Overview

Task                      Score   Platform
Static (static)           10      -
ScanClient...1C.dll       -       windows7_x64
ScanClient...1C.dll       1       windows10-2004_x64
ScanClient...l1.dll       1       windows7_x64
ScanClient...l1.dll       1       windows10-2004_x64
ScanClient...em.dll       1       windows7_x64
ScanClient...em.dll       1       windows10-2004_x64
ScanClient...rd.dll       1       windows7_x64
ScanClient...rd.dll       1       windows10-2004_x64
ScanClient...te.lnk       1       windows7_x64
ScanClient...te.lnk       10      windows10-2004_x64
Analysis (score 10)

- Max time kernel: 4265044s
- Max time network: 129s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 14-01-2022 16:01
Tasks

Task             Sample                                    Resource
static1          (static task)                             -
behavioral1      ScanClientUpdate/KM.EKeyAlmaz1C.dll       win7-en-20211208
behavioral2      ScanClientUpdate/KM.EKeyAlmaz1C.dll       win10v2004-en-20220113
behavioral3      ScanClientUpdate/KM.EKeyCrystal1.dll      win7-en-20211208
behavioral4      ScanClientUpdate/KM.EKeyCrystal1.dll      win10v2004-en-20220113
behavioral5      ScanClientUpdate/KM.FileSystem.dll        win7-en-20211208
behavioral6      ScanClientUpdate/KM.FileSystem.dll        win10v2004-en-20220112
behavioral7      ScanClientUpdate/KM.IDCard.dll            win7-en-20211208
behavioral8      ScanClientUpdate/KM.IDCard.dll            win10v2004-en-20220112
behavioral9      ScanClientUpdate/ScanClientUpdate.lnk     win7-en-20211208
behavioral10     ScanClientUpdate/ScanClientUpdate.lnk     win10v2004-en-20220112
General

- Target: ScanClientUpdate/KM.EKeyAlmaz1C.dll
- Size: 165KB
- MD5: 021e42c964102fd263d474427ee78193
- SHA1: 8a6227b6db02b8ba278e13ccd6eece907e3657f0
- SHA256: 2fbe9b3eda5da1e2eded989941fdbb4e967245a53231d9c0c9333eb6486215c7
- SHA512: d517bcb9cfdd4082242ed6a2d12abef54db5fb31da19ce3d91665268a9006a9d9cda69bf28a8395b501df1cc8b22d0968b7af965e8a120c2db6c1f85c2e528e2
Malware Config

(none extracted)

Signatures

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MusNotification.exe

  Description          IoC                                                                          Process
  Key opened           \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0             MusNotification.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz        MusNotification.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: MusNotification.exe

  Description                          PID     Process
  Token: SeShutdownPrivilege           1364    MusNotification.exe
  Token: SeCreatePagefilePrivilege     1364    MusNotification.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe

  Description                         PID     Process         Target process
  PID 640 wrote to memory of 1508     640     rundll32.exe    rundll32.exe
  PID 640 wrote to memory of 1508     640     rundll32.exe    rundll32.exe
  PID 640 wrote to memory of 1508     640     rundll32.exe    rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ScanClientUpdate\KM.EKeyAlmaz1C.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ScanClientUpdate\KM.EKeyAlmaz1C.dll,#1
- C:\Windows\system32\MusNotification.exe
  Command line: C:\Windows\system32\MusNotification.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/1508-130-0x0000000000000000-mapping.dmp