f5f474ee166

Download Submit
memory/2960-16-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2960-26-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download