ae733a0abbc428a165cd22715064bec3dda3d50162ff79fa6b5a0b8531e96b63

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4b7170f7242e3c5537c8fb128b6257d.exe
Size

17KB
MD5

c4b7170f7242e3c5537c8fb128b6257d
SHA1

08e6bf55d3d755ca1ff675fec2ea85738048fd5c
SHA256

ae733a0abbc428a165cd22715064bec3dda3d50162ff79fa6b5a0b8531e96b63
SHA512

b4a01bfff6ea30c6ed6e77d5d2da6741e386b36373a0d296fbc39e781437ccc7385fd9c6792a2962266adb1547db4565d7b84cae817e6b493dc3ca721ce38ba5
SSDEEP

384:JeUptCGyXQuv2EwMl998I3kJU4R19K6iCfapLr8iy/WQ3:0WtrygumMlL82kJU4b9PiCfaZ2uC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cdflkvys.dll = "{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}"	c4b7170f7242e3c5537c8fb128b6257d.exe

Loads dropped DLL 1 IoCs

pid	Process
1308	c4b7170f7242e3c5537c8fb128b6257d.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cdflkvys.nls	c4b7170f7242e3c5537c8fb128b6257d.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ = "C:\\Windows\\SysWow64\\cdflkvys.dll"	c4b7170f7242e3c5537c8fb128b6257d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ThreadingModel = "Apartment"	c4b7170f7242e3c5537c8fb128b6257d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}	c4b7170f7242e3c5537c8fb128b6257d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32	c4b7170f7242e3c5537c8fb128b6257d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1308	c4b7170f7242e3c5537c8fb128b6257d.exe
1308	c4b7170f7242e3c5537c8fb128b6257d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1308	c4b7170f7242e3c5537c8fb128b6257d.exe
1308	c4b7170f7242e3c5537c8fb128b6257d.exe
1308	c4b7170f7242e3c5537c8fb128b6257d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2836	1308	c4b7170f7242e3c5537c8fb128b6257d.exe	100
PID 1308 wrote to memory of 2836	1308	c4b7170f7242e3c5537c8fb128b6257d.exe	100
PID 1308 wrote to memory of 2836	1308	c4b7170f7242e3c5537c8fb128b6257d.exe	100

C:\Users\Admin\AppData\Local\Temp\c4b7170f7242e3c5537c8fb128b6257d.exe
"C:\Users\Admin\AppData\Local\Temp\c4b7170f7242e3c5537c8fb128b6257d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BA38.tmp.bat
  2⤵
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BA38.tmp.bat

Filesize
179B

MD5
25d5ecf52233f763169b4dc60aac12bf

SHA1
859d0eb3536c1178e700ff8d19e7ed9d3e0f538b

SHA256
fc223d4ba362b5b0e16b9c35c140f0ad0d1177a579cd961c89639fb2358ddde6

SHA512
eb90ef0a7c4caeb99bfe90576c6c0ad8c9520205d9e898eff96b43582901d7908d1ed7aaec254025a4b41908dd8be0ac0c1b4faaec38037cad0bdc1da462f3fd

Download Submit
C:\Windows\SysWOW64\cdflkvys.dll

Filesize
705KB

MD5
7252a0d2e140df5ea0bb3a083860f58f

SHA1
bba92fc1e0b30199605440f50f9742ffe58acb72

SHA256
8d40d30274c4cae63c0dc96ea172248ccb2cd185ac1a573ade44f4b56df9cbde

SHA512
9dbe318971c5ad5448abb95c04480302b735628cf171dbfa2a21ba0704d627bd857dc31949032c76082452eb76889f0a8bdfffa522bb729d066373e07eabb2e6

Download Submit
C:\Windows\SysWOW64\cdflkvys.dll

Filesize
471KB

MD5
009299b139c07a539c77a8116faaae3e

SHA1
9a1f235e38c9648d6fcd8410ed4ad71ac5704904

SHA256
528c292efce48260eaf087db08ef6ea99d699b07c79318baabc5cf039a8a763b

SHA512
81ae27a0aeabe2ef0c593df36ddee66de6ac5b7c8a17fdb59b989afd3da002d1b32e5987f4f3081987081dffd439d00dd2d38243486e4837dfcdea2632679a08

Download Submit
memory/1308-9-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1308-13-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download