409c0607a3d766daa46b5478d84d82021856a0b77d39f22504a8437c7914adf7

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c80c1b05b426945eca03302d16219791.exe
Size

1.9MB
MD5

c80c1b05b426945eca03302d16219791
SHA1

97cf1b8ad0e761957d95550e1944035504ab71a5
SHA256

409c0607a3d766daa46b5478d84d82021856a0b77d39f22504a8437c7914adf7
SHA512

2b2bf67ab40c633d626450fd70c334e344a6d2943b5389f590a8555d29c62f2672c1f4af8206470f7a8de62698ed2398f87779f56a6f7b665d8134321e5c0725
SSDEEP

49152:FI724QOXxmmsACAjP8Im7smFTmY4otUmiF:KFRXxY277m79mH9miF

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,rundll32 shell32 Control_RunDLL \"syskb.cpl\""	6.exe

Executes dropped EXE 1 IoCs

pid	Process
1980	6.exe

Loads dropped DLL 6 IoCs

pid	Process
1888	c80c1b05b426945eca03302d16219791.exe
1888	c80c1b05b426945eca03302d16219791.exe
1980	6.exe
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\syskb.cpl	6.exe
File created	C:\Windows\SysWOW64\verclsid.exe	6.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\fonts\1b3643d1.ttf	6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{51CEAEDE-3DB6-480d-89AB-7334F3DE3095} = "1b3643d1;1241882686;-261511501,-390526356"	6.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1980	1888	c80c1b05b426945eca03302d16219791.exe	28
PID 1888 wrote to memory of 1980	1888	c80c1b05b426945eca03302d16219791.exe	28
PID 1888 wrote to memory of 1980	1888	c80c1b05b426945eca03302d16219791.exe	28
PID 1888 wrote to memory of 1980	1888	c80c1b05b426945eca03302d16219791.exe	28
PID 1980 wrote to memory of 1424	1980	6.exe	29
PID 1980 wrote to memory of 1424	1980	6.exe	29
PID 1980 wrote to memory of 1424	1980	6.exe	29
PID 1980 wrote to memory of 1424	1980	6.exe	29
PID 1980 wrote to memory of 1424	1980	6.exe	29
PID 1980 wrote to memory of 1424	1980	6.exe	29
PID 1980 wrote to memory of 1424	1980	6.exe	29
PID 1980 wrote to memory of 952	1980	6.exe	30
PID 1980 wrote to memory of 952	1980	6.exe	30
PID 1980 wrote to memory of 952	1980	6.exe	30
PID 1980 wrote to memory of 952	1980	6.exe	30

C:\Users\Admin\AppData\Local\Temp\c80c1b05b426945eca03302d16219791.exe
"C:\Users\Admin\AppData\Local\Temp\c80c1b05b426945eca03302d16219791.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\6.exe
  "C:\Users\Admin\AppData\Local\Temp\6.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 shell32 Control_RunDLL "syskb.cpl"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\delA63E.tmp.bat"
    3⤵
    PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
15KB

MD5
70eb53b2bce2e9cd5db13ff21968f956

SHA1
dd6319656fa26f5f5e6ec3c31415c480366bb0ad

SHA256
f6b5a4fdda7364e19cd212504532d09a32704fc2eb8e3676ad3753f99b230a4a

SHA512
0d7568a387deca8c3ea3827bec4213a6deb09c7f69e1576cba362e54efae0aaef5a4ac04f3b70a890abfb5474758b1d75df8c76b10b576e93f371ebe13e332eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\38120746

Filesize
82B

MD5
d71b21f073557315816d77cff30528d0

SHA1
b78425d99d6150858f3a6dc28be9f02cbd793115

SHA256
710811177eede5186a8e7e33aa257e2ddcbf0a08bdc2621eea5ad5832714797f

SHA512
ec744bb9017275adaa87a385644664ab4e64e2bedd6a61f3e6973dcb829202cf58420e776172d1ea7e832fdd5370c69504b38a486671a5d37b19fd447b13a6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\47F6F508

Filesize
82B

MD5
e2be98db12748829f6a1b7f5a04af169

SHA1
af7949b95894820c9b593ac5f3ae00e5cedb0ee6

SHA256
71b9ee911dc752bad2cde704a25659e9188285a5eafcad0ed5a2e4c529ac614e

SHA512
50d2d8b8410737bdf4741bc879a24cac23bd2579442fb2c8092f358bdb0a9d75ee6d91459197cf08528ad6c555c621830b4f92d3ee425b51311300b57c95f98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\6C08CE60

