Analysis
max time kernel: 1544s
max time network: 1549s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-08-2023 07:52
Behavioral tasks
behavioral1: Sample 44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b.dll, Resource win7-20230712-en
behavioral2: Sample 44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b.dll, Resource win10v2004-20230703-en
behavioral3: Sample 830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll, Resource win7-20230712-en
behavioral4: Sample 830700df4fc2b75b067479d6f2f67d51dff7e883d2a33793c905380a9351cb46.dll, Resource win10v2004-20230703-en
behavioral5: Sample b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll, Resource win7-20230712-en
behavioral6: Sample b89d80ca3f0a5da24b8b768d2d5eb35ca1322f6bc2b01e265465ac95d7d61279.dll, Resource win10v2004-20230703-en
behavioral7: Sample cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe, Resource win7-20230712-en
behavioral8: Sample cad0968f5ab3bedeffef68bbe18f92946fb97967cef59970157029480ed15bb9.exe, Resource win10v2004-20230703-en
behavioral9: Sample e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll, Resource win7-20230712-en
behavioral10: Sample e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll, Resource win10v2004-20230703-en
General
Target: e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
Size: 111KB
MD5: e3564138588cba04c873bd054458f8b9
SHA1: 157ec7421e1333b714d01a750b6d5d6517a92c45
SHA256: e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8
SHA512: 2a2e8ce45a928bcffdb40ebf6559c1f071bb3feccfd9cfe355e593acb559ecf84858cf4474708d311317ab08b3f981eba7c8b80dceae973839a0eec9049665c8
SSDEEP: 1536:3ui/9Xb791Wff4K84oeRnobxxm2ShclQaLMin8F5vAC+WEQbAmTjTpeyv0+gPzff:H/J7jWHT/oegcaQF5XEgHbpeyvfgT
Malware Config
Signatures
- Blocklisted process makes network request (42 IoCs)
  flow | pid | Process
  All 42 rows have pid 4036 and Process msiexec.exe, with flow ids 45, 47, 50, 53, 56, 59, 62, 88, 89, 90, 91, 92, 93, 94, 99, 100, 101, 102, 103, 104, 105, 110, 111, 112, 113, 114, 115, 116, 120, 121, 122, 123, 124, 125, 126, 130, 131, 132, 133, 134, 135, 136
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Giyh = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Gioby\\hediebig.dll,DllRegisterServer" | msiexec.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4356 set thread context of 4036 | 4356 | regsvr32.exe | 94
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 4036 | msiexec.exe
  Token: SeSecurityPrivilege | 4036 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 3472 wrote to memory of 4356 | 3472 | regsvr32.exe | 84
  PID 3472 wrote to memory of 4356 | 3472 | regsvr32.exe | 84
  PID 3472 wrote to memory of 4356 | 3472 | regsvr32.exe | 84
  PID 4356 wrote to memory of 4036 | 4356 | regsvr32.exe | 94
  PID 4356 wrote to memory of 4036 | 4356 | regsvr32.exe | 94
  PID 4356 wrote to memory of 4036 | 4356 | regsvr32.exe | 94
  PID 4356 wrote to memory of 4036 | 4356 | regsvr32.exe | 94
  PID 4356 wrote to memory of 4036 | 4356 | regsvr32.exe | 94
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
  PID: 3472
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\e3932ab83bc05de2e91d321c4d479ff1aa3d10fdbd91e1687c80cc0ec88270e8.dll
    PID: 4356
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      PID: 4036
      Signatures: Blocklisted process makes network request; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken