Analysis

  • max time kernel: 153s
  • max time network: 147s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 27-11-2022 16:11

General

  • Target: ec021c01776c7e86e836ae56f331b88196a5024589b3a0a811b7c8aebacdc116.dll
  • Size: 1.5MB
  • MD5: 849a766ef139b1c82e4cc8541fbb1c1c
  • SHA1: 2d3dfa8517778130e507be7b58f1a96ea7c210ad
  • SHA256: ec021c01776c7e86e836ae56f331b88196a5024589b3a0a811b7c8aebacdc116
  • SHA512: c48bc320d04f5daf612784841a8a47cf544555803076d8933340636b986ec6babf144cc7704e2115b997dc10507eeaf2049239a90ec9b76b8670c90091207b5d
  • SSDEEP: 6144:GXkWpMQwzjCZl13fTS5W3tc7T1rdEjVJ3D:GXNMQ1ZDfTS5eccjVBD

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1140
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1284
        • C:\Windows\system32\regsvr32.exe
          regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ec021c01776c7e86e836ae56f331b88196a5024589b3a0a811b7c8aebacdc116.dll
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Windows\SysWOW64\regsvr32.exe
            /s C:\Users\Admin\AppData\Local\Temp\ec021c01776c7e86e836ae56f331b88196a5024589b3a0a811b7c8aebacdc116.dll
            3⤵
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1912
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\System32\rundll32.exe" C:\PROGRA~3\comsubjejm.dat,StartAs
              4⤵
              • Blocklisted process makes network request
              • Deletes itself
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Modifies Internet Explorer Protected Mode
              • Modifies Internet Explorer Protected Mode Banner
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:276
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1228

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 signature
  • Defense Evasion: Modify Registry (T1112), 4 signatures


Downloads

  • C:\PROGRA~3\comsubjejm.dat
    Filesize: 2.5MB
    MD5: 9fae9a23a0e61826e2d5f635e8c158e5
    SHA1: cfc3b995c215a5c8126f38ac98f31e0309227d56
    SHA256: 102da2a7d81e2a1e73db95605e905ffb5e560867d1e86677b227e4229cb9a517
    SHA512: 47e81993c69ff60504e02b240f5a23887b1426bbc0ba0a0c111bf922720a86515d23f799cc2638f8d4f20139d591ffa5a7789f9668d18dce6ad1aa2463d9927e
  • C:\PROGRA~3\mjejbusmoc.dat
    Filesize: 72.5MB
    MD5: fd720cc32b3d38b8d8a1c8b027b53969
    SHA1: 1cf205f43ec6c5964bc1691c9fe79b6b5adb61a6
    SHA256: ab99b89eb541863fdaf1b743fd8032cf0dca93a204ad62b5131edaecd274e746
    SHA512: 240cc4dd52753c0ec27006f4fb236f1bc19aec9b7216993d292720bc480f0815f94bb955dc6242e981df7c156723cc8d47894fa1974558c11831e0f053d41f69
  • \PROGRA~3\comsubjejm.dat
    Filesize: 2.5MB
    MD5: 9fae9a23a0e61826e2d5f635e8c158e5
    SHA1: cfc3b995c215a5c8126f38ac98f31e0309227d56
    SHA256: 102da2a7d81e2a1e73db95605e905ffb5e560867d1e86677b227e4229cb9a517
    SHA512: 47e81993c69ff60504e02b240f5a23887b1426bbc0ba0a0c111bf922720a86515d23f799cc2638f8d4f20139d591ffa5a7789f9668d18dce6ad1aa2463d9927e
  • memory/276-61-0x0000000000000000-mapping.dmp
  • memory/276-66-0x00000000007E0000-0x0000000000847000-memory.dmp
    Filesize: 412KB
  • memory/276-68-0x00000000007E0000-0x0000000000847000-memory.dmp
    Filesize: 412KB
  • memory/276-69-0x00000000008F0000-0x0000000000958000-memory.dmp
    Filesize: 416KB
  • memory/276-70-0x00000000007E0000-0x0000000000847000-memory.dmp
    Filesize: 412KB
  • memory/1912-59-0x0000000000210000-0x000000000023B000-memory.dmp
    Filesize: 172KB
  • memory/1912-60-0x0000000001E00000-0x0000000001E80000-memory.dmp
    Filesize: 512KB
  • memory/1912-62-0x0000000001E00000-0x0000000001E33000-memory.dmp
    Filesize: 204KB
  • memory/1912-58-0x0000000001E00000-0x0000000001E80000-memory.dmp
    Filesize: 512KB
  • memory/1912-56-0x0000000076031000-0x0000000076033000-memory.dmp
    Filesize: 8KB
  • memory/1912-55-0x0000000000000000-mapping.dmp
  • memory/1996-54-0x000007FEFB831000-0x000007FEFB833000-memory.dmp
    Filesize: 8KB