13fe2669c7239f572323b0cd74b9e6b0386d70f1b6f0c83ad0f6bd2301a642a7

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2024, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7a4850c861f5c4c5ad293bd60920c67.exe
Size

180KB
MD5

d7a4850c861f5c4c5ad293bd60920c67
SHA1

5bf8db3d36baef106e905089b64983d1e26e03be
SHA256

13fe2669c7239f572323b0cd74b9e6b0386d70f1b6f0c83ad0f6bd2301a642a7
SHA512

7cb9c32c6ddf329bbb011f7e95d965bccde619422c8bbefb8911a342d22d0aac77a1cd9a5c597edf4601ace6c9209c766388f029adea75f225ac860b3010d714
SSDEEP

3072:uf/USDSNfoJLE2L5YYqqzFaNagQeB+BC3K5eqIL:ufVagE2L5YYqq4NaxcK7IL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4976	lfxkxz.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\alfxk	lfxkxz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\alfxk	lfxkxz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	lfxkxz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	lfxkxz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	lfxkxz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\alfxk\\command	lfxkxz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	lfxkxz.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5340	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 908	3244	d7a4850c861f5c4c5ad293bd60920c67.exe	88
PID 3244 wrote to memory of 908	3244	d7a4850c861f5c4c5ad293bd60920c67.exe	88
PID 3244 wrote to memory of 908	3244	d7a4850c861f5c4c5ad293bd60920c67.exe	88
PID 908 wrote to memory of 4976	908	cmd.exe	90
PID 908 wrote to memory of 4976	908	cmd.exe	90
PID 908 wrote to memory of 4976	908	cmd.exe	90
PID 908 wrote to memory of 5340	908	cmd.exe	91
PID 908 wrote to memory of 5340	908	cmd.exe	91
PID 908 wrote to memory of 5340	908	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\d7a4850c861f5c4c5ad293bd60920c67.exe
"C:\Users\Admin\AppData\Local\Temp\d7a4850c861f5c4c5ad293bd60920c67.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mwyfauo.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Users\Admin\AppData\Local\Temp\lfxkxz.exe
    "C:\Users\Admin\AppData\Local\Temp\lfxkxz.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4976
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kcjuky.bat

Filesize
156B

MD5
2232b40f45044ba15dd8fdc37b681966

SHA1
fd47dfda87a62317afae5d3d8bab7e98858ac4b4

SHA256
3ac64d9dfb03e3fa0c7bb1482ed3a9de2a6786bfeaf5d105fbaf8c54afd16178

SHA512
01dad6856c490c59e9bb3ce6b51b732d847e6c9981258cdab41dd8e3f503e50bdbfab4876038c926ce2d36a84be5152eeda7ecaf92ca5074db070ef2126942fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfxkxz.exe

Filesize
132KB

MD5
082b2409f5339e035f2c5611501ec708

SHA1
579c3d3ad3493c7150c062af4218598e4c6d687b

SHA256
11c4d82dcbb6b5f2c695e7d77565f294fdc28b4eb49b945888ab0d59c559e701

SHA512
acc4b94c90525d240ffb66f004f9e3c515d13efce16451a74edcc73145cf20ad6961f01f02dc3b13afe85cf69c4ec170be788012234c5ec9bcc24acca10726ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwyfauo.bat

Filesize
124B

MD5
5656058f8389225589b55de0363027b5

SHA1
9c40acb8d31a47004a0a3c538d848ff79246ef57

SHA256
dec669fcdbcab9878fd5384c057754e9d37559912685afd1b699860d5a77bbcf

SHA512
9f518dd2cba386d49adf89f28ff78fd36c46600dc53327aaf4b8180b2b01a12822657197ee96b917234ac9db0714e65a8ff273e1771e61092c23a33723b3282c

Download Submit