Filesize
82B

MD5
e1746587f89f004ca304e2109592677b

SHA1
286e90bf0b889e29c5181a5a374f21610bbc0725

SHA256
009a03fe387f54ae1faa7b33d70428b2fa8a85d8cde0bcaadb8b07e59b50ebcf

SHA512
201f4cdeae0ed61ed01314f719a7708a25eda9003bf57dbe3833c8c2fd5f08dc9654cda0a965228c5fccd2271dc3be8e84da71952ed46beec6809c174043c6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\7A2C4650

Filesize
82B

MD5
7c4a60e6663e71c93de27d378112e622

SHA1
b31c323f42748f6be476217458d7c226d29de03b

SHA256
f168365f9cfb8f49fc22468272e410d252c38c77ec26ea9f7dc19e777f1d7a1b

SHA512
6943a268d0af9f1bb70b29c01b06edc02e204a4854762e7fe89c63e3139911764415e5814b9cd0ba77acf679aa2cf902712cd266736ce3586ee652e768f13b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\7DCBDFD6

Filesize
68B

MD5
8009becfeebb4c29cdee058fa11da69d

SHA1
757173dfca7e9b71fbc453b0f0ee13ac02523a54

SHA256
c0b9535dd2f69898fe3d7c0979b71ed8d13591ce273de4398657eb4e71c1c3ba

SHA512
f1ffa7d78629d356bc9a7c0f06ee56d84481104fee301ceec531d4d3490ebb33760ec01da1119fd09b74d4eccea74b463eb1bd6a5924b73b637be5f187d38064

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\9AA0B0B1

Filesize
115B

MD5
a51f1bfc5c714cd1c369e8db1e33e8a5

SHA1
cddb24433088546c467cf29308763c3ded5349c5

SHA256
ea31958f6f62a706794e1e1d31ced717161c453d64235b5e18753610b0f2464f

SHA512
b282dd764f1da1fb753216191c7d9ae3e3c0ac1ccb5b94df0faed5c7cc459bacfa5169e23e8ad5ab2aed966fad17cae58b671206ba1037d364674c774bbb94eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\9ABE3CA8

Filesize
164B

MD5
7ffe0288cccad7eb66f33c56a59a649f

SHA1
2fb03b98bf60c9c3ac7ee1bc3749fe371cb85618

SHA256
00b9f34b7a58408458506d1c6cc1d434c2ad3361a50bc445d938f528dd1d7e68

SHA512
cdad26ac4a7b287564967d24e8d35e06e16b938f4b12515e22e2b0585ee8da90bdd7528981ba314541598bc2001a8fee6a005a78ea66b63edcf393afda48b82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\9F0F368D

Filesize
86B

MD5
0a8bcdf88155f43e8655696970751d76

SHA1
eee7f6ea54a61e5540f304369dd5de191ccfdd87

SHA256
7492052a4005f29783563d899e93a7cbea9ee1f3b9ad3519b137a737a6022ea8

SHA512
334be4633b2f2de92e069bdaf3ccf5661d8b30b455232ad04a06f0ed28ea6fd6ff930cf34087d1d14f28c09481ee43803cfc262b961c15e47f555df193a0fd3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\A61CB530

Filesize
84B

MD5
dfaaba093db270d1726c1a2e3325d35d

SHA1
21f5bc994061473fd69db8c4a9480b4ae42248b2

SHA256
4907edf0b04ac82761840b7ef36976d1848a5eecb545cbce7508dbed1f2f2b0f

SHA512
3ebcc206becd180f9dcea93e27f8aa2b738871b339e4d498ac926546fd59a520ec41ae215983634095fcf6ef292e049032c282ad787b9ab0b08ddb7a865ae9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\B38E5520

Filesize
82B

MD5
b44f9fe1287b4c450234c0167a2a6165

SHA1
b9d9d29de7aa6097a12205973e64131028715b93

SHA256
9f2595103090348fb05d9bb8299ff76f39dcbd55d624d60dcb269ecaf60897e1

SHA512
58e68051fe7d2f7424cacdd138ea32939efbee367553643233294a967c181f55f2fa28ebc3996d11fb20daf887605340829b42e891f883244abc67e4067333ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\C153719A

