7416a147df7d5a895f4cd5de6bd80db29fa9176d74d2a046487521499c4f08b2

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c21fccbd2bf54ae063d3625f452f7071.exe
Size

12KB
MD5

c21fccbd2bf54ae063d3625f452f7071
SHA1

510649854ef82975a2d1169985c6dfe399ad8b5c
SHA256

7416a147df7d5a895f4cd5de6bd80db29fa9176d74d2a046487521499c4f08b2
SHA512

0112bdc01c06564d1267989a7622d8de6572010f3bb41b2e79e29255ec79b499841c8c221d117097d14103d121f6f15049b4e6a2ff19b6e56eec2e93ce306367
SSDEEP

192:WF14nGKN7d5QstF9851DKOX1A+b15T2qf4FAwUUTZ1yXTV4a2GQ51niKfi16sEX0:SNKN7MSF9kw4A+b11pwTWX543zq1REX0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll = "{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}"	c21fccbd2bf54ae063d3625f452f7071.exe

Loads dropped DLL 1 IoCs

pid	Process
2900	c21fccbd2bf54ae063d3625f452f7071.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.tmp	c21fccbd2bf54ae063d3625f452f7071.exe
File opened for modification	C:\Windows\SysWOW64\slbiopfs2.nls	c21fccbd2bf54ae063d3625f452f7071.exe
File created	C:\Windows\SysWOW64\slbiopfs2.tmp	c21fccbd2bf54ae063d3625f452f7071.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}	c21fccbd2bf54ae063d3625f452f7071.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32	c21fccbd2bf54ae063d3625f452f7071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ = "C:\\Windows\\SysWow64\\slbiopfs2.dll"	c21fccbd2bf54ae063d3625f452f7071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}\InProcServer32\ThreadingModel = "Apartment"	c21fccbd2bf54ae063d3625f452f7071.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2900	c21fccbd2bf54ae063d3625f452f7071.exe
2900	c21fccbd2bf54ae063d3625f452f7071.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2900	c21fccbd2bf54ae063d3625f452f7071.exe
2900	c21fccbd2bf54ae063d3625f452f7071.exe
2900	c21fccbd2bf54ae063d3625f452f7071.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 3304	2900	c21fccbd2bf54ae063d3625f452f7071.exe	104
PID 2900 wrote to memory of 3304	2900	c21fccbd2bf54ae063d3625f452f7071.exe	104
PID 2900 wrote to memory of 3304	2900	c21fccbd2bf54ae063d3625f452f7071.exe	104

C:\Users\Admin\AppData\Local\Temp\c21fccbd2bf54ae063d3625f452f7071.exe
"C:\Users\Admin\AppData\Local\Temp\c21fccbd2bf54ae063d3625f452f7071.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\B0E1.tmp.bat
  2⤵
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B0E1.tmp.bat

Filesize
179B

MD5
9dfb0c514c4c1b20a9d22e2afd6989da

SHA1
b1adb19e109fc7c8fcfde85193e62aa0860476f6

SHA256
627806434bf850db8d073638f1568f252b68c4ff4664ea16494a1b1f7b3ed300

SHA512
576263a41c27a9d2b7c48efb175ff144dcd30c0a8ee9bf0f5724d8667d0efd0b94a738305544c8b2bc93bac2d8e0402ca7a1f7d02aabf4a443bc3f1870703e6f

Download Submit
C:\Windows\SysWOW64\slbiopfs2.nls

Filesize
428B

MD5
c3de7dee96f4814a750642ac7ab96c04

SHA1
b28ae61e2387790a69419b1edbf395b63869e9d2

SHA256
2ca87196fe2154351916285baa69202ca42cec38342a414b1bb1702ec59ce3f7

SHA512
b660f69b8c0a835ca3a5c38b7ead7c45400a4903c0d2a6343f76ef7ac184b659562227c62b1702c6c6acc2732355bdd59f1d207a92ac04b15be8e873d2812470

Download Submit
C:\Windows\SysWOW64\slbiopfs2.tmp

Filesize
884KB

MD5
f07e0d41ef29f70e51499157dcd94f76

SHA1
c62d8478aa0f6b15d9a9a92cf7ab9bd40d18b100

SHA256
64126bb3f0fcc92fe8928f69031ada43004027d0d0d91b457df22784fa4ca37b

SHA512
eee5e9244e5db1d9a78943319304b83d92b4d8986debe9844367a07a7b4cfd8e82918700085d0904a2534498b726530ab7b03705c68efaf8b7e7fa3822bb1b4c

Download Submit
memory/2900-17-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download
memory/2900-21-0x0000000020000000-0x0000000020008000-memory.dmp

Filesize
32KB

Download