Analysis

max time kernel: 152s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 04:04
Static task: static1
Behavioral task: behavioral1
  Sample: 1f9847d8ea36e802327f7a4ae96bda5057e1c6c2af2e7986d1b2602de838af5b.dll
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 1f9847d8ea36e802327f7a4ae96bda5057e1c6c2af2e7986d1b2602de838af5b.dll
  Resource: win10v2004-20221111-en
General

Target: 1f9847d8ea36e802327f7a4ae96bda5057e1c6c2af2e7986d1b2602de838af5b.dll
Size: 2.4MB
MD5: 729fb400126e4c71f4b23eb2490d9bb0
SHA1: e01eae06d2bd836fc3d41b0a01f79c457c660aba
SHA256: 1f9847d8ea36e802327f7a4ae96bda5057e1c6c2af2e7986d1b2602de838af5b
SHA512: 4a72b1a859e30d4272a0e3cbd984391d3678f60edf752ebb19815ba5c5beb55a05de3cecc2268532fd73304c3b0f3e5355b80adec723e66a1481bb6d34ec12d3
SSDEEP: 6144:GXkWpMQwzjCZl13fTS5W3tc7T1rdEjVJ3D:GXNMQ1ZDfTS5eccjVBD
Malware Config
Signatures
Deletes itself (1 IoC)
  Process: rundll32.exe (PID 868)

Loads dropped DLL (1 IoC)
  Process: rundll32.exe (PID 868)
Adds Run key to start application (2 TTPs, 4 IoCs)
  HKU below stands for \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000
  Key created:     HKU\Software\Microsoft\Windows\CurrentVersion\Run  (regsvr32.exe)
  Set value (str): HKU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~3\\qwecomesowi.dat,StartAs"  (regsvr32.exe)
  Key created:     HKU\Software\Microsoft\Windows\CurrentVersion\Run  (rundll32.exe)
  Set value (str): HKU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~3\\qwecomesowi.dat,StartAs"  (rundll32.exe)
  The value is named after the legitimate ctfmon.exe but starts rundll32.exe against a .dat module through the export StartAs. Both the initial loader (regsvr32.exe) and the persisted stage (rundll32.exe) write the same entry, so the persistence is re-established on every run.

Drops file in Program Files directory (5 IoCs)
  File created:                 C:\PROGRA~3\qwecomesowi.dat  (regsvr32.exe)
  File opened for modification: C:\PROGRA~3\qwecomesowi.dat  (regsvr32.exe)
  File created:                 C:\PROGRA~3\iwosemocewq.dat  (regsvr32.exe)
  File opened for modification: C:\PROGRA~3\iwosemocewq.dat  (regsvr32.exe)
  File opened for modification: C:\PROGRA~3\iwosemocewq.dat  (rundll32.exe)
  The signature fires on the PROGRA~ prefix; on a default x64 install C:\PROGRA~3 is usually the 8.3 alias of C:\ProgramData, not a Program Files directory, so the dropped files sit in a location every user can write to.

Modifies Internet Explorer Protected Mode (1 TTP, 5 IoCs)
  Set value (int): HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"  (rundll32.exe)
  Set value (int): HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"  (rundll32.exe)
  Set value (int): HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"  (rundll32.exe)
  Set value (int): HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"  (rundll32.exe)
  Set value (int): HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"  (rundll32.exe)
  Value 2500 under each zone is the per-zone Protected Mode switch (0 = on, 3 = off); setting it to 3 in zones 0 to 4 turns Protected Mode off for every zone.

Modifies Internet Explorer Protected Mode Banner (1 TTP, 1 IoC)
  Set value (int): HKU\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"  (rundll32.exe)
  Suppresses the information bar IE would otherwise show when Protected Mode is off, hiding the change from the user.

Modifies Internet Explorer settings
  Key created: HKU\Software\Microsoft\Internet Explorer\Main  (rundll32.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  regsvr32.exe (PID 1664): 1
  rundll32.exe (PID 868): 63

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  regsvr32.exe (PID 1664)
  Token: SeDebugPrivilege  rundll32.exe (PID 868)

Suspicious use of WriteProcessMemory (19 IoCs)
  writer                   target                  count
  regsvr32.exe (2040)  ->  regsvr32.exe (1664)     7
  regsvr32.exe (1664)  ->  Explorer.EXE (1312)     1
  regsvr32.exe (1664)  ->  rundll32.exe (868)      7
  rundll32.exe (868)   ->  Explorer.EXE (1312)     2
  rundll32.exe (868)   ->  taskhost.exe (1176)     1
  rundll32.exe (868)   ->  Dwm.exe (1276)          1
  The parent-to-child writes (2040 -> 1664, 1664 -> 868) accompany process creation. The writes into Explorer.EXE, taskhost.exe and Dwm.exe, none of which the writers created, are the injection-relevant entries; both writers also enabled SeDebugPrivilege, which is what a process needs to open those targets for writing.
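The Run-key and Protected Mode rows above are the ones a detection engineer would turn into rules. The Python below is an added example, not part of the sandbox report or of the sample: it replays the report's registry writes (transcribed from the rows above, plus one constructed benign OneDrive entry as a control) through a few heuristics: a rundll32 autorun whose module has a non-library extension, lives under a data or temp directory, or uses an 8.3 short path; an autorun value named after a Windows binary; and Zones\N\2500 = 3 together with NoProtectedModeBanner = 1. The HKCU prefix, the event tuple shape and the SYSTEM_BINARY_NAMES list are assumptions of the example.

```python
import re

# Added example, not part of the sandbox report: detection rules run over
# registry-write events shaped like the report's signature rows.
# Event shape (assumed): (kind, key, data, writing process).
HKCU = r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000"

# The first three rows are transcribed from the report; the fourth is a
# constructed benign Run entry so the rules have something they must not flag.
REG_EVENTS = [
    ("Set value (str)",
     HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe",
     r"C:\Windows\system32\rundll32.exe C:\PROGRA~3\qwecomesowi.dat,StartAs",
     "regsvr32.exe"),
    ("Set value (int)",
     HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500",
     "3", "rundll32.exe"),
    ("Set value (int)",
     HKCU + r"\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner",
     "1", "rundll32.exe"),
    ("Set value (str)",  # constructed benign control
     HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "explorer.exe"),
]

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
# rundll32[.exe] <module>,<Export>; quotes around host or module are optional.
RUNDLL32_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)
# Zones\<0-4>\2500 is the per-zone Protected Mode switch: 0 = on, 3 = off.
ZONE_PM_RE = re.compile(r"\\Internet Settings\\Zones\\(?P<zone>[0-4])\\2500$", re.IGNORECASE)
BANNER_SUFFIX = "\\internet explorer\\main\\noprotectedmodebanner"

# Illustrative (assumed) list of Windows binary names an autorun value may borrow.
SYSTEM_BINARY_NAMES = {"ctfmon.exe", "explorer.exe", "svchost.exe", "rundll32.exe", "taskhost.exe"}
LOADABLE_EXTS = {"dll", "cpl", "ocx", "ax"}


def run_value_findings(value_name, data):
    """Heuristics for one Run-key value; returns a list of short finding strings."""
    findings = []
    if value_name.lower() in SYSTEM_BINARY_NAMES:
        findings.append("value name borrows a Windows binary name")
    m = RUNDLL32_RE.match(data.strip())
    if not m:
        return findings
    module, export = m.group("module"), m.group("export")
    base = module.rsplit("\\", 1)[-1]
    ext = base.rpartition(".")[2].lower() if "." in base else ""
    if ext not in LOADABLE_EXTS:
        findings.append(f"rundll32 loads a .{ext or '<none>'} module via export {export}")
    if re.search(r"\\(?:PROGRA~\d|ProgramData|AppData|Temp)\\", module, re.IGNORECASE):
        findings.append("module lives in a data or temp directory")
    if "~" in module:
        findings.append("module path uses an 8.3 short name")
    return findings


def scan(events):
    """Return (writer, finding) pairs for Run-key abuse and Protected Mode tampering."""
    out = []
    for _kind, key, data, writer in events:
        rv = RUN_VALUE_RE.search(key)
        if rv:
            out.extend((writer, f) for f in run_value_findings(rv.group("name"), data))
            continue
        zm = ZONE_PM_RE.search(key)
        if zm and str(data) == "3":
            out.append((writer, f"IE Protected Mode disabled for zone {zm.group('zone')}"))
        elif key.lower().endswith(BANNER_SUFFIX) and str(data) == "1":
            out.append((writer, "IE Protected Mode warning banner suppressed"))
    return out


if __name__ == "__main__":
    for writer, finding in scan(REG_EVENTS):
        print(f"{writer}: {finding}")
```

Run against the transcribed rows, the ctfmon.exe value alone produces four findings (borrowed name, .dat module, data directory, 8.3 path) while the OneDrive control produces none; the same rules apply unchanged to Sysmon Event ID 13 or EDR registry telemetry once the tuples are filled from those sources.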
Processes

Explorer.EXE (PID 1312)  C:\Windows\Explorer.EXE
  regsvr32.exe (PID 2040)  C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f9847d8ea36e802327f7a4ae96bda5057e1c6c2af2e7986d1b2602de838af5b.dll
    - Suspicious use of WriteProcessMemory
    regsvr32.exe (PID 1664)  C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\1f9847d8ea36e802327f7a4ae96bda5057e1c6c2af2e7986d1b2602de838af5b.dll
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      rundll32.exe (PID 868)  C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\PROGRA~3\qwecomesowi.dat,StartAs
        - Deletes itself
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
Dwm.exe (PID 1276)  C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"
taskhost.exe (PID 1176)  C:\Windows\system32\taskhost.exe
  "taskhost.exe"

The 64-bit regsvr32.exe (PID 2040) relaunches its SysWOW64 copy (PID 1664) because the sample is a 32-bit DLL; the same WoW64 file-system redirection is why PID 868's command line names System32\rundll32.exe while the image that actually runs is SysWOW64\rundll32.exe. Dwm.exe and taskhost.exe have no parent in the tree: they are pre-existing session processes that appear here only as write targets of PID 868, not as processes the sample started.
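As an added example that is not part of the report, the Python below rebuilds the tree above from transcribed records and applies the two checks a triage script would make on it: which SysWOW64 child is the normal WoW64 hand-off of its System32 parent, and which WriteProcessMemory targets are not children of the writer. The record shape, the per-pair aggregation of the 19 write rows, and the None parent for the session processes are assumptions of the example.

```python
from collections import defaultdict

# Added example, not part of the sandbox report: rebuild the process tree and
# separate expected parent-to-child memory writes from writes into unrelated
# processes. Records are transcribed from the report's tree and its
# WriteProcessMemory rows; shape (assumed): (pid, ppid, image, command line).
# A ppid of None marks a pre-existing session process whose parent the
# report does not show.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1f9847d8ea36e802327f7a4ae96bda5057e1c6c2af2e7986d1b2602de838af5b.dll")
PROCS = [
    (1312, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1276, None, r"C:\Windows\system32\Dwm.exe", r'"C:\Windows\system32\Dwm.exe"'),
    (1176, None, r"C:\Windows\system32\taskhost.exe", '"taskhost.exe"'),
    (2040, 1312, r"C:\Windows\system32\regsvr32.exe", "regsvr32 /s " + SAMPLE),
    (1664, 2040, r"C:\Windows\SysWOW64\regsvr32.exe", "/s " + SAMPLE),
    (868, 1664, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\PROGRA~3\qwecomesowi.dat,StartAs'),
]
# (writer pid, target pid, count): the report's 19 rows aggregated by pair.
WRITES = [(2040, 1664, 7), (1664, 1312, 1), (1664, 868, 7),
          (868, 1312, 2), (868, 1176, 1), (868, 1276, 1)]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(procs):
    by_pid = {p[0]: p for p in procs}
    children = defaultdict(set)
    for pid, ppid, _img, _cmd in procs:
        if ppid is not None:
            children[ppid].add(pid)
    return by_pid, children


def chain(procs, pid):
    """Image basenames from the root ancestor down to pid."""
    by_pid, _ = build_tree(procs)
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return names[::-1]


def wow64_handoffs(procs):
    """(parent, child) pairs where a system32 binary spawned its own SysWOW64 copy.

    regsvr32 does this when asked to register a 32-bit DLL, so the hand-off
    itself is expected; what it tells you is that the sample is 32-bit."""
    by_pid, _ = build_tree(procs)
    pairs = []
    for pid, ppid, img, _cmd in procs:
        if ppid not in by_pid:
            continue
        pimg = by_pid[ppid][2]
        if (basename(pimg).lower() == basename(img).lower()
                and "\\system32\\" in pimg.lower()
                and "\\syswow64\\" in img.lower()):
            pairs.append((ppid, pid))
    return pairs


def foreign_writes(procs, writes):
    """Writes whose target is not a child of the writer. Parent-to-child writes
    accompany process creation and are dropped; what remains is injection-like."""
    _, children = build_tree(procs)
    return [(w, t, n) for w, t, n in writes if t not in children[w]]


def describe(procs, writes):
    by_pid, _ = build_tree(procs)

    def name(pid):
        return f"{basename(by_pid[pid][2])} ({pid})"

    lines = [f"{name(p)} handed off to its SysWOW64 copy {name(c)}: 32-bit module"
             for p, c in wow64_handoffs(procs)]
    lines += [f"{name(w)} wrote {n}x into unrelated process {name(t)}"
              for w, t, n in foreign_writes(procs, writes)]
    return lines


if __name__ == "__main__":
    print(" -> ".join(chain(PROCS, 868)))
    for line in describe(PROCS, WRITES):
        print(line)
```

On the report's data the chain for PID 868 is Explorer.EXE -> regsvr32.exe -> regsvr32.exe -> rundll32.exe, the only hand-off is 2040 -> 1664, and four write pairs survive the filter: the ones into Explorer.EXE, taskhost.exe and Dwm.exe. Feeding the same functions Sysmon Event ID 1 and 8/10 records gives the same separation on a live host.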
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\PROGRA~3\iwosemocewq.dat
  Filesize: 72.5MB
  MD5: 9dedbba6de3b60fe8960ea7392922982
  SHA1: 30eaab05ae6229653c1211c09e167c84eaba91c2
  SHA256: 50deb35f0b58bc1aee62621fa77b8b6b66dfd1700c32099b9edf5495e46703ee
  SHA512: 80f1b6b350c5f2d50c08494bcb70786d565a0f006445e3e64e20de9a0d784941d274ef42e736706ba82c88a6db0ebe9474b8faa496b718e89424e1d41d09b8b1

C:\PROGRA~3\qwecomesowi.dat (the report lists this file a second time as \PROGRA~3\qwecomesowi.dat with identical size and hashes)
  Filesize: 2.8MB
  MD5: aaac3dc2f5db49febaeaa127cc7a717e
  SHA1: 601ec3e28f005f97f1f1b982c8e4bc96ad82ba03
  SHA256: 240b9bf79457241a24d72f9a3b59e5d4a462d1f71ca2dac76a7bf30bc1184984
  SHA512: 857af623a40c7d620043cdf9d041a9f0e387e31b518ea3b6427e25974149a23ad01220e2d32b6c074dc34f9124eb98366bcc5c7c98a806da381a3d66800ad6c3

Memory dumps
  memory/868-63-0x0000000000000000-mapping.dmp
  memory/868-73-0x00000000006A0000-0x0000000000707000-memory.dmp   412KB
  memory/868-72-0x00000000007E0000-0x0000000000848000-memory.dmp   416KB
  memory/868-71-0x00000000006A0000-0x0000000000707000-memory.dmp   412KB
  memory/868-69-0x00000000006A0000-0x0000000000707000-memory.dmp   412KB
  memory/1664-58-0x0000000000930000-0x0000000000997000-memory.dmp  412KB
  memory/1664-62-0x0000000000930000-0x0000000000997000-memory.dmp  412KB
  memory/1664-66-0x0000000001E90000-0x0000000001EF7000-memory.dmp  412KB
  memory/1664-64-0x0000000000930000-0x0000000000997000-memory.dmp  412KB
  memory/1664-61-0x0000000000930000-0x0000000000997000-memory.dmp  412KB
  memory/1664-60-0x0000000001E90000-0x0000000001F10000-memory.dmp  512KB
  memory/1664-59-0x0000000000240000-0x000000000026B000-memory.dmp  172KB
  memory/1664-57-0x0000000000930000-0x0000000000997000-memory.dmp  412KB
  memory/1664-56-0x0000000075591000-0x0000000075593000-memory.dmp  8KB
  memory/1664-55-0x0000000000000000-mapping.dmp
  memory/2040-54-0x000007FEFBAC1000-0x000007FEFBAC3000-memory.dmp  8KB