e3ff5ca6952b263f1e3280b8ac648316a25fe1b5be45dae11317918d8856612a

General

Target

launcher.bat
Size

87B
MD5

864189b29e0ee9338690f34f60d9ed61
SHA1

2f130b692da72031ca0089894b84d716319c3b9a
SHA256

6887bbcea8d76ccb3cdf324d5a7b0feea4a7bbc17e4c05c9e7e07c735ba565a4
SHA512

957853c8a9a67d0555ddeb3981440d9709ff2762a4e4ae7cf48bc2a8a4cb9304154b696411ea4a521871b8322bdb433fd36988e230b91d1656f6c0c8488abafb

Score

8^/10

dave discovery

Malware Config

Signatures

Blocklisted process makes network request 29 IoCs

Processes:

rundll32.exe

flow	pid	process
28	4820	rundll32.exe
30	4820	rundll32.exe
31	4820	rundll32.exe
32	4820	rundll32.exe
33	4820	rundll32.exe
34	4820	rundll32.exe
35	4820	rundll32.exe
36	4820	rundll32.exe
37	4820	rundll32.exe
38	4820	rundll32.exe
40	4820	rundll32.exe
41	4820	rundll32.exe
42	4820	rundll32.exe
43	4820	rundll32.exe
44	4820	rundll32.exe
45	4820	rundll32.exe
46	4820	rundll32.exe
47	4820	rundll32.exe
49	4820	rundll32.exe
51	4820	rundll32.exe
52	4820	rundll32.exe
53	4820	rundll32.exe
54	4820	rundll32.exe
55	4820	rundll32.exe
56	4820	rundll32.exe
57	4820	rundll32.exe
58	4820	rundll32.exe
59	4820	rundll32.exe
60	4820	rundll32.exe

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral4/memory/4820-1-0x0000000002C40000-0x0000000003016000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2500 4820 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2500	4820	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exepowershell.exe

pid process

4820 rundll32.exe
4820 rundll32.exe
3528 powershell.exe
3528 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3528 powershell.exe

pid	process
4820	rundll32.exe
4820	rundll32.exe
3528	powershell.exe
3528	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3528	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3832 wrote to memory of 3276	3832	cmd.exe	rundll32.exe
PID 3832 wrote to memory of 3276	3832	cmd.exe	rundll32.exe
PID 3276 wrote to memory of 4820	3276	rundll32.exe	rundll32.exe
PID 3276 wrote to memory of 4820	3276	rundll32.exe	rundll32.exe
PID 3276 wrote to memory of 4820	3276	rundll32.exe	rundll32.exe
PID 4820 wrote to memory of 3528	4820	rundll32.exe	powershell.exe
PID 4820 wrote to memory of 3528	4820	rundll32.exe	powershell.exe
PID 4820 wrote to memory of 3528	4820	rundll32.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\system32\rundll32.exe
rundll32.exe dino.dll ADMISSIONS_get0_admissionAuthority
2⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe dino.dll ADMISSIONS_get0_admissionAuthority
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 2100
4⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4820 -ip 4820
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4820 -ip 4820
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4820 -ip 4820
1⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4820 -ip 4820
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4820 -ip 4820
1⤵
PID:3516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sev2dtsi.ch3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3528-99-0x0000000006EB0000-0x0000000006F53000-memory.dmp

Filesize
652KB

Download
memory/3528-104-0x00000000071D0000-0x00000000071E1000-memory.dmp

Filesize
68KB

Download
memory/3528-72-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/3528-61-0x0000000006C70000-0x0000000006CA2000-memory.dmp

Filesize
200KB

Download
memory/3528-62-0x000000006F3F0000-0x000000006F43C000-memory.dmp

Filesize
304KB

Download
memory/3528-103-0x0000000007250000-0x00000000072E6000-memory.dmp

Filesize
600KB

Download
memory/3528-102-0x0000000007040000-0x000000000704A000-memory.dmp

Filesize
40KB

Download
memory/3528-101-0x0000000006FD0000-0x0000000006FEA000-memory.dmp

Filesize
104KB

Download
memory/3528-100-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/3528-44-0x0000000000F10000-0x0000000000F46000-memory.dmp

Filesize
216KB

Download
memory/3528-106-0x0000000007210000-0x0000000007224000-memory.dmp

Filesize
80KB

Download
memory/3528-107-0x0000000007310000-0x000000000732A000-memory.dmp

Filesize
104KB

Download
memory/3528-105-0x0000000007200000-0x000000000720E000-memory.dmp

Filesize
56KB

Download
memory/3528-60-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

Filesize
304KB

Download
memory/3528-59-0x0000000005C90000-0x0000000005CAE000-memory.dmp

Filesize
120KB

Download
memory/3528-58-0x00000000057A0000-0x0000000005AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3528-108-0x00000000072F0000-0x00000000072F8000-memory.dmp

Filesize
32KB

Download
memory/3528-53-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/3528-47-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/3528-46-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

Filesize
136KB

Download
memory/3528-45-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/4820-23-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-24-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-37-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-40-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-41-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-42-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-43-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-34-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-33-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-32-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-30-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-29-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-27-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-26-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-25-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-36-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-1-0x0000000002C40000-0x0000000003016000-memory.dmp

Filesize
3.8MB

Download
memory/4820-22-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-21-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-74-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-20-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-19-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-18-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-17-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-16-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

Filesize
4KB

Download
memory/4820-15-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-14-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

Filesize
4KB

Download
memory/4820-13-0x00000000038D0000-0x00000000040DA000-memory.dmp

Filesize
8.0MB

Download
memory/4820-5-0x0000000000400000-0x00000000007DF000-memory.dmp

Filesize
3.9MB

Download
memory/4820-0-0x0000000003020000-0x00000000033F8000-memory.dmp

Filesize
3.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads