be53e7e6f94e654953c72093f6350bca2a338c601b6ee19a15bc4c6032ca272c

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7076ab7ab2cd8bc57617272b58617ae.exe
Size

13KB
MD5

d7076ab7ab2cd8bc57617272b58617ae
SHA1

4e9d7741b00d76f795289b7e5bf756ff4bdfeef6
SHA256

be53e7e6f94e654953c72093f6350bca2a338c601b6ee19a15bc4c6032ca272c
SHA512

c88efeef70594c3dfaa2e883e349129ded6fb58d67d818f42a04f91c95bda7dae78dae523c87176eaa7ccdd8f040f7c7870d6b30ac0b93b895bb0857111538b9
SSDEEP

384:lijhd5kbROXYpAIoNog4wo8MYvIvtCdCq/:UHabROXYKfN94wwv7q/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dnuikjtq.dll = "{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}"	d7076ab7ab2cd8bc57617272b58617ae.exe

Loads dropped DLL 1 IoCs

pid	Process
3044	d7076ab7ab2cd8bc57617272b58617ae.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dnuikjtq.nls	d7076ab7ab2cd8bc57617272b58617ae.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}	d7076ab7ab2cd8bc57617272b58617ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}\InProcServer32	d7076ab7ab2cd8bc57617272b58617ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}\InProcServer32\ = "C:\\Windows\\SysWow64\\dnuikjtq.dll"	d7076ab7ab2cd8bc57617272b58617ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC6ED3B4-D07A-4f04-9D41-0E6701C0BD09}\InProcServer32\ThreadingModel = "Apartment"	d7076ab7ab2cd8bc57617272b58617ae.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3044	d7076ab7ab2cd8bc57617272b58617ae.exe
3044	d7076ab7ab2cd8bc57617272b58617ae.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3044	d7076ab7ab2cd8bc57617272b58617ae.exe
3044	d7076ab7ab2cd8bc57617272b58617ae.exe
3044	d7076ab7ab2cd8bc57617272b58617ae.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3952	3044	d7076ab7ab2cd8bc57617272b58617ae.exe	87
PID 3044 wrote to memory of 3952	3044	d7076ab7ab2cd8bc57617272b58617ae.exe	87
PID 3044 wrote to memory of 3952	3044	d7076ab7ab2cd8bc57617272b58617ae.exe	87

C:\Users\Admin\AppData\Local\Temp\d7076ab7ab2cd8bc57617272b58617ae.exe
"C:\Users\Admin\AppData\Local\Temp\d7076ab7ab2cd8bc57617272b58617ae.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BC1C.tmp.bat
  2⤵
  PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BC1C.tmp.bat

Filesize
179B

MD5
6967a1e52cfa9b6f857d6c36812d37ed

SHA1
7a779f47819c4fc897f0d9094363e944ec3e0ed6

SHA256
b30fc958017ed20dd6da3a25d263c45308af49f2b5e6ee62bb4a15bb02812ab0

SHA512
52c19b7fab63c21d4fd64ee571f057f895b49d412f417931f0b58ad7640e1e575db1722243e905365154849aa2af7c830341a17f4b1b07e8b9a7aacb088f0ecf

Download Submit
C:\Windows\SysWOW64\dnuikjtq.dll

Filesize
2.2MB

MD5
d4976659ecd792a467f42f10d0bd7b75

SHA1
bcef41f9723f43f36328a62c37948dd6c34dd3da

SHA256
c0d54aebacc70f7067de19dc52fbef43a55b7ab67ebe543abf87088592cf278c

SHA512
8a9ce2440820231093674506d4b80d61cd8c0073ea7e4a3809e3cf7f49ae3e4cd9d380b6adb670e596bde9bcb1c78553f9afc1ce268ef179d302f9100c0d9f28

Download Submit
memory/3044-9-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/3044-13-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download