Analysis

  • max time kernel
    110s
  • max time network
    190s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2022, 12:05 UTC

General

  • Target

    baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417.dll

  • Size

    922KB

  • MD5

    69266422d558e7d94713d25dadded350

  • SHA1

    6cdb1c2c853ad0e4663802673a006d233e82019a

  • SHA256

    baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417

  • SHA512

    fa721af30fac2fa7b4407363a7f72fc7a9ee76618ae5f119031d2498d51b55874fbb77c3531c56a1025b3a528ef0b094d51a46d3f367fb92a97c6861ca4b08de

  • SSDEEP

    12288:53RWz/CTxoOAjzHljSA6cg8rPbSHYIkhEmEazstA+UinhcoqzJPYoO8lrS9Ehc96:zRbEluQYYIkhwazrQzqlP+9EhWwIg

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\baebe3a7351c7e82c729c06d2fa7f325894d74318d12260b18c51ba3831f7417.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1292
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:672
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1912

Network

  • flag-us
    DNS
    api.bing.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    api.bing.com
    IN A
    Response
    api.bing.com
    IN CNAME
    api-bing-com.e-0001.e-msedge.net
    api-bing-com.e-0001.e-msedge.net
    IN CNAME
    afd.e-0001.e-dc-msedge.net
    afd.e-0001.e-dc-msedge.net
    IN CNAME
    e-0001.e-dc-msedge.net
    e-0001.e-dc-msedge.net
    IN A
    13.107.13.80
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls
    iexplore.exe
    707 B
    7.6kB
    8
    11
  • 8.8.8.8:53
    api.bing.com
    dns
    iexplore.exe
    58 B
    171 B
    1
    1

    DNS Request

    api.bing.com

    DNS Response

    13.107.13.80

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{486501C1-4994-11ED-B19F-72E6D75F6BEB}.dat

    Filesize

    5KB

    MD5

    d027d119c0030d5da36ecea4cecf9935

    SHA1

    58e991433a440f1f384a528b7804db32560acf24

    SHA256

    e80e67de6b1cf8291080da833803bfa1ae5debdf109ff21515d0a9a164a7180e

    SHA512

    05aa9becf0d50d43e0b557625cda84dc6f99bdcfa7a433370d3939884d7673bbc3c4b3751dff1f39183e3c7545e7a2b2f07ec63a79add7f1aaefbedeb5914aa4

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{486528D1-4994-11ED-B19F-72E6D75F6BEB}.dat

    Filesize

    3KB

    MD5

    e899cadeccb8834b599d8c4f7e067372

    SHA1

    70e8decc3f562622f49749d83c24f44d5e2ce4c3

    SHA256

    902e3794f0ff419ed3cef1be25679c2f57dd9dd0ccfd49b7a0f69147e7e1c6a8

    SHA512

    9df7c0331fae0333ea8c3c8ad0cf6ab461ee240a370b00b715a5b5504e20395de8036d605fce85d9c7f9b97858db6aa5e3d1cb4bed3318d9b3a8c4ba5d92ed37

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KXJDYLT8.txt

    Filesize

    603B

    MD5

    58aa39d54ffbc4a1e9414572f52b506d

    SHA1

    d47c6bb9293fc2046e9dd2b48dfd28785cd7c4b6

    SHA256

    8a802c1aa21af0558c76cab6905e0eded7c42681b9a6bd70b0a019b4c3e2c4e5

    SHA512

    37b316b493ffb808f00ff30679b8cd4d727d01d642b61ee80f246f9d25004c63c823fdd0fcdf077ce6ab27a66aab60b02d5ef187ec30783feae2c64cc23e09e6

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    173KB

    MD5

    77c5d1f7d9596e57a88f4dbcf3fef526

    SHA1

    fb265bb6a2cc331edb70b90d36d42ec6e61544ab

    SHA256

    d09416051d3a9cb33fa22cea2347fab648bfb262d58a5f26bde7da61a7fefae0

    SHA512

    4d24d309469c834d663f62ae31b52ccd1ca2d0dc73d07d0e4bb19d78fe955ae040554062a972d17106e1a6da738002ceb87a5ccb65517374ba2cca966bb87d3c

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    173KB

    MD5

    77c5d1f7d9596e57a88f4dbcf3fef526

    SHA1

    fb265bb6a2cc331edb70b90d36d42ec6e61544ab

    SHA256

    d09416051d3a9cb33fa22cea2347fab648bfb262d58a5f26bde7da61a7fefae0

    SHA512

    4d24d309469c834d663f62ae31b52ccd1ca2d0dc73d07d0e4bb19d78fe955ae040554062a972d17106e1a6da738002ceb87a5ccb65517374ba2cca966bb87d3c

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    173KB

    MD5

    77c5d1f7d9596e57a88f4dbcf3fef526

    SHA1

    fb265bb6a2cc331edb70b90d36d42ec6e61544ab

    SHA256

    d09416051d3a9cb33fa22cea2347fab648bfb262d58a5f26bde7da61a7fefae0

    SHA512

    4d24d309469c834d663f62ae31b52ccd1ca2d0dc73d07d0e4bb19d78fe955ae040554062a972d17106e1a6da738002ceb87a5ccb65517374ba2cca966bb87d3c

  • memory/1516-62-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/1516-65-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/1928-61-0x00000000001F0000-0x0000000000257000-memory.dmp

    Filesize

    412KB

  • memory/1928-56-0x0000000010000000-0x00000000102EA000-memory.dmp

    Filesize

    2.9MB

  • memory/1928-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

    Filesize

    8KB
