ccdc26c2d4de251147a00140aba26f4cc4e9bf8420fc68994318f2038eda9edb

General

Target

923753.jpg.dll
Size

2.9MB
MD5

3887099911b9df16a1eff94599b00871
SHA1

5e9944de761d8cc337c3783429762cdfae11f3d6
SHA256

ccdc26c2d4de251147a00140aba26f4cc4e9bf8420fc68994318f2038eda9edb
SHA512

d857da4058fe7e82f1752df49d76b863f431d1ee425a641ab3b50ec39d6db0e03470da472f8cdb5a776cd8b2d2bf1f2a52b22599da705889cae03a401ded58ee

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1512 regsvr32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1596 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2004 rundll32.exe
2004 rundll32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

2004 rundll32.exe

pid	process
1512	regsvr32.exe

pid	process
1596	schtasks.exe

pid	process
2004	rundll32.exe
2004	rundll32.exe

pid	process
2004	rundll32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

rundll32.exerundll32.exeexplorer.exetaskeng.exeregsvr32.exe

description	pid	process	target process
PID 1084 wrote to memory of 2004	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 2004	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 2004	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 2004	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 2004	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 2004	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 2004	1084	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1212	2004	rundll32.exe	explorer.exe
PID 2004 wrote to memory of 1212	2004	rundll32.exe	explorer.exe
PID 2004 wrote to memory of 1212	2004	rundll32.exe	explorer.exe
PID 2004 wrote to memory of 1212	2004	rundll32.exe	explorer.exe
PID 2004 wrote to memory of 1212	2004	rundll32.exe	explorer.exe
PID 2004 wrote to memory of 1212	2004	rundll32.exe	explorer.exe
PID 1212 wrote to memory of 1596	1212	explorer.exe	schtasks.exe
PID 1212 wrote to memory of 1596	1212	explorer.exe	schtasks.exe
PID 1212 wrote to memory of 1596	1212	explorer.exe	schtasks.exe
PID 1212 wrote to memory of 1596	1212	explorer.exe	schtasks.exe
PID 1496 wrote to memory of 1056	1496	taskeng.exe	regsvr32.exe
PID 1496 wrote to memory of 1056	1496	taskeng.exe	regsvr32.exe
PID 1496 wrote to memory of 1056	1496	taskeng.exe	regsvr32.exe
PID 1496 wrote to memory of 1056	1496	taskeng.exe	regsvr32.exe
PID 1496 wrote to memory of 1056	1496	taskeng.exe	regsvr32.exe
PID 1056 wrote to memory of 1512	1056	regsvr32.exe	regsvr32.exe
PID 1056 wrote to memory of 1512	1056	regsvr32.exe	regsvr32.exe
PID 1056 wrote to memory of 1512	1056	regsvr32.exe	regsvr32.exe
PID 1056 wrote to memory of 1512	1056	regsvr32.exe	regsvr32.exe
PID 1056 wrote to memory of 1512	1056	regsvr32.exe	regsvr32.exe
PID 1056 wrote to memory of 1512	1056	regsvr32.exe	regsvr32.exe
PID 1056 wrote to memory of 1512	1056	regsvr32.exe	regsvr32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\923753.jpg.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\923753.jpg.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn oekwryx /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\923753.jpg.dll\"" /SC ONCE /Z /ST 08:39 /ET 08:51
4⤵
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\taskeng.exe
taskeng.exe {AF7D967D-E49B-4ED4-8E03-4AD0974BAE90} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\system32\regsvr32.exe
regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\923753.jpg.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\regsvr32.exe
-s "C:\Users\Admin\AppData\Local\Temp\923753.jpg.dll"
3⤵
- Loads dropped DLL
PID:1512

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\923753.jpg.dll
MD5
28cf982d9678325c26cb28c15c5b271f

SHA1
44937746efdeee34d8ba49a88f817368775116ec

SHA256
d2cf10a59c23920f9568031235f22e9860dd6105098caf01de9684a2890f2dfc

SHA512
d53481c1e87374fa706afa3a37435795f6b5dc1bc5c6792944405e2413a03909f1ca120a71ca5127f7c53935e2844b0bd7612726aa640a9e3a0026f30bef44ce

Download Submit
\Users\Admin\AppData\Local\Temp\923753.jpg.dll
MD5
28cf982d9678325c26cb28c15c5b271f

SHA1
44937746efdeee34d8ba49a88f817368775116ec

SHA256
d2cf10a59c23920f9568031235f22e9860dd6105098caf01de9684a2890f2dfc

SHA512
d53481c1e87374fa706afa3a37435795f6b5dc1bc5c6792944405e2413a03909f1ca120a71ca5127f7c53935e2844b0bd7612726aa640a9e3a0026f30bef44ce

Download Submit
memory/1056-7-0x0000000000000000-mapping.dmp

Download
memory/1212-1-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1212-3-0x0000000000000000-mapping.dmp

Download
memory/1212-6-0x0000000000110000-0x0000000000130000-memory.dmp

Filesize
128KB

Download
memory/1512-9-0x0000000000000000-mapping.dmp

Download
memory/1596-5-0x0000000000000000-mapping.dmp

Download
memory/2004-0-0x0000000000000000-mapping.dmp

Download
memory/2004-2-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/2004-4-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads