2411b23bab7703e94897573f3758e1849fdc6f407ea1d1e5da20a4e07ecf3c09

Analysis

max time kernel
542s
max time network
589s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2023, 11:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2411b23bab7703e94897573f3758e1849fdc6f407ea1d1e5da20a4e07ecf3c09.dll
Size

473KB
MD5

3d051c701fbdf002650f8f90267ee16d
SHA1

e835e5d57c769cb86e9e61ff8e28d7bad1421cdb
SHA256

2411b23bab7703e94897573f3758e1849fdc6f407ea1d1e5da20a4e07ecf3c09
SHA512

4018efc79da22eb577a889b608c662ae5d59fc6c8dead939fd814675c08fdd0ac372aa132357451fe4231f592a13ad9b3dfca0f2a12ef9946601a277c18a7dde
SSDEEP

6144:nYGKcdvv6azsXOkDriqiN0DaSCrIB28UJ1F5FRpS0Xu0X:YGKKDADhi+Da3rIByJ13pRxX

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	SndVol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\postventralImpetuosityJunglewood = "regsvr32 /s \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\CostumicEuxineUndernatural\\postventralImpetuosityJunglewood.dll\" "	SndVol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 1696	3028	regsvr32.exe	85

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4492	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1696	SndVol.exe
1696	SndVol.exe
1696	SndVol.exe
1696	SndVol.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
3028	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe
Token: SeDebugPrivilege	1592	whoami.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 3028	2052	regsvr32.exe	84
PID 2052 wrote to memory of 3028	2052	regsvr32.exe	84
PID 2052 wrote to memory of 3028	2052	regsvr32.exe	84
PID 3028 wrote to memory of 1696	3028	regsvr32.exe	85
PID 3028 wrote to memory of 1696	3028	regsvr32.exe	85
PID 3028 wrote to memory of 1696	3028	regsvr32.exe	85
PID 3028 wrote to memory of 1696	3028	regsvr32.exe	85
PID 3028 wrote to memory of 1696	3028	regsvr32.exe	85
PID 3028 wrote to memory of 1696	3028	regsvr32.exe	85
PID 3028 wrote to memory of 1696	3028	regsvr32.exe	85
PID 3028 wrote to memory of 1696	3028	regsvr32.exe	85
PID 3028 wrote to memory of 1696	3028	regsvr32.exe	85
PID 1696 wrote to memory of 1592	1696	SndVol.exe	93
PID 1696 wrote to memory of 1592	1696	SndVol.exe	93
PID 1696 wrote to memory of 1592	1696	SndVol.exe	93
PID 1696 wrote to memory of 4492	1696	SndVol.exe	95
PID 1696 wrote to memory of 4492	1696	SndVol.exe	95
PID 1696 wrote to memory of 4492	1696	SndVol.exe	95

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2411b23bab7703e94897573f3758e1849fdc6f407ea1d1e5da20a4e07ecf3c09.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\2411b23bab7703e94897573f3758e1849fdc6f407ea1d1e5da20a4e07ecf3c09.dll
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\SndVol.exe
    "C:\Windows\SysWOW64\SndVol.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\whoami.exe
      whoami.exe /all
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1592
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig.exe /all
      4⤵
      Gathers network information
      PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-133-0x0000000000EA0000-0x0000000000EAF000-memory.dmp

Filesize
60KB

Download
memory/1696-137-0x0000000000EA0000-0x0000000000EAF000-memory.dmp

Filesize
60KB

Download
memory/1696-140-0x0000000000EA0000-0x0000000000EAF000-memory.dmp

Filesize
60KB

Download