Overview

overview

8

Static

static

bfe7a3d3d9...87.dll

windows7-x64

8

bfe7a3d3d9...87.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2022, 08:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bfe7a3d3d916adecd7f566353e38d7024742edc4743e2a3af5edc44636cd5387.dll

  • Size

    741KB

  • MD5

    34f9b98d34ad196f831cd63d5d122bf5

  • SHA1

    e8d4e378b54664f77200a48ba5022600c3bc13a6

  • SHA256

    bfe7a3d3d916adecd7f566353e38d7024742edc4743e2a3af5edc44636cd5387

  • SHA512

    f01bcc4bc50c15307e58de5e12a79f015e1259575725d058bad5bd3d22073ca2cc646b5dfda8b86b3a32f6ef095fae91c1241c54abae70940c665e08d0566ac3

  • SSDEEP

    3072:+ONuMKQg2WX6UoAAFmfiTx7MH6t5DlCQBl/j9ISdPAmLbONu:+OWWUoAYm6Tx72y5Bpj9jAYbO

Score
8/10
persistence

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfe7a3d3d916adecd7f566353e38d7024742edc4743e2a3af5edc44636cd5387.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfe7a3d3d916adecd7f566353e38d7024742edc4743e2a3af5edc44636cd5387.dll,#1
      2⤵
      • Sets DLL path for service in the registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net start COMSysApp
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\SysWOW64\net.exe
          net start COMSysApp
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4992
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start COMSysApp
            5⤵
              PID:908
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c net start SENS
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3824
          • C:\Windows\SysWOW64\net.exe
            net start SENS
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4584
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start SENS
              5⤵
                PID:4632
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p
        1⤵
          PID:792
        • C:\Windows\system32\dllhost.exe
          C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
          1⤵
          • Drops file in Windows directory
          PID:2812
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
          1⤵
            PID:1324

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/624-133-0x0000000002280000-0x00000000022A8000-memory.dmp

                  Filesize

                  160KB

                  Download