24cd8e15e68a854a6ffc410669107b082c6d9a192cf671e51ee15735ec149287

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

561B145D9F8EBD81A4F097ECB8EA2EE8.exe
Size

658KB
MD5

561b145d9f8ebd81a4f097ecb8ea2ee8
SHA1

1a3e85e9018a06f260980487ed92849574d6e4e9
SHA256

24cd8e15e68a854a6ffc410669107b082c6d9a192cf671e51ee15735ec149287
SHA512

1cc855ad0d97b8a679aaa0b31c4bb4b758e3c9fe037381148e00f0ab0f047f2ba5ea98be229e04f6dc534c1d2a5e88809cb81319132b6b4e5d557e89eb683de9
SSDEEP

12288:SaejG/5NwYkK19iOCr+TMoO30mYn0YaAsGhQHxM5DKTrH5eZQ2m:2jGAK19iOCr+TMoO30mYn0YaAstHxM5y

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	1408	rundll32.exe
13	1408	rundll32.exe
14	1408	rundll32.exe
28	1408	rundll32.exe
30	1408	rundll32.exe
43	1408	rundll32.exe
45	1408	rundll32.exe
49	1408	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.Net CLRL74\Parameters\ServiceDll = "C:\\Windows\\system32\\e57ddae.dll"	561B145D9F8EBD81A4F097ECB8EA2EE8.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation	561B145D9F8EBD81A4F097ECB8EA2EE8.exe

Loads dropped DLL 3 IoCs

pid	Process
1636	561B145D9F8EBD81A4F097ECB8EA2EE8.exe
2316	svchost.exe
1408	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\e57ddae.dll	561B145D9F8EBD81A4F097ECB8EA2EE8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1636	561B145D9F8EBD81A4F097ECB8EA2EE8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1408	2316	svchost.exe	84
PID 2316 wrote to memory of 1408	2316	svchost.exe	84
PID 2316 wrote to memory of 1408	2316	svchost.exe	84
PID 1636 wrote to memory of 640	1636	561B145D9F8EBD81A4F097ECB8EA2EE8.exe	87
PID 1636 wrote to memory of 640	1636	561B145D9F8EBD81A4F097ECB8EA2EE8.exe	87
PID 1636 wrote to memory of 640	1636	561B145D9F8EBD81A4F097ECB8EA2EE8.exe	87

C:\Users\Admin\AppData\Local\Temp\561B145D9F8EBD81A4F097ECB8EA2EE8.exe
"C:\Users\Admin\AppData\Local\Temp\561B145D9F8EBD81A4F097ECB8EA2EE8.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\561B14~1.EXE" > nul
  2⤵
  PID:640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ".Net CLRL74"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\e57ddae.dll, Launch
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\e57ddae.dll

Filesize
610KB

MD5
576275c8bdfbcbbab2c14444c400275b

SHA1
3677fb22001fd76d64bcffb434c9718024e11675

SHA256
4220bfe33572be4f08d0ab835d47be7cb635fc3b2ebd4ed2c363a182aeabb4dc

SHA512
391e7086913e56bb3320ab90d21eb66aa33c10f150ff63f6b5fcd007f4402c7378c5432cb2ba44f02736fbfb36bc2b3c2822fe0743b0682e4c6d8a016986d54c

Download Submit
C:\Windows\SysWOW64\e57ddae.dll

Filesize
610KB

MD5
576275c8bdfbcbbab2c14444c400275b

SHA1
3677fb22001fd76d64bcffb434c9718024e11675

SHA256
4220bfe33572be4f08d0ab835d47be7cb635fc3b2ebd4ed2c363a182aeabb4dc

SHA512
391e7086913e56bb3320ab90d21eb66aa33c10f150ff63f6b5fcd007f4402c7378c5432cb2ba44f02736fbfb36bc2b3c2822fe0743b0682e4c6d8a016986d54c

Download Submit
C:\Windows\SysWOW64\e57ddae.dll

Filesize
610KB

MD5
576275c8bdfbcbbab2c14444c400275b

SHA1
3677fb22001fd76d64bcffb434c9718024e11675

SHA256
4220bfe33572be4f08d0ab835d47be7cb635fc3b2ebd4ed2c363a182aeabb4dc

SHA512
391e7086913e56bb3320ab90d21eb66aa33c10f150ff63f6b5fcd007f4402c7378c5432cb2ba44f02736fbfb36bc2b3c2822fe0743b0682e4c6d8a016986d54c

Download Submit
\??\c:\windows\SysWOW64\e57ddae.dll

Filesize
610KB

MD5
576275c8bdfbcbbab2c14444c400275b

SHA1
3677fb22001fd76d64bcffb434c9718024e11675

SHA256
4220bfe33572be4f08d0ab835d47be7cb635fc3b2ebd4ed2c363a182aeabb4dc

SHA512
391e7086913e56bb3320ab90d21eb66aa33c10f150ff63f6b5fcd007f4402c7378c5432cb2ba44f02736fbfb36bc2b3c2822fe0743b0682e4c6d8a016986d54c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads