Analysis

  • max time kernel
    175s
  • max time network
    97s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    11-06-2024 17:22

General

  • Target

    DeltaV625.exe

  • Size

    502KB

  • MD5

    179ea60405653e949d9df2ec9c82adcc

  • SHA1

    10f8c047b0e12ef44390fc22b75a12616b39d308

  • SHA256

    e84a03e62284a5f03a5023c7f3b6ebfd0eac07576c0acdf1292e7de68fa4de02

  • SHA512

    93f28edb90312e259f23d09b1f8386c0f75942284cb1f4632ec49369732fad9923a4d4eceafaae47b1ce4c5fe936bceaea1bc507c4c1e02cbd6bd5a17a6af0b4

  • SSDEEP

    12288:eJroGcHz7ZkIhh8w13vaw1e/EEn7NONvR:75hhRvjecuN

Score
7/10

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Registers COM server for autorun 1 TTPs 64 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DeltaV625.exe
    "C:\Users\Admin\AppData\Local\Temp\DeltaV625.exe"
    1⤵
      PID:3456
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
      1⤵
      • Modifies system executable filetype association
      • Registers COM server for autorun
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1392
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1172
      • C:\Windows\System32\DataExchangeHost.exe
        C:\Windows\System32\DataExchangeHost.exe -Embedding
        1⤵
          PID:1212
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
          1⤵
            PID:2324
          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
            1⤵
            • Suspicious use of SetWindowsHookEx
            PID:1892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    b11a15baac2a74995ae6f353e63723ad

    SHA1

    a64d549fa00962953eede6bb877caa60862cfbf3

    SHA256

    69e2381681ce85f320660228583f2ed1604b1dbfa90a69dde1a4853aca900778

    SHA512

    3406cdb89d03d3dc114637d8469f265d25857538e52f6f76ebd6272d4c79d51fbbb6c711e04605fb9ed1875ef870cd0ef5f18cf8accc5ace2a3ead72a3dfb8b5

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    df46eb1fe5d54a0521d9965203a4a9da

    SHA1

    e977aae1bb82f3d57267ead3b91df3d82d6d50c6

    SHA256

    6076a9ea8f52f5ad109fbe29f955ee052f626b22ee45366bfa83f70706744b1d

    SHA512

    5bc5f8d247ba164f1af6f4ae902906568a4e9baf05c9782d999e537730d8cfe443daac6f44aa246f27e9678237a4b57a7e8411e3c4fbe88e943525cdb2ae239e

  • memory/3456-0-0x00007FFCB4D33000-0x00007FFCB4D35000-memory.dmp

    Filesize

    8KB

  • memory/3456-1-0x0000000000A70000-0x0000000000AF4000-memory.dmp

    Filesize

    528KB