a7231d2673c3fab4f1c78ffc49bbe4774f5dd63847706093df547b91769fc439

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/03/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d40688246116dc007f4cec0d5b1c929f.exe
Size

14KB
MD5

d40688246116dc007f4cec0d5b1c929f
SHA1

2e20204ac1e8f99a808f8a1df1a695acfae2881b
SHA256

a7231d2673c3fab4f1c78ffc49bbe4774f5dd63847706093df547b91769fc439
SHA512

e997c5896de979df3e11a4612921d5983b2569f22af971bbe6e2f32198fca9c0682a60ad126c301edd7d22ac36d85879169558ad7a1ca1ea7cf8ac23ebf4069b
SSDEEP

384:Nb4NFv7Nu7gke1yrXxD42Ue793JNnrC5nfQ6Gq:NcnvBi1cyVzU295Nnm5Yq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\adsntzt.dll = "{00010001-0001-0001-0001-00010001BB15}"	d40688246116dc007f4cec0d5b1c929f.exe

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	d40688246116dc007f4cec0d5b1c929f.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\adsntzt.nls	d40688246116dc007f4cec0d5b1c929f.exe
File created	C:\Windows\SysWOW64\adsntzt.tmp	d40688246116dc007f4cec0d5b1c929f.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.tmp	d40688246116dc007f4cec0d5b1c929f.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}	d40688246116dc007f4cec0d5b1c929f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}\InProcServer32	d40688246116dc007f4cec0d5b1c929f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}\InProcServer32\ = "C:\\Windows\\SysWow64\\adsntzt.dll"	d40688246116dc007f4cec0d5b1c929f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}\InProcServer32\ThreadingModel = "Apartment"	d40688246116dc007f4cec0d5b1c929f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2008	d40688246116dc007f4cec0d5b1c929f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2008	d40688246116dc007f4cec0d5b1c929f.exe
2008	d40688246116dc007f4cec0d5b1c929f.exe
2008	d40688246116dc007f4cec0d5b1c929f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2972	2008	d40688246116dc007f4cec0d5b1c929f.exe	30
PID 2008 wrote to memory of 2972	2008	d40688246116dc007f4cec0d5b1c929f.exe	30
PID 2008 wrote to memory of 2972	2008	d40688246116dc007f4cec0d5b1c929f.exe	30
PID 2008 wrote to memory of 2972	2008	d40688246116dc007f4cec0d5b1c929f.exe	30

C:\Users\Admin\AppData\Local\Temp\d40688246116dc007f4cec0d5b1c929f.exe
"C:\Users\Admin\AppData\Local\Temp\d40688246116dc007f4cec0d5b1c929f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\15D2.tmp.bat
  2⤵
  - Deletes itself
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15D2.tmp.bat

Filesize
179B

MD5
cdad54ce375121748444d6607ecd8d99

SHA1
18913450ab8c210f9fc660971fbc030436f6c5ff

SHA256
5f5cec4b1a7b773d7c9438eec31dd8dbd79ff7900fdab5d7899ecce5974d4304

SHA512
02629cf6cc5882b90cdd497558e1208942b52ae2e6f7f538b49bf4fb4e337ef679a7fcd8ca6a1b3ed206234def9be64f884d0e4b685f9b1267a18057bb216b42

Download Submit
\Windows\SysWOW64\adsntzt.dll

Filesize
564KB

MD5
3ad5465c183b14495f77d0f906adfa89

SHA1
030c593c271b988da0e473970bd6dd70a964c99b

SHA256
ca674e69cd7f48e2478f0e4bddd6fad757c442a963a03c31f4a8ee14ea34e8aa

SHA512
447d51462a3cc1063945ae0239864566fedf7bd5ff2dba4a9f5c5f57fa53ec4510985c03830ba334c15dc712ba206498f03c8bbdcada880bcb46398e69fe5ea5

Download Submit
memory/2008-12-0x0000000020000000-0x000000002000B000-memory.dmp

Filesize
44KB

Download
memory/2008-22-0x0000000020000000-0x000000002000B000-memory.dmp

Filesize
44KB

Download