Analysis
-
max time kernel
118s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
19-11-2023 22:24
General
-
Target
c6fc9524fec2a6e2d2954d11b67a4d86a3c4a5672f21c388b1ab555e6fd09888.dll
-
Size
912KB
-
MD5
d24b38a543bfbb715b93e9059a79ada5
-
SHA1
af4b41a4ddd99d866360160f755a5f55fc8f35f0
-
SHA256
c6fc9524fec2a6e2d2954d11b67a4d86a3c4a5672f21c388b1ab555e6fd09888
-
SHA512
abceb1d12fc00678b63d2439341e04bdee65952230ebd6ba674d9a9b8b6fccea04fed1e4b9f1c8f2064c944b7f5b8d71749a7b2b343923d335a8bd03b5eb3830
-
SSDEEP
12288:v+YE32Q8n9FgCBT4jh0rOcazvLbzTq4TYSyPKcaTuxfa:vvEwnfg04jgaXbzG4TYS8KcR
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c6fc9524fec2a6e2d2954d11b67a4d86a3c4a5672f21c388b1ab555e6fd09888.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msinfo32.exeC:\Windows\system32\msinfo32.exe1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\J9p.cmd1⤵
-
C:\Windows\system32\wbengine.exeC:\Windows\system32\wbengine.exe1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ML6T5E.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Qyyjbocrodgi" /TR C:\Windows\system32\yjTIw\wbengine.exe /SC minute /MO 60 /RL highest1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Qyyjbocrodgi"1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Qyyjbocrodgi"1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Qyyjbocrodgi"1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Qyyjbocrodgi"1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /Query /TN "Qyyjbocrodgi"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
920KB
MD588ab63c792eb46ce2452fb82d24b1bce
SHA1db1cc044cbc26a91be7e8c14afd337147f187dd9
SHA256613509e44be9dba5257c95a18bec570c167952f3621fbfafc18ae5fd9cf3ea05
SHA512497ba4716a2b153847c6181b622678f4de73b547e0740a2b622f392613e714b8a59db0a6e9ed8a675dca44c14df50b8ba6ac887df5dd9e3e8f967fa6280ff3f9
-
Filesize
225B
MD5b0c4e7d85acd3a916859d46995f08363
SHA1adf277b392580084b14751b6e88f12a1432715c0
SHA256f7df85fc024f2b679b5b45f6350cc5bf6a2602ea4a81f4f7fea4e265f07febe1
SHA5128114ce4f338de192a541a9069a845cd830516103b6a8f91114d95a1b586118452bc703490f3e74a6f73d62ffb97c77dca92544313b9890b4e5090a22a6305370
-
Filesize
916KB
MD537039d8080a8eb5e33532bb958ac0e36
SHA1797f5fbf22f610ac58870b44b3ecca19521ba3b4
SHA2561883ab706228c955b4638d6e98bc7a2b39633a7c4f200c971621536dc89f372f
SHA512c069ec20b312ff072a0aa4274ae0738d116c17299d52ac5a92e12da9d4f500fabeeaa193f0a4d74c262c6232bbdf45050eedf915470a244369aaadd8ad2205ac
-
Filesize
192B
MD5a27d50fc0d2d2079d98beb187dd430db
SHA1116610a7882d922b579b6314e92905983413de09
SHA256d89533526d1344b2a6d0b8d5e60d3dd88c5dd90b66119a759dfd8960964eec2b
SHA5124d414e1ef1dead1569c4f98a927ae8a8d34f4b4731030123c879d7a43e9fa0c56d53fc8a4957e6402e0294ee718c2525a3360c83d01ce423a5224ef118ac0077
-
Filesize
376KB
MD50aed91da63713bf9f881b03a604a1c9d
SHA1b1b2d292cb1a4c13dc243b5eab13afb316a28b9a
SHA2565cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14
SHA51204bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03
-
Filesize
876B
MD58bafe3af0f304d4e2cd2434ea790c450
SHA14f4c91033dae452782db4576085d01e3a52a5863
SHA256dc202ab9a9bfff1236f89f27173453546672cfb383110c1483c0be077e13cd2f
SHA512f82166b611380f3d592c542a73d5fc6b90fd06aab7b90663c7676c0461d910d0ce1614f24f199db3831bb15f57329daf235959b10a250767dbdcd8c89b2c65bd
-
Filesize
32KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
912KB
-
Filesize
912KB
-
Filesize
32KB
-
Filesize
64KB