563e813313dbf27a91c862046f293a6ab8bfa4120f372bc696c7a7bc79d8f948

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2617b76536e87cd4674ef8d27eaf75e.exe
Size

17KB
MD5

c2617b76536e87cd4674ef8d27eaf75e
SHA1

d7eeb9060cbd6485ac5dbc93fe7264f839a826f7
SHA256

563e813313dbf27a91c862046f293a6ab8bfa4120f372bc696c7a7bc79d8f948
SHA512

cc24efd29adbf86b6ea04417f6b8065988405fd772541eba3545bd9f40f502fdd8f7ca4bd61ca1c399267417e85f07cf067b5fecc24dd1abc8a1da3a30b8eb4a
SSDEEP

384:QipFh5F21r+bacSGomWFUWWnB6P8syRSuQam:QipwiezpFUWq22SuQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\oobquvol.dll = "{71A78CD4-E470-4a18-8457-E0E0283DD507}"	c2617b76536e87cd4674ef8d27eaf75e.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2476	c2617b76536e87cd4674ef8d27eaf75e.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\oobquvol.nls	c2617b76536e87cd4674ef8d27eaf75e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\oobquvol.tmp	c2617b76536e87cd4674ef8d27eaf75e.exe
File opened for modification	C:\Windows\system\oobquvol.tmp	c2617b76536e87cd4674ef8d27eaf75e.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}	c2617b76536e87cd4674ef8d27eaf75e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32	c2617b76536e87cd4674ef8d27eaf75e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ = "C:\\Windows\\SysWow64\\oobquvol.dll"	c2617b76536e87cd4674ef8d27eaf75e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71A78CD4-E470-4a18-8457-E0E0283DD507}\InProcServer32\ThreadingModel = "Apartment"	c2617b76536e87cd4674ef8d27eaf75e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2476	c2617b76536e87cd4674ef8d27eaf75e.exe
2476	c2617b76536e87cd4674ef8d27eaf75e.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2476	c2617b76536e87cd4674ef8d27eaf75e.exe
2476	c2617b76536e87cd4674ef8d27eaf75e.exe
2476	c2617b76536e87cd4674ef8d27eaf75e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2520	2476	c2617b76536e87cd4674ef8d27eaf75e.exe	28
PID 2476 wrote to memory of 2520	2476	c2617b76536e87cd4674ef8d27eaf75e.exe	28
PID 2476 wrote to memory of 2520	2476	c2617b76536e87cd4674ef8d27eaf75e.exe	28
PID 2476 wrote to memory of 2520	2476	c2617b76536e87cd4674ef8d27eaf75e.exe	28

C:\Users\Admin\AppData\Local\Temp\c2617b76536e87cd4674ef8d27eaf75e.exe
"C:\Users\Admin\AppData\Local\Temp\c2617b76536e87cd4674ef8d27eaf75e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\8A65.tmp.bat
  2⤵
  - Deletes itself
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8A65.tmp.bat

Filesize
179B

MD5
73015806b65ddd5e49d7b52b025b2501

SHA1
9051e65ee3bb8ba875a67a1c9c3536e2fec08c9c

SHA256
defab0de41134a7665a364f8ee55d6ec585f2cabe1149267bd4e48fcb6b9f033

SHA512
da2be1af525ea63aff99e624cff7ef2a2e1195f428ecc49cbcf19a1dbfb050126ac7b1fddb0cc5ce1b9d70fa4c28dca470cab835290f66801ae2e1e1e1646cc2

Download Submit
C:\Windows\SysWOW64\oobquvol.dll

Filesize
280KB

MD5
59fda5bdec3e6f9e4e77f657705e28f2

SHA1
31c1c10906da6fe85bb241be596b29472a60c688

SHA256
4b4b157cf58ec14f6c13b880c41eb5141c8de5ee9cb37f66c7d6c1ac475f6e71

SHA512
7ddfda38df3d5a011e3dc80b6ed9f1f0aec7f45be3497a919915230ff9439772dcffd639ef9b3326e76c62e04d4401901d0e779ca545e597b6d9952ab43ce4f4

Download Submit
\Windows\SysWOW64\oobquvol.dll

Filesize
1.5MB

MD5
c511c5c6669bd9f5db60c79040b56e7d

SHA1
ca5804bd5f3ff1ab87153c62b98a65dd27e87256

SHA256
b4e0125aac3ccc99bf77bef8381fc56ef8db435236d0c7b222ce0f1cccaf160e

SHA512
b755a6e7319ffc6d63b3388b06c857f8d6f56285bc9dcf3722786af8f1c28d9745f1b3ed974b8be62a8c280f4413782ec9e784cd50ab35ae87579391463379fa

Download Submit
memory/2476-8-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2476-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download