Filesize
115B

MD5
ab3d9aa049c77a5887c6229f11c577a4

SHA1
d9b2a89561505835ef11a7512d2e28e061c6c712

SHA256
bf7192d8e349fdc2c5f105c8c974267c1820e60a03eb2243b825f51f3fad0f9e

SHA512
4cc31a1cf8684fea89ec4d4ff1f2ad575a951502d851313156f3d94b416f6c2f41a065ef2937c5a539fe047a483b16305d42738f8333cc10961d535831aca3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\D31AE8D4

Filesize
132B

MD5
09b8e89ffe48fb88dfe38eef8795e141

SHA1
090c26e30d67fd66f93e4590a567173d0026c2bc

SHA256
50ff05c164863043ad98ce480210255ab8617eccc0ab13c3e4940d14d56476e2

SHA512
5bc555ad689da5222d156faba45562de4ef47c761e96f77f849eced0551896bd5377ce21a29134640d8e75be2e90c5fc820f3439dc8d1c979cc207d9d8d47311

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\D7EF38E9

Filesize
119B

MD5
308575c936f9d6d28ab58e8c0b40e961

SHA1
37e0bb4ea3e0d5291bc3c70e668c08933c06ccea

SHA256
31ab34001c46fb148f00a9ca01dbf5d030ee3e7b3e0b00ed3a2aacbbcd7480f7

SHA512
a07ad7d1700e6288a1f0375ffb9af13a1e4b23db513c6af5f1d8e5a9fd759574b0fa96da35b49b5c79ff0f6e84e1b4a4afd3d7a4017e7307158e1612caa71324

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\F5D8CF3A

Filesize
88B

MD5
457321dd97b278049b36095448450e19

SHA1
f6aceee71b6adaf3b3acdf396883e02973fd5535

SHA256
8a0686aab43b10fbd5883457d61dd23567e89d15e2c1a0e94f3caae526624f50

SHA512
9ca3a295fdd77698e817b7605fd3c129bb923b24ea270d2aafd4e0032b8c4849e919e2b63be173391f98bc1e9590a469d4a7ed6beadb83e0b65ef95e43b3188d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\F8C0C146

Filesize
105B

MD5
7c4881303e96dafdc51258bb26aee693

SHA1
11f8e7420f3bc70eb34957bbe069c5f56d253313

SHA256
b8a77f70090d5d46ee962aec5d531dfb0606308f14c58d97ed2891640e8a2790

SHA512
79d7782bbd0f2e9f31f5032532a29088b2bbdf4828cf1be587719c5a68730f228989471315f18c0ab71c6a66dae0b34df9487bfbe7ce6a8e24e848e62d71c30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskScript\FFF361

Filesize
122B

MD5
0795e0c6ee5e831b82c6679f2717e8c9

SHA1
e105465ec1a986ab30b0944b13677f743efba687

SHA256
bab009759361cd196678d43d786073f7e2bb3d8fcdfdcc77f7ba63d93796cac0

SHA512
c04d60899e5d539ec1b127aed3db2f9239bc3fadb8222f447a4c287728dc9ac4ea83e8909cd6e251b21e1bbe6d882d915f698787a35acd84febc132e560ed835

Download Submit
C:\Users\Admin\AppData\Local\Temp\delA63E.tmp.bat

Filesize
512B

MD5
ef6ac9e681358641a69221eda05fa902

SHA1
daafa035f3f79d67d7e01595cb75f0e5a4bf6073

SHA256
3beb011a58e085db28fc6f5e78f8bdee239a609a189cc0d44739e33869526d19

SHA512
379ad841dc72e0bae0a57e8f1d3b070ae6ea9c1a88f5741ce365081e19f205331d8a32b67bdeeb18fadc70531831019331dab42bb587d214c66f4fc23920448a

Download Submit
\Windows\Fonts\1b3643d1.ttf

Filesize
27KB

MD5
d90ee126719090e6784a3a1ef38d35bc

SHA1
b8184b903cdc993a71990b9f2839097f97a718b9

SHA256
4003a6091d9de92858e218122532c1c219f47fdb6cd5d888833e46b2adf7ca08

SHA512
3d392963b396c936f808a89a526509b588a69f7c1880f7d293f06d284919991492cdf940c603901eb927e90b5189a42d89f1528aff820f2ed24c14a4eac1efdf

Download Submit
memory/1424-2645-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1888-2634-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1980-2639-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads