Resubmissions

23/03/2022, 11:41

220323-ntlz3sdbf4 10

23/03/2022, 09:48

220323-lswf1sbhf5 10

Analysis

  • max time kernel
    121s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-it-20220113
  • submitted
    23/03/2022, 11:41

General

  • Target

    readme.dll

  • Size

    471KB

  • MD5

    fbc2f28e187edcc6ddf89989ff8e591f

  • SHA1

    a322761d2f8eb898810454f545e8646495e98fea

  • SHA256

    77457f0b7da19036041ca3a0071e141909d889eb7e2d28d6ad0df73bc3c81636

  • SHA512

    6d04490602f0239dc823a5640793f5415597a70682d64b1620ae5006a351c70e232cb5c024caf2eff2ef2527d22ed321687dcde94b00877f8ecfc9ba788ae0de

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs
  • Executes dropped EXE 5 IoCs
  • Sets file execution options in registry 2 TTPs
  • Loads dropped DLL 48 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\readme.dll,#1
      2⤵
        PID:3044
    • C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe
      "C:\ProgramData\Adobe\ARM\S\7729\AdobeARMHelper.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\7729" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /ArmUpdate /MSI FOLDER:"C:\ProgramData\Adobe\ARM\S\7729" /MODE:3 /PRODUCT:Reader /VERSION:19.0 /LANG:ENU
        2⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:208
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding B9BF8A9D52CC38AD3789D56DBE7F71A6
        2⤵
        • Loads dropped DLL
        PID:2580
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 6578CDAA941952C379CF8FC2DFFD8FEF E Global\MSI0000
        2⤵
        • Loads dropped DLL
        PID:3720
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 90EC29F971E0E77E3759A02027439C85
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        PID:3720
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 2222BCD1214A0DE5188B8DF5648ECB34 E Global\MSI0000
        2⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:4016
      • C:\Windows\Installer\MSI9981.tmp
        "C:\Windows\Installer\MSI9981.tmp" /b 2 120 0
        2⤵
        • Executes dropped EXE
        PID:1820
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe" 19.010.20098 19.010.20069.0
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:3432
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
      1⤵
      • Executes dropped EXE
      PID:1980
    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
      1⤵
      • Executes dropped EXE
      PID:364

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads