Analysis
-
max time kernel
94s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01/06/2023, 00:38
General
-
Target
1277ca71e55a3848bc68949c772ec14ba48865c03cd2fe9fd2fe66afcf6cd7b9.dll
-
Size
1.0MB
-
MD5
015592cd0f1256a4eab1be3cfa289359
-
SHA1
9c1bfe861013a94221500d2f104bc00874a3dacb
-
SHA256
1277ca71e55a3848bc68949c772ec14ba48865c03cd2fe9fd2fe66afcf6cd7b9
-
SHA512
ec5f4afd1e028aa3cb5508be64d838d6ccda3ebd17fd102c9383e4e9899d8e4eabb4a70547c0650df6b0a6356c061af75d7232d0551a54a336a53ff339ac80dc
-
SSDEEP
6144:eoXBwewxTr6448g1psPxdxfYKiiVDE71RlHpulnuFPZqtVQgdrwSO3jkPi4b5QJe:rBwhxTuaAfZHuuFIQcOHc9ASsS
Malware Config
Signatures
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 45 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1277ca71e55a3848bc68949c772ec14ba48865c03cd2fe9fd2fe66afcf6cd7b9.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\DeviceProperties.exeC:\Windows\system32\DeviceProperties.exe1⤵
-
C:\Windows\system32\dwm.exeC:\Windows\system32\dwm.exe1⤵
-
C:\Windows\system32\iscsicpl.exeC:\Windows\system32\iscsicpl.exe1⤵
-
C:\Windows\system32\LegacyNetUXHost.exeC:\Windows\system32\LegacyNetUXHost.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\69X.cmd1⤵
-
C:\Windows\system32\TSTheme.exeC:\Windows\system32\TSTheme.exe1⤵
-
C:\Windows\system32\PrintBrmUi.exeC:\Windows\system32\PrintBrmUi.exe1⤵
-
C:\Windows\system32\DTUHandler.exeC:\Windows\system32\DTUHandler.exe1⤵
-
C:\Windows\system32\RemotePosWorker.exeC:\Windows\system32\RemotePosWorker.exe1⤵
-
C:\Windows\system32\iscsicpl.exeC:\Windows\system32\iscsicpl.exe1⤵
-
C:\Windows\system32\phoneactivate.exeC:\Windows\system32\phoneactivate.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\T8j.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\fodhelper.exe"C:\Windows\System32\fodhelper.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\eczh.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /F /TN "Kakxbomh" /SC minute /MO 60 /TR "C:\Windows\system32\2043\phoneactivate.exe" /RL highest3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop'1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" .\1277ca71e55a3848bc68949c772ec14ba48865c03cd2fe9fd2fe66afcf6cd7b9.dll,322⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5df42e812a6927b8116e5492d332c8a55
SHA15157f905dc1922eb4da32b614ab1720ac2e93622
SHA256ca8cfefe14b45ebd13f55278a04cdbd352d10cb09a9943586e65344ad436169f
SHA5122b60c3c1950925c1be936fbd6c9b2a9382844261f3a8bb5e272818382c2816d01912790977def01002d436c787afc3292e1fbeeb420f20cc7d31d55a4a8d7362
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
3KB
MD54cfa90981271fb9883f829835e00bbd4
SHA1c45cdfb8247f74bfb592926a25e830290fda6f56
SHA25637d5327863656a272ca47e48b5024896c894dd97b39edee07c1b2dff6f594ef4
SHA512548bbf8b4a2eb8853589a30d975f8df6cb5c6593ab1f3ac86ce605cb69f041b2f7c9ae4d5f969a0aa2e1e1dfa4a9adb5bcab9209d8f7f20da38a7756511b7ce9
-
Filesize
221B
MD59cb3f54fc8c894059a313dcefabd45f0
SHA1571f1a79666282c315f00e07cea0dd3f82d71a8b
SHA25655807307eed7ff3efe3af1d7686a181ee193d29cc3ca4e6b1499adbc76d674f6
