be53e7e6f94e654953c72093f6350bca2a338c601b6ee19a15bc4c6032ca272c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7076ab7ab2cd8bc57617272b58617ae.exe
Size

13KB
MD5

d7076ab7ab2cd8bc57617272b58617ae
SHA1

4e9d7741b00d76f795289b7e5bf756ff4bdfeef6
SHA256

be53e7e6f94e654953c72093f6350bca2a338c601b6ee19a15bc4c6032ca272c
SHA512

c88efeef70594c3dfaa2e883e349129ded6fb58d67d818f42a04f91c95bda7dae78dae523c87176eaa7ccdd8f040f7c7870d6b30ac0b93b895bb0857111538b9
SSDEEP

384:lijhd5kbROXYpAIoNog4wo8MYvIvtCdCq/:UHabROXYKfN94wwv7q/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zlsdribf.dll = "{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}"	d7076ab7ab2cd8bc57617272b58617ae.exe

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2740	d7076ab7ab2cd8bc57617272b58617ae.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zlsdribf.nls	d7076ab7ab2cd8bc57617272b58617ae.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}	d7076ab7ab2cd8bc57617272b58617ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}\InProcServer32	d7076ab7ab2cd8bc57617272b58617ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}\InProcServer32\ = "C:\\Windows\\SysWow64\\zlsdribf.dll"	d7076ab7ab2cd8bc57617272b58617ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}\InProcServer32\ThreadingModel = "Apartment"	d7076ab7ab2cd8bc57617272b58617ae.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2740	d7076ab7ab2cd8bc57617272b58617ae.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2740	d7076ab7ab2cd8bc57617272b58617ae.exe
2740	d7076ab7ab2cd8bc57617272b58617ae.exe
2740	d7076ab7ab2cd8bc57617272b58617ae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2580	2740	d7076ab7ab2cd8bc57617272b58617ae.exe	28
PID 2740 wrote to memory of 2580	2740	d7076ab7ab2cd8bc57617272b58617ae.exe	28
PID 2740 wrote to memory of 2580	2740	d7076ab7ab2cd8bc57617272b58617ae.exe	28
PID 2740 wrote to memory of 2580	2740	d7076ab7ab2cd8bc57617272b58617ae.exe	28

C:\Users\Admin\AppData\Local\Temp\d7076ab7ab2cd8bc57617272b58617ae.exe
"C:\Users\Admin\AppData\Local\Temp\d7076ab7ab2cd8bc57617272b58617ae.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\895B.tmp.bat
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\895B.tmp.bat

Filesize
179B

MD5
6967a1e52cfa9b6f857d6c36812d37ed

SHA1
7a779f47819c4fc897f0d9094363e944ec3e0ed6

SHA256
b30fc958017ed20dd6da3a25d263c45308af49f2b5e6ee62bb4a15bb02812ab0

SHA512
52c19b7fab63c21d4fd64ee571f057f895b49d412f417931f0b58ad7640e1e575db1722243e905365154849aa2af7c830341a17f4b1b07e8b9a7aacb088f0ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlsdribf.tmp

Filesize
2.4MB

MD5
1944481ce9a1206624f08c8a165c3652

SHA1
3246bf99bee06ce5a081fefbbc63fcf4d8aa1362

SHA256
9a66c6ebe177c79da4ebc264060571dd3df14b78c87ac1141c4927d8abc114a9

SHA512
744e93d2358b5d9f38571d5fbea7703689796ac5fb69f8c2b8d7a5c4ae5df2f9707fb89eaf91b5937fed0fcfdc10d0476527c02bb7a0958d9aa47a0831c49cfa

Download Submit
memory/2740-8-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2740-17-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download