f9d61f1953345a0da112b6653fbe72292c73ba8e67f875c0b60e0c8f05f4d024

Analysis

max time kernel
159s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

034952c93a87e5465783cea13800fbcd.exe
Size

154KB
MD5

034952c93a87e5465783cea13800fbcd
SHA1

f0fdb581db3183ea3d0a40f4e6386bb310dac4b8
SHA256

f9d61f1953345a0da112b6653fbe72292c73ba8e67f875c0b60e0c8f05f4d024
SHA512

1a8d85efd59936156c68fae0018aa6a65f6fb210edc620b703d4218136034165006022c0fdb87a29eeed738e9bf5a1f940bd81f29a2d94067cae3c8389673a90
SSDEEP

3072:r0Cc0k/A9aXfaOxMy/+wErSdhz2ZJsZ4CDl5sgqu3W+YlLsQ0i:rW0kXXfaOxMy/+wE6UZJsZ4Clqu3gL

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	396	RUNDLL32.EXE

Deletes itself 1 IoCs

pid	Process
1704	RUNDLL32.EXE

Loads dropped DLL 2 IoCs

pid	Process
1704	RUNDLL32.EXE
396	RUNDLL32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Autorun = "RUNDLL32.EXE \"C:\\ProgramData\\Microsoft\\PDA\\TVT.DLL\" VzcPlqsyj 3"	RUNDLL32.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\SS\PROXY	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SS	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SS\PROXY	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	RUNDLL32.EXE
Token: SeTcbPrivilege	396	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 1704	5060	034952c93a87e5465783cea13800fbcd.exe	90
PID 5060 wrote to memory of 1704	5060	034952c93a87e5465783cea13800fbcd.exe	90
PID 5060 wrote to memory of 1704	5060	034952c93a87e5465783cea13800fbcd.exe	90
PID 1704 wrote to memory of 396	1704	RUNDLL32.EXE	92
PID 1704 wrote to memory of 396	1704	RUNDLL32.EXE	92
PID 1704 wrote to memory of 396	1704	RUNDLL32.EXE	92

C:\Users\Admin\AppData\Local\Temp\034952c93a87e5465783cea13800fbcd.exe
"C:\Users\Admin\AppData\Local\Temp\034952c93a87e5465783cea13800fbcd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\RUNDLL32.EXE
  RUNDLL32.EXE "C:\ProgramData\Microsoft\PDA\TVT.DLL" VzcPlqsyj 0 "C:\Users\Admin\AppData\Local\Temp\034952c93a87e5465783cea13800fbcd.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    RUNDLL32.EXE "C:\ProgramData\Microsoft\PDA\TVT.DLL" VzcPlqsyj 3
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\PDA\TVT.DLL

Filesize
153KB

MD5
8794b968b5c3fbefa9a65405e70d0c71

SHA1
cfa55a57682f5cdb370fc7e9bca102ad6e9397e9

SHA256
ffa7b06212eeb312e28e41bd599ab9ee7b784d2b0dde50e6802db1e40d875f90

SHA512
96b1f68f9a13578d9d44dfb1ffb7c076c0d35ec59bde3c246b1b38c81a5a3a0febba76cd9a805521f4bc845449588f81e98ade2c10c58928df7f3d6a58eda639

Download Submit
C:\ProgramData\Microsoft\PDA\TVT.DLL

Filesize
134KB

MD5
3dee15921e7e4b1b87e7c8916e02748f

SHA1
8fe371a5cc6ae340fdb8237477a02d1bb8e8b125

SHA256
4924b9e1511aee61e5d29e5b60a4dcbed493ab9f83aeebfef95531e356131247

SHA512
2da0990862f02024562f07e6a8054b1c6610df9f5aab743c370b23867bb2f1e8469a9df28f55d215a1c36a2093c4f940daa817506782b905cc62e7877e7de72e

Download Submit
C:\ProgramData\Microsoft\PDA\TVT.DLL

Filesize
108KB

MD5
67db607fc24f6673f5642231c72c6148

SHA1
9a1b0d71368976cec43f89ad82814946ab1dc576

SHA256
efc38899ab35a2943a4cb57e329fc9deb113ad0e9467bc677e2e5b7bf1515e0c

SHA512
29ec9bde65ecf46325988776151b61d269921babdcec85507f95a45015a3e0a67e2644f835a0c692305d237488b24f7f38cacbba6d8b24204a6fe9ed3100dfe2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads