Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
19/11/2023, 22:24
General
-
Target
c6fc9524fec2a6e2d2954d11b67a4d86a3c4a5672f21c388b1ab555e6fd09888.dll
-
Size
912KB
-
MD5
d24b38a543bfbb715b93e9059a79ada5
-
SHA1
af4b41a4ddd99d866360160f755a5f55fc8f35f0
-
SHA256
c6fc9524fec2a6e2d2954d11b67a4d86a3c4a5672f21c388b1ab555e6fd09888
-
SHA512
abceb1d12fc00678b63d2439341e04bdee65952230ebd6ba674d9a9b8b6fccea04fed1e4b9f1c8f2064c944b7f5b8d71749a7b2b343923d335a8bd03b5eb3830
-
SSDEEP
12288:v+YE32Q8n9FgCBT4jh0rOcazvLbzTq4TYSyPKcaTuxfa:vvEwnfg04jgaXbzG4TYS8KcR
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c6fc9524fec2a6e2d2954d11b67a4d86a3c4a5672f21c388b1ab555e6fd09888.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\sethc.exeC:\Windows\system32\sethc.exe1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0mct.cmd1⤵
-
C:\Windows\system32\unregmp2.exeC:\Windows\system32\unregmp2.exe1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\YOzYb.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Zulhjuyrr" /TR C:\Windows\system32\rNkY\unregmp2.exe /SC minute /MO 60 /RL highest1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Zulhjuyrr"1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Zulhjuyrr"1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Zulhjuyrr"1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Zulhjuyrr"1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Zulhjuyrr"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD528a9702102176fc50e153d9ad3f2305f
SHA10c962fd8229c0c3bbb5839cade2ee31bc7e6bba8
SHA25671c15d4ce1077317d2739ff1e4b5d7652f63837e672dbd69f7a032403939ff80
SHA512579fbb5931f20df3f2fd8f2e22bfe1393d31ba1453412589e1b4ab6ebf61533ff49c8fa05382b44e4a2929d203ca3f55988fc13d5711972c530194daced1c571
-
Filesize
195B
MD54007d9c9144bf845789c835034cd6bae
SHA1a0a2ed9cf7a8628758350c8ed514c033f150090e
SHA2565cc04ce3c315966647c68b16177772215cac525a13690685e4b805f88354c515
SHA51226865a46b0f28bb8222e47d4d13dec78c2a061618a65f9c0a389ead7e0226f36b6ce917d27035e1f7fa6e43536d8bdf6edd3233fd6c6586cd12f20e53866d32e
-
Filesize
916KB
MD5c46de1ae040ff25d2f18f051d3a248e2
SHA13838dd06278bfe163dd2b8bfedda8a6b97b169bb
SHA256c3532d6592075a2c83f99a2d1d5dffd6d382569f581738cd3c3f305f1899839e
SHA512c51e60021d9f6e91110550997d8dff3b578ccf0dfcbce125f388f544cb27e7e89ad124f7ae27e6485615e90ffd2446da14e701c8f7fcdae5d4e985380b08abd3
-
Filesize
916KB
MD57edb7d1bf020aa95b8d8cbecd3614777
SHA1f4c9b14902141dc2e1f4ffa7356df1998d04a263
SHA2566254821165d0051ddf8f588dd23c58c920b0f1f85114a0331f89e7ac74fb5715
SHA512288201e498776a44ffc4dca0e864063c6ab9a11fca9da76a0f3e5bf3fdc76cf6ac51797b5979044236a1ad23d8f5f234694a144ce70a52ba8d7ecefaa97a2460
-
Filesize
774B
MD528e2f57dbc78151a830c46018fd113e6
SHA1821145d27d46be3aab4d361498d1fd0a43094550
SHA2564ea7f34e44133f5fdbbfd220263f625dc7fe448ef91c10a35542e9913457bcd3
SHA5126fd64728bbeaa1a3d8c293d9d29597be586b7d061a3ac9e68e56f6c8192bdc8f7cc80b797a4d0ffb8a094f455d13f234d791aad4cdf96c02f2e1f0de6228b052
-
Filesize
272KB
MD53bcb70da9b5a2011e01e35ed29a3f3f3
SHA19daecb1ee5d7cbcf46ee154dd642fcd993723a9b
SHA256dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
SHA51269d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df
-
Filesize
272KB
MD53bcb70da9b5a2011e01e35ed29a3f3f3
SHA19daecb1ee5d7cbcf46ee154dd642fcd993723a9b
SHA256dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
SHA51269d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
4KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
4KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
4KB
-
Filesize
912KB
-
Filesize
32KB
-
Filesize
912KB