Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-12-2023 04:34

Static task: static1

Behavioral task: behavioral1
- Sample: 0e9fa391b449719565a188b51105913a.dll
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 0e9fa391b449719565a188b51105913a.dll
- Resource: win10v2004-20231215-en
General
- Target: 0e9fa391b449719565a188b51105913a.dll
- Size: 169KB
- MD5: 0e9fa391b449719565a188b51105913a
- SHA1: 845b9d1b5d2fcbf23333aa577cb18ccbaed3821b
- SHA256: e9063e847f506e45000ee8f983b3db62bc19f2e7fa79edc18f7b8162b6dfe46c
- SHA512: 01a4f7b305e2fdae2b18dac6f6d29b74299dc5e341e386b912df5f7dc5deb0de1c97e821abf9a9a7b80ef74d296c95b7775e5df26319f1639ccf5390bada72e9
- SSDEEP: 3072:h58nVS9CNRMrdfbkqaX9y8lJupNO2hOtvncB4SMM99QmVK9yB4U:hmVMCTMrdbWQ8lJ4NO2hOtvLTm0yB
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~3\\32simdllqwe.dat,StartAs" | regsvr32.exe

- Drops file in Program Files directory (4 IoCs)
  Processes: regsvr32.exe
  description | ioc | process
  File created | C:\PROGRA~3\32simdllqwe.dat | regsvr32.exe
  File opened for modification | C:\PROGRA~3\32simdllqwe.dat | regsvr32.exe
  File created | C:\PROGRA~3\ewqlldmis23.dat | regsvr32.exe
  File opened for modification | C:\PROGRA~3\ewqlldmis23.dat | regsvr32.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: regsvr32.exe
  pid | process
  476 | regsvr32.exe
  476 | regsvr32.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: regsvr32.exe
  description | pid | process
  Token: SeDebugPrivilege | 476 | regsvr32.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: regsvr32.exe, regsvr32.exe
  description | pid | process | target process
  PID 3136 wrote to memory of 476 | 3136 | regsvr32.exe | regsvr32.exe
  PID 3136 wrote to memory of 476 | 3136 | regsvr32.exe | regsvr32.exe
  PID 3136 wrote to memory of 476 | 3136 | regsvr32.exe | regsvr32.exe
  PID 476 wrote to memory of 3552 | 476 | regsvr32.exe | Explorer.EXE
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\regsvr32.exe (depth 2)
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0e9fa391b449719565a188b51105913a.dll
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (depth 3)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\0e9fa391b449719565a188b51105913a.dll
      Signatures:
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\PROGRA~3\32simdllqwe.dat
  Filesize: 1.2MB
  MD5: f77683d17764cb9dc123517d2ea43128
  SHA1: c24e0bde4f994d34259a8334d97e199d5c0937f8
  SHA256: 16d8ea40fdf9471ff76dadca46d4ebd5d8334d88b5508de9dec6dacd14135c29
  SHA512: ae0cb85c7d0b0c8f7b0539d3af56f3a3e370bf6e0ed03c715d570b97ae22dd56f6c1c56188907977e6354194d0a8223f00481a4ae9e942d2f54a9dc7840790dd

- C:\PROGRA~3\ewqlldmis23.dat
  Filesize: 1.2MB
  MD5: b5afe45995f25c5c30648f84a89dd606
  SHA1: 9dc8a44aa4e346faa3d6c02f5889c8a0923b8300
  SHA256: 11e7761e16e306937e9ff0175933d81e24c95b2488f3cbff70c7394dd2cb85a4
  SHA512: cf35434acc211f51bc8ac1f111c6b3b1780b27924e46fbc35b6d328e9c7aa7eee0d33ff621bb7c8e0d2716f6e6114dd5f304f49354c4ff42bff0efeb805ffaea

- memory/476-0-0x0000000000400000-0x0000000000467000-memory.dmp
  Filesize: 412KB

- memory/476-1-0x0000000002C90000-0x0000000002CBA000-memory.dmp
  Filesize: 168KB

- memory/476-2-0x0000000002D00000-0x0000000002D68000-memory.dmp
  Filesize: 416KB

- memory/476-3-0x0000000000400000-0x0000000000467000-memory.dmp
  Filesize: 412KB

- memory/476-14-0x0000000000400000-0x0000000000467000-memory.dmp
  Filesize: 412KB