Overview

overview

7

Static

static

3

bot3.dll

windows7-x64

6

bot3.dll

windows10-2004-x64

7

Resubmissions

24/05/2023, 19:53

230524-ymb7eafa8s 8

24/05/2023, 19:52

230524-ylkgdsfa7x 3

24/05/2023, 19:46

230524-ygzqhsef63 7

Analysis

  • max time kernel
    193s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2023, 19:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bot3.dll

  • Size

    3.3MB

  • MD5

    e362ae83e78eeb6ab2e6fa885c4bf114

  • SHA1

    c30b0261b6e741d960cd3fb552077efac9ee29b5

  • SHA256

    ecac2400261d2962ba84f149b9104fb6a6955ccb35d4044a464de26c545b2bd5

  • SHA512

    4d27f8cd937f2d919f311c3b039a66a95cead5bb5a2a19424ad3df5c9cd25193434ead5d4c54a4ea83168937401adaa8ad876e21567766bf6abd82c3a3e4be6c

  • SSDEEP

    49152:vfqRHVwASOpGtlqpDIU6iu4NkZTg+cSwDjys6VUbf01OEe04oE4UWz53B8YVTVq4:n6M+qGD8HzNPDVEkXpiJ

Score
7/10
persistence

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs 64 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bot3.dll
    1⤵
      PID:4664
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4008
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3352
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
        1⤵
        • Modifies system executable filetype association
        • Registers COM server for autorun
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4660
        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
          "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
          2⤵
            PID:4816
            • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
              C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
              3⤵
                PID:632

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
                  Filesize

                  471B

                  MD5

                  45ce82249f3e5513fdbab5bc281db94c

                  SHA1

                  be3de66c9f90f5854c0eb73359eec8082d618cbb

                  SHA256

                  cb5e51d40f2b7b32d0932c6de5aa3e1545f4b7aeebaef43818e7a773836c6083

                  SHA512

                  26e3d6533ce0e24c67d115ca6ab7e82d5ac3b48ad019d683eecff73381a4ff930064afefe8f574d8c4bf2d60b3915653474ef402530aee393771385c9c048263

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
                  Filesize

                  412B

                  MD5

                  ebff166e56db1d94a2a54c6bb73be85a

                  SHA1

                  dff29444b26cd99485bca1fc16994fb908652f4a

                  SHA256

                  d258627030b7a88cec5f25847ea04b063db803184f32efd74fa5dee1a9551763

                  SHA512

                  03e755c6d9e5dff6d7e08d8d467670f3ea756a20ed3eebdf83ecedc3b6bc473f9a046c122f8bbf0c2caf69f0ecb553b1f4565370b8efbd9178acc99ffd20b710

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
                  Filesize

                  40.2MB

                  MD5

                  fb4aa59c92c9b3263eb07e07b91568b5

                  SHA1

                  6071a3e3c4338b90d892a8416b6a92fbfe25bb67

                  SHA256

                  e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

                  SHA512

                  60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
                  Filesize

                  40.2MB

                  MD5

                  fb4aa59c92c9b3263eb07e07b91568b5

                  SHA1

                  6071a3e3c4338b90d892a8416b6a92fbfe25bb67

                  SHA256

                  e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

                  SHA512

                  60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
                  Filesize

                  40.2MB

                  MD5

                  fb4aa59c92c9b3263eb07e07b91568b5

                  SHA1

                  6071a3e3c4338b90d892a8416b6a92fbfe25bb67

                  SHA256

                  e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

                  SHA512

                  60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
                  Filesize

                  40.2MB

                  MD5

                  fb4aa59c92c9b3263eb07e07b91568b5

                  SHA1

                  6071a3e3c4338b90d892a8416b6a92fbfe25bb67

                  SHA256

                  e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

                  SHA512

                  60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
                  Filesize

                  63KB

                  MD5

                  e516a60bc980095e8d156b1a99ab5eee

                  SHA1

                  238e243ffc12d4e012fd020c9822703109b987f6

                  SHA256

                  543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

                  SHA512

                  9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
                  Filesize

                  77B

                  MD5

                  b5e5e1fd6c2ef877ec2fec6c76be08f9

                  SHA1

                  31d605f33b233611066814f301a89388faa1e9bd

                  SHA256

                  f67e39880681312e189577ffed206b4301f144c32aa7ea81aa3fcc9293acec19

                  SHA512

                  c3d50cd57a02299385030a6a39fb391d1e283e3561da5c7bd4dfc0459d13b602598e32d95eca5374952fcc14b55aad66ec0a5811d1c9587f3cb0efe21e5a91e5

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
                  Filesize

                  77B

                  MD5

                  b5e5e1fd6c2ef877ec2fec6c76be08f9

                  SHA1

                  31d605f33b233611066814f301a89388faa1e9bd

                  SHA256

                  f67e39880681312e189577ffed206b4301f144c32aa7ea81aa3fcc9293acec19

                  SHA512

                  c3d50cd57a02299385030a6a39fb391d1e283e3561da5c7bd4dfc0459d13b602598e32d95eca5374952fcc14b55aad66ec0a5811d1c9587f3cb0efe21e5a91e5

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\update100[1].xml
                  Filesize

                  726B

                  MD5

                  53244e542ddf6d280a2b03e28f0646b7

                  SHA1

                  d9925f810a95880c92974549deead18d56f19c37

                  SHA256

                  36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

                  SHA512

                  4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmp8DBF.tmp
                  Filesize

                  32.8MB

                  MD5

                  4566b9b1aa665dc3bc19197fc32b337e

                  SHA1

                  2e1c47e69f9b71bfc38e9c73c2926427ff584b9f

                  SHA256

                  5ad4508c86e6b22230e8d250106eabcf8110cbeee8cc3da72ddbfdb8538ce834

                  SHA512

                  134091d99a56ec346d3139b2ff17b9eb5bfe05dcde28399aac11e5a55b83fc577598ef71059dc15a67d041e0098614236b643017af9ac004ba524764cc354a5f

                  Download Submit

                • memory/3352-141-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3352-142-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3352-144-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3352-140-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3352-139-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3352-135-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3352-133-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3352-134-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3352-145-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3352-143-0x0000017A659F0000-0x0000017A659F1000-memory.dmp

                  Filesize

                  4KB

                  Download