Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-1703_x64 -
resource
win10-20220718-it -
resource tags
arch:x64arch:x86image:win10-20220718-itlocale:it-itos:windows10-1703-x64systemwindows -
submitted
22-07-2022 14:49
Static task
static1
General
-
Target
y2FD1.tmp.dll
-
Size
1.1MB
-
MD5
7e4722c69a08c97e5f2cdd2e78c091f3
-
SHA1
831ae50906861832a64e61bf006d943e7fb3fac9
-
SHA256
f90159634dfa11715de1d813ba5747e3e795017f75926b49d4365acc4a4ca807
-
SHA512
07be715ee6c245c40b618509340f90a8a6677b0525047d6808d8a4b75831e4f22f7348f31efec5deba87e7ec7042e139cefcb9fdfd7231f6518b4f14d8d7b0fc
Malware Config
Signatures
-
Detects SVCReady loader 1 IoCs
resource yara_rule behavioral1/memory/2348-159-0x0000000010000000-0x0000000010091000-memory.dmp family_svcready -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 61 IoCs
pid Process 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4640 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4640 taskmgr.exe Token: SeSystemProfilePrivilege 4640 taskmgr.exe Token: SeCreateGlobalPrivilege 4640 taskmgr.exe Token: 33 4640 taskmgr.exe Token: SeIncBasePriorityPrivilege 4640 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe -
Suspicious use of SendNotifyMessage 63 IoCs
pid Process 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe 4640 taskmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2348 2244 regsvr32.exe 66 PID 2244 wrote to memory of 2348 2244 regsvr32.exe 66 PID 2244 wrote to memory of 2348 2244 regsvr32.exe 66
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\y2FD1.tmp.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\y2FD1.tmp.dll2⤵PID:2348
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4640
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4792
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:4416