Overview

overview

6

Static

static

51da274016...50.dll

windows7-x64

6

51da274016...50.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2022 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51da274016724d3654dfb5cd5b202a73a8c31cb19aaf254568e56747337fca50.dll

  • Size

    220KB

  • MD5

    120a38ec5fd75385e14bd68cc28b3ed0

  • SHA1

    9e2df88945805a10d4e317a4670021d53c02be0a

  • SHA256

    51da274016724d3654dfb5cd5b202a73a8c31cb19aaf254568e56747337fca50

  • SHA512

    11167bdb425c0146cf296ea9917a225f860bbb3c9e48f4f807ae0fdc827f283f9b7fe8565a739765b04ce096bf0136d6b789e19b6c269c29d4f792aa8972fb73

  • SSDEEP

    3072:bx80xX2aL6pDXcyISI+TzOFeITQryMyHcMAfA2y24OXEDXc4PMbuAcKwsWf:bxpX16bIHFtgKAfA3jO0DXcDbu5bf

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2332
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3420
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3356
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4688
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3732
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
      PID:3516
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:3260
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 3260 -s 396
          2⤵
          • Program crash
          PID:4932
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Adds Run key to start application
        • Modifies Internet Explorer Protected Mode
        • Modifies Internet Explorer Protected Mode Banner
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3044
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\51da274016724d3654dfb5cd5b202a73a8c31cb19aaf254568e56747337fca50.dll,#1
          2⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\51da274016724d3654dfb5cd5b202a73a8c31cb19aaf254568e56747337fca50.dll,#1
            3⤵
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1424
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 440 -p 3260 -ip 3260
        1⤵
          PID:4856

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1424-153-0x0000000003290000-0x00000000032DE000-memory.dmp

          Filesize

          312KB

          Download

        • memory/1424-133-0x0000000074D80000-0x0000000074DBA000-memory.dmp

          Filesize

          232KB

          Download

        • memory/1424-135-0x0000000002830000-0x0000000002861000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1424-132-0x0000000000000000-mapping.dmp

          Download

        • memory/1424-154-0x0000000003360000-0x00000000033D8000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2332-136-0x00007FFBE72D0000-0x00007FFBE72D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2332-137-0x0000000000080000-0x00000000000CE000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2332-138-0x000001CA38C90000-0x000001CA38CF8000-memory.dmp

          Filesize

          416KB

          Download

        • memory/2440-139-0x00007FFBE72D0000-0x00007FFBE72D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2440-140-0x0000022F710E0000-0x0000022F71148000-memory.dmp

          Filesize

          416KB

          Download

        • memory/3044-141-0x00007FFBE72D0000-0x00007FFBE72D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3044-142-0x00000000079F0000-0x0000000007A58000-memory.dmp

          Filesize

          416KB

          Download

        • memory/3356-143-0x00007FFBE72D0000-0x00007FFBE72D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3356-144-0x0000019AA9190000-0x0000019AA91F8000-memory.dmp

          Filesize

          416KB

          Download

        • memory/3420-146-0x000002132FE70000-0x000002132FED8000-memory.dmp

          Filesize

          416KB

          Download

        • memory/3420-145-0x00007FFBE72D0000-0x00007FFBE72D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3732-147-0x00007FFBE72D0000-0x00007FFBE72D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3732-148-0x0000015F489E0000-0x0000015F48A48000-memory.dmp

          Filesize

          416KB

          Download

        • memory/4084-151-0x00007FFBE72D0000-0x00007FFBE74C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4084-152-0x000002DA994A0000-0x000002DA99508000-memory.dmp

          Filesize

          416KB

          Download

        • memory/4084-155-0x00007FFBE72D0000-0x00007FFBE74C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4688-149-0x00007FFBE72D0000-0x00007FFBE72D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4688-150-0x0000023F50480000-0x0000023F504E8000-memory.dmp

          Filesize

          416KB

          Download