Malware Analysis Report

2024-11-30 14:40

Sample ID 201108-mlp13srey6
Target 24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6
SHA256 24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6
Tags persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6

Threat Level: Likely malicious

The file 24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Sets DLL path for service in the registry

Sets service image path in registry

Checks BIOS information in registry

Modifies service

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-08 14:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-08 14:30

Reported

2020-11-08 16:24

Platform

win7v20201028

Max time kernel

4s

Max time network

13s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll,#1

Signatures

Sets DLL path for service in the registry

persistence

Sets service image path in registry

persistence

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies service

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\ObjectName = "LocalSystem" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\Type = "272" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\Group = "ProfSvc_Group" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\Parameters | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\Parameters\ServiceDll = "C:\\USERS\\ADMIN\\APPDATA\\LOCAL\\TEMP\\24FF7026FC4C06E06F7188C44A5E2D44" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\ErrorControl = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\Start = "2" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\Description = "@%SystemRoot%\\system32\\Sens.dll,-201" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\DisplayName = "@%SystemRoot%\\system32\\Sens.dll,-200" | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1756 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 1944 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll,#1

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

Network

N/A

Files

memory/1944-0-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-08 14:30

Reported

2020-11-08 16:24

Platform

win10v20201028

Max time kernel

10s

Max time network

110s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll,#1

Signatures

Sets DLL path for service in the registry

persistence

Sets service image path in registry

persistence

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies service

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Description = "@%SystemRoot%\\system32\\Sens.dll,-201" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\ObjectName = "LocalSystem" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP\Parameters | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Parameters\ServiceDll = "C:\\USERS\\ADMIN\\APPDATA\\LOCAL\\TEMP\\24FF7026FC4C06E06F7188C44A5E2D44" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Start = "2" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TEMP | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\DisplayName = "@%SystemRoot%\\system32\\Sens.dll,-200" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Group = "ProfSvc_Group" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\ErrorControl = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TEMP\Type = "272" | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1056 wrote to memory of 1344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1056 wrote to memory of 1344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1056 wrote to memory of 1344 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ff7026fc4c06e06f7188c44a5e2d4429aab0d0de9fcd93d4f8e95210be7ba6.dll,#1

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k LocalService

Network

N/A

Files

memory/1344-0-0x0000000000000000-mapping.dmp