1888066013ef8e9f4d5c1ff5f6912adbdb6e42c1548671af7357e37751d32f1b

Analysis

max time kernel
90s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c64fa255df1b03022f2cf8ecd03fccb2.exe
Size

14KB
MD5

c64fa255df1b03022f2cf8ecd03fccb2
SHA1

90f5843833701f8093692a18dabcdbe1f9de80ff
SHA256

1888066013ef8e9f4d5c1ff5f6912adbdb6e42c1548671af7357e37751d32f1b
SHA512

099011ba6e03d1da2f7008d85bee3323eaa63085508a2e77b19aa8a5cc380e7b829d6bd5e160ff6879023ee138db8fce52e1b271fd62d1ff90daac2907d1aac8
SSDEEP

192:vmOr1W7LByID6uR4i84sSc3Xc+b2BkwLRIpCXdMgBJFGQ0mpW2v2XZJwabMv/piY:vma1uedPHKOEgCX3FI8v+Jw3/piLE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bootvidgj.dll = "{D3112B69-A745-4805-874E-ABD480EA1299}"	c64fa255df1b03022f2cf8ecd03fccb2.exe

Loads dropped DLL 1 IoCs

pid	Process
2852	c64fa255df1b03022f2cf8ecd03fccb2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bootvidgj.tmp	c64fa255df1b03022f2cf8ecd03fccb2.exe
File opened for modification	C:\Windows\SysWOW64\bootvidgj.nls	c64fa255df1b03022f2cf8ecd03fccb2.exe
File created	C:\Windows\SysWOW64\bootvidgj.tmp	c64fa255df1b03022f2cf8ecd03fccb2.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}	c64fa255df1b03022f2cf8ecd03fccb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}\InProcServer32	c64fa255df1b03022f2cf8ecd03fccb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}\InProcServer32\ = "C:\\Windows\\SysWow64\\bootvidgj.dll"	c64fa255df1b03022f2cf8ecd03fccb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3112B69-A745-4805-874E-ABD480EA1299}\InProcServer32\ThreadingModel = "Apartment"	c64fa255df1b03022f2cf8ecd03fccb2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2852	c64fa255df1b03022f2cf8ecd03fccb2.exe
2852	c64fa255df1b03022f2cf8ecd03fccb2.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2852	c64fa255df1b03022f2cf8ecd03fccb2.exe
2852	c64fa255df1b03022f2cf8ecd03fccb2.exe
2852	c64fa255df1b03022f2cf8ecd03fccb2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4532	2852	c64fa255df1b03022f2cf8ecd03fccb2.exe	101
PID 2852 wrote to memory of 4532	2852	c64fa255df1b03022f2cf8ecd03fccb2.exe	101
PID 2852 wrote to memory of 4532	2852	c64fa255df1b03022f2cf8ecd03fccb2.exe	101

C:\Users\Admin\AppData\Local\Temp\c64fa255df1b03022f2cf8ecd03fccb2.exe
"C:\Users\Admin\AppData\Local\Temp\c64fa255df1b03022f2cf8ecd03fccb2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DF73.tmp.bat
  2⤵
  PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DF73.tmp.bat

Filesize
179B

MD5
f6102bf98769c4c56f0bf0b1b96ccb28

SHA1
17d2d0c69f4e43f9ddbfc99005acc3eefab29e8e

SHA256
2459efec37a8709e85e589a09735256900dcd0159663e9ad2ba707cbe7946732

SHA512
7b7763bc78b0f41d399119f858af51d5d49a772dd3320d0da1976de0911b88ed8b16c5ae4237b712fceb39f98d907dcc7a5a1c5267a99fd6e2f39b80465eb488

Download Submit
C:\Windows\SysWOW64\bootvidgj.dll

Filesize
240KB

MD5
ac8ad31a1db38b01914a91fdf8039171

SHA1
d2a0dec6905afed23c410ec13e169e07e6842a3e

SHA256
46a3a6563318e1329a52febd9565853096ee69a00fa554e179e0f087ee7ed793

SHA512
88f84da71d8c2270ca4597551abe473f16b383b96299e85953d07bb01ce55b72fc50873d96189f7a9e33c7c7c9f52f879b3842432a22ac8bfe70a4f80387043d

Download Submit
C:\Windows\SysWOW64\bootvidgj.tmp

Filesize
320KB

MD5
45cff8b9b5d015f0e51fc0bdc70e0e38

SHA1
a7f9646b96d56442a7dcf09627bfd7f4cde68ce3

SHA256
13359115e6aaa79c80f2081cc120d1789a500d0f41212c6288d8947ad374ebc7

SHA512
f092410d5523bd7fd111f89941b0b28920719219fe6361ea4ac2f904356253250711364bbe6c16aacf7af4e23cdc7e397bdccf37d4e742e65b12a0f8344bb270

Download Submit
memory/2852-13-0x0000000020000000-0x000000002006D000-memory.dmp

Filesize
436KB

Download
memory/2852-18-0x0000000020000000-0x000000002006D000-memory.dmp

Filesize
436KB

Download