a7231d2673c3fab4f1c78ffc49bbe4774f5dd63847706093df547b91769fc439

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d40688246116dc007f4cec0d5b1c929f.exe
Size

14KB
MD5

d40688246116dc007f4cec0d5b1c929f
SHA1

2e20204ac1e8f99a808f8a1df1a695acfae2881b
SHA256

a7231d2673c3fab4f1c78ffc49bbe4774f5dd63847706093df547b91769fc439
SHA512

e997c5896de979df3e11a4612921d5983b2569f22af971bbe6e2f32198fca9c0682a60ad126c301edd7d22ac36d85879169558ad7a1ca1ea7cf8ac23ebf4069b
SSDEEP

384:Nb4NFv7Nu7gke1yrXxD42Ue793JNnrC5nfQ6Gq:NcnvBi1cyVzU295Nnm5Yq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\adsntzt.dll = "{00010001-0001-0001-0001-00010001BB15}"	d40688246116dc007f4cec0d5b1c929f.exe

Loads dropped DLL 1 IoCs

pid	Process
400	d40688246116dc007f4cec0d5b1c929f.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adsntzt.tmp	d40688246116dc007f4cec0d5b1c929f.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.tmp	d40688246116dc007f4cec0d5b1c929f.exe
File opened for modification	C:\Windows\SysWOW64\adsntzt.nls	d40688246116dc007f4cec0d5b1c929f.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}\InProcServer32\ = "C:\\Windows\\SysWow64\\adsntzt.dll"	d40688246116dc007f4cec0d5b1c929f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}\InProcServer32\ThreadingModel = "Apartment"	d40688246116dc007f4cec0d5b1c929f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}	d40688246116dc007f4cec0d5b1c929f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00010001-0001-0001-0001-00010001BB15}\InProcServer32	d40688246116dc007f4cec0d5b1c929f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
400	d40688246116dc007f4cec0d5b1c929f.exe
400	d40688246116dc007f4cec0d5b1c929f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
400	d40688246116dc007f4cec0d5b1c929f.exe
400	d40688246116dc007f4cec0d5b1c929f.exe
400	d40688246116dc007f4cec0d5b1c929f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2224	400	d40688246116dc007f4cec0d5b1c929f.exe	93
PID 400 wrote to memory of 2224	400	d40688246116dc007f4cec0d5b1c929f.exe	93
PID 400 wrote to memory of 2224	400	d40688246116dc007f4cec0d5b1c929f.exe	93

C:\Users\Admin\AppData\Local\Temp\d40688246116dc007f4cec0d5b1c929f.exe
"C:\Users\Admin\AppData\Local\Temp\d40688246116dc007f4cec0d5b1c929f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\B4C9.tmp.bat
  2⤵
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B4C9.tmp.bat

Filesize
179B

MD5
cdad54ce375121748444d6607ecd8d99

SHA1
18913450ab8c210f9fc660971fbc030436f6c5ff

SHA256
5f5cec4b1a7b773d7c9438eec31dd8dbd79ff7900fdab5d7899ecce5974d4304

SHA512
02629cf6cc5882b90cdd497558e1208942b52ae2e6f7f538b49bf4fb4e337ef679a7fcd8ca6a1b3ed206234def9be64f884d0e4b685f9b1267a18057bb216b42

Download Submit
C:\Windows\SysWOW64\adsntzt.tmp

Filesize
904KB

MD5
f716dd70adfce6353f68735c06eebf65

SHA1
e2847c07107424ab75c00962b78fc92592c40503

SHA256
c1f268bdbc77b74095e9bf816c73a6f613b2da5b9ae0b9bcbe733e2140a9af8a

SHA512
dac524a460459d41c8c1f254a45cd1a1931d7ced63fd35df11a76bb14110bd1652250d62c46290545e850a209422e5d1796e73b3b77f3e9ccf28a90b437b2ef8

Download Submit
memory/400-13-0x0000000020000000-0x000000002000B000-memory.dmp

Filesize
44KB

Download
memory/400-17-0x0000000020000000-0x000000002000B000-memory.dmp

Filesize
44KB

Download