SHA512552a51a35385aceea9c9110b4a505da2105e894f79a4b83509a2c95e182e3a670540e3f5389d5f907b08442171116a642a1c83db8e8fb9f5922a68526c7ffd18
-
Filesize
195B
MD5da2c82780ff01e78d9757e79bc465e02
SHA14ff18b4681c6ace5e9f3d4481e33b52fdace41c7
SHA2567adc567063c6748cbcabc815c3a1af9c17883e110ca9e60bcd83f8e910f6613f
SHA512c452d0c8f26514746664d1c54a8f563b2ae652e5c8e32c5b8c4c8f362ce0b652da8ca697548456d6cde98a27f65c4a847bea67bc77b00315a8ab89cbeca91148
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
132B
MD5a551020817ea14a1c8f1c3c5a9f18abb
SHA16ed9c83b76e99f96607c520f8764d5488887145d
SHA256f7fb411426c3f94dda6514421d22dccbdbb08cbb561a46de56caaedac68413c3
SHA51207ef9289abe00ed9a329a39d6a3cc9d0af44d0935a97c6b30d52be043ba098c844b6800345bb846914ab7dd0129dbd5e5b2ef39deabb02250da945a0c14f4cf4
-
Filesize
1.0MB
MD566c2b7fa484ad7dd36957add0b863d82
SHA1e29846c546393f7e363901bd9eea2ec8297a04db
SHA2564280c960699cfbee89d4f9f471ce2342656bfe358e4f92b2daa7687dc8a0aa94
SHA512fe1b0e115bf672e25a0f916dfee46f8797cb501d6e43c2e6e8b784b7c04c2b48876d68e03b8c2be698d25c72049b61e04ce594d59fa5c77e30cd77b838da7660
-
Filesize
1.0MB
MD54b469126d515767c896339a85bcf4576
SHA105353a024f1189e5ca02c91dbde13bd2575f3265
SHA2564fb01efc35601d7e8539a03c1081de0948ca5d76a7264e42f262506b189a702b
SHA512c5c24faf88f81d2598b667536242934db8a89a35fd5a1e6fdc1e9771dbb6eb69d078f70737c9dffe85a05b910e681dfb3442607de2ece87a27b90ba02087f726
-
Filesize
11B
MD52f24b9adc372308b0ef3e10a75d934eb
SHA1dd7f58fc96c1081b97628bf292c2743ce9895fa4
SHA256d191607323f6b576b75bb227df6a9c72dce3faf7a5f299224fc32c90bc94d5f8
SHA5125f3d5e9d5d539b08f50c87860686071f90a920853dc9de10c0d824ba5f9ffe4cbfbf6ae5a33c55d53e7264fc8334f81f7bd64b4b79519d1c8cce99efa9e56b4f
-
Filesize
6KB
MD5b473f30b3fb81fd50b7954e239d2cd4f
SHA1352ec5cce50e88a7e4a35607c62635f6eebefe01
SHA256461efc1a5b925ae56efb399c58e83d53488269e161f4017042142c80b4f02e11
SHA5122a9e767c4f656b60e694505fdbe83c8daedc9364e7e9f903f392aa40292e7b8c657cbebc22681b9fccaa5c2260b837630b1d0149287d12dd8f64252eb8e42571
-
Filesize
6KB
MD50f0f77ec13a5d2b31dd4fefb96a9fdda
SHA138580e7a7146540ecb03f9894f0596443f7925fe
SHA2563e2b9706748480a171f189a96f1e1adfb51e7ccc2fdcafa36e824b20e2409647
SHA51292e2c39c7e9272d0290cdf4423e4946f34716b452e325ec53bd4b31d2dbf7c2cf046f0b0555160c14c4902e3c831c8b1f161a9a7b3c2af1874afaf903d282d56
-
Filesize
878B
MD5f73d2a379a3ba3ff5a84ac7774efd347
SHA1746257d690af552ceed3b2f3390e844674a4cd5d
SHA25680e317b03c6563032f3fe9086dbb09504fac49b7d005c811d5ec849277e11c2b
SHA5122fb82733b85bb7bc90a20df823b0f1e4610a4829043ec33d7536ce7f5aa9bbd15cb67cb0796c412f59c8ab368ca32f7c39705e45926a4426b0a8dff216fa0d72
-
Filesize
92KB
MD55c27608411832c5b39ba04e33d53536c
SHA1f92f8b7439ce1de4c297046ed1d3ff9f20bc97af
SHA2560ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565
SHA5121fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309
-
Filesize
28KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
28KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
2.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
272KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
28KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB