Overview

overview

8

Static

static

3

0e9fa391b4...3a.dll

windows7-x64

8

0e9fa391b4...3a.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 04:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e9fa391b449719565a188b51105913a.dll

  • Size

    169KB

  • MD5

    0e9fa391b449719565a188b51105913a

  • SHA1

    845b9d1b5d2fcbf23333aa577cb18ccbaed3821b

  • SHA256

    e9063e847f506e45000ee8f983b3db62bc19f2e7fa79edc18f7b8162b6dfe46c

  • SHA512

    01a4f7b305e2fdae2b18dac6f6d29b74299dc5e341e386b912df5f7dc5deb0de1c97e821abf9a9a7b80ef74d296c95b7775e5df26319f1639ccf5390bada72e9

  • SSDEEP

    3072:h58nVS9CNRMrdfbkqaX9y8lJupNO2hOtvncB4SMM99QmVK9yB4U:hmVMCTMrdbWQ8lJ4NO2hOtvLTm0yB

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 9 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Windows\system32\regsvr32.exe
        regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0e9fa391b449719565a188b51105913a.dll
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\SysWOW64\regsvr32.exe
          /s C:\Users\Admin\AppData\Local\Temp\0e9fa391b449719565a188b51105913a.dll
          3⤵
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1416
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\System32\rundll32.exe" C:\PROGRA~3\mnjsimwinaso.dat,StartAs
            4⤵
            • Blocklisted process makes network request
            • Deletes itself
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Modifies Internet Explorer Protected Mode
            • Modifies Internet Explorer Protected Mode Banner
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2104
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1116

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        4
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\PROGRA~3\mnjsimwinaso.dat
          Filesize

          384KB

          MD5

          54650d2ffd39ade8363f89bd5840c5e1

          SHA1

          b631983d7281a11da39e866d79b139b103956b01

          SHA256

          26af6676bd386cf11d3c44184f575b90912de93ad68fbf3ccfcfd5940c5c9346

          SHA512

          f3d5cd1ce28c3e9d9635c3ef92fff696c3f379d948e60a49416cb4303e2abd5d56b7294f56bf5a9353b03623cf6e3ba750d9b703805e24e14eca239d98dd6dfc

          Download Submit
        • C:\PROGRA~3\mnjsimwinaso.dat
          Filesize

          1.2MB

          MD5

          ee8a7b97574c78c0a1870d6dc811d52d

          SHA1

          49696d1ad593328f83f5940a651b707045255543

          SHA256

          fcff9d063373259cb91e8e9f05be97e6cc4534e9a2793b5b3e0a4b45ef83f610

          SHA512

          494410c0c216485936656948e786a0ae9f40e9a3727f6456f2883860c9e30fd1c19179c679648f2d977f2da250cebeeaabc8a59313b3df9fa6a77a5bb2193a36

          Download Submit
        • C:\PROGRA~3\osaniwmisjnm.dat
          Filesize

          93KB

          MD5

          981a34b0fe8fc7b8cf314104f1faa213

          SHA1

          547b845a7b00690ca757affd2ac6433bdf1ce093

          SHA256

          753dd6fea80f0937f471c87f9e2be91d831296846ac4cba96064444e51b15b12

          SHA512

          05accfba97ca50bf74a82f4774d8fd05e635cf1293798b8d2c6396089045a0e1052ace41acc1b295383b037a9cd59724a2b314db54255f2b3691b9c709c74f77

          Download Submit
        • \PROGRA~3\mnjsimwinaso.dat
          Filesize

          365KB

          MD5

          770262a9dd7568343b24f4ea64d7e69d

          SHA1

          967ea21feab3941653f30cf18224f4a2988c80cd

          SHA256

          373c14557d9ce3773c925f96dfb780602daf458e4b9041b76ee12c0194054394

          SHA512

          8c2e44fdf499bced7b02b5d01313834a26a40e676c603edc425b06b64f1d6c8c93ea6144a6d62e8ac8a80be129bcd9ce3a9019aa2acbe2713e8b07fbb8f5cfcb

          Download Submit
        • memory/1208-15-0x0000000002B00000-0x0000000002B01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1416-2-0x0000000000700000-0x000000000072A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/1416-0-0x00000000008A0000-0x0000000000907000-memory.dmp
          Filesize

          412KB

          Download
        • memory/1416-1-0x00000000008A0000-0x0000000000907000-memory.dmp
          Filesize

          412KB

          Download
        • memory/1416-3-0x0000000002220000-0x0000000002288000-memory.dmp
          Filesize

          416KB

          Download
        • memory/1416-16-0x00000000008A0000-0x0000000000907000-memory.dmp
          Filesize

          412KB

          Download
        • memory/1416-4-0x00000000008A0000-0x0000000000907000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-19-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-21-0x0000000000350000-0x00000000003B8000-memory.dmp
          Filesize

          416KB

          Download
        • memory/2104-25-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-46-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-67-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-91-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-102-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-112-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-125-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-137-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-157-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-181-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download
        • memory/2104-192-0x0000000000400000-0x0000000000467000-memory.dmp
          Filesize

          412KB

          Download