Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 12:27
Behavioral task behavioral1: sample 188202eedc45fc7c3f1799fbf449209a.exe, resource win7-20231129-en
Behavioral task behavioral2: sample 188202eedc45fc7c3f1799fbf449209a.exe, resource win10v2004-20231215-en
General
Target: 188202eedc45fc7c3f1799fbf449209a.exe
Size: 41KB
MD5: 188202eedc45fc7c3f1799fbf449209a
SHA1: 59e58949c6cabc5f74cabef002c54c3b097eeeb3
SHA256: 5fd3f8fb423272aca3aa2d1eef9bf062e207f4e34aeeab683ef9f3a7f737d848
SHA512: 5180792a598cff9071c21cd84b1cd8ec56b36dd1c97723885fd6a2c3e4f85214777e5e175ebcf73d0dcae05a052721dc53f54d4207387bcf074e4410c54e6b36
SSDEEP: 768:KvBgclfRsHJhSS2/TsiD9e12jECpBvU+z6Isas06E+:KE/nwTl9e12Jpu+z5ds06E
Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\rundll32.exe = "C:\\Windows\\SysWOW64\\rundll32.exe:*:Enabled:rundll32" | rundll32.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
3 | 2264 | rundll32.exe
Drops file in Drivers directory 64 IoCs
description | ioc | Process (all 64 entries are "File created" by rundll32.exe)
File created | C:\Windows\SysWOW64\drivers\lsi_scsi.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\nvstor.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\compbatt.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\VMBusHID.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\ipfltdrv.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\tcpipreg.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\usbehci.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\volsnap.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\ACPI.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\HpSAMD.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\asyncmac.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\arc.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\sermouse.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\smb.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\ndisuio.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\rdyboost.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\synth3dvsc.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\appid.sys | rundll32.exe
File created | C:\Windows\SysWOW64\Drivers\BrSerWdm.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\umbus.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\usbhub.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\adpu320.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\drmkaud.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\msdsm.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\vgapnp.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\mouclass.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\vhdmp.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\hcw85cir.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\lltdio.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\partmgr.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\MSTEE.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\sffp_mmc.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\sffp_sd.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\kbdhid.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\MSKSSRV.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\evbda.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\MSPQM.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\BrFiltUp.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\disk.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\afd.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\hidir.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\pciide.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\sbp2port.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\rdvgkmd.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\amdsata.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\termdd.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\amdxata.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\tsusbhub.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\MegaSR.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\wmiacpi.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\terminpt.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\CmBatt.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\mountmgr.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\megasas.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\rspndr.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\lsi_sas.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\MSPCLOCK.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\rasacd.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\mpsdrv.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\sffdisk.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\tssecsrv.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\wanarp.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\adp94xx.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\ksthunk.sys | rundll32.exe
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x000c00000001220d-5.dat | acprotect
Deletes itself 1 IoCs
pid | Process
2264 | rundll32.exe
Loads dropped DLL 5 IoCs
pid | Process
1216 | 188202eedc45fc7c3f1799fbf449209a.exe
2264 | rundll32.exe
2264 | rundll32.exe
2264 | rundll32.exe
2264 | rundll32.exe

resource | yara_rule
behavioral1/memory/1216-0-0x0000000000400000-0x0000000000424000-memory.dmp | upx
behavioral1/files/0x000c00000001220d-5.dat | upx
behavioral1/memory/1216-8-0x0000000010000000-0x0000000010040000-memory.dmp | upx
behavioral1/memory/2264-14-0x0000000010000000-0x0000000010040000-memory.dmp | upx
behavioral1/memory/2264-15-0x0000000010000000-0x0000000010040000-memory.dmp | upx
behavioral1/memory/2264-16-0x0000000010000000-0x0000000010040000-memory.dmp | upx
behavioral1/memory/1216-17-0x0000000000400000-0x0000000000424000-memory.dmp | upx
behavioral1/memory/1216-18-0x0000000010000000-0x0000000010040000-memory.dmp | upx
behavioral1/memory/2264-227-0x0000000010000000-0x0000000010040000-memory.dmp | upx
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | rundll32.exe
Modifies WinLogon 2 TTPs 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\MaxWait = "1" | 188202eedc45fc7c3f1799fbf449209a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\ngrvv = "[23E3AE86CDFED5711]" | 188202eedc45fc7c3f1799fbf449209a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava | 188202eedc45fc7c3f1799fbf449209a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | 188202eedc45fc7c3f1799fbf449209a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\DllName = "snjava.dll" | 188202eedc45fc7c3f1799fbf449209a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\Startup = "snjava" | 188202eedc45fc7c3f1799fbf449209a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\Impersonate = "1" | 188202eedc45fc7c3f1799fbf449209a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava\Asynchronous = "1" | 188202eedc45fc7c3f1799fbf449209a.exe
Drops file in System32 directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\java2.sys | 188202eedc45fc7c3f1799fbf449209a.exe
File opened for modification | C:\Windows\SysWOW64\z98.bin | 188202eedc45fc7c3f1799fbf449209a.exe
File opened for modification | C:\Windows\SysWOW64\z98.bin | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\a9k.bin | 188202eedc45fc7c3f1799fbf449209a.exe
File created | C:\Windows\SysWOW64\CLFS.sys | rundll32.exe
File created | C:\Windows\SysWOW64\snjava.dll | 188202eedc45fc7c3f1799fbf449209a.exe
File created | C:\Windows\SysWOW64\java2.sys | 188202eedc45fc7c3f1799fbf449209a.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1492 | 2264 | WerFault.exe | 28

Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} | rundll32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49} | rundll32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2264 | rundll32.exe
Suspicious behavior: LoadsDriver 64 IoCs
pid | Process
2264 | rundll32.exe (64 identical entries)
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 1216 wrote to memory of 2264 | 1216 | 188202eedc45fc7c3f1799fbf449209a.exe | 28 (7 identical entries)
PID 2264 wrote to memory of 1492 | 2264 | rundll32.exe | 29 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\188202eedc45fc7c3f1799fbf449209a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\188202eedc45fc7c3f1799fbf449209a.exe"
   - Loads dropped DLL
   - Modifies WinLogon
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 1216
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe snjava.dll,snjava C:\Users\Admin\AppData\Local\Temp\188202eedc45fc7c3f1799fbf449209a.exe
      - Modifies firewall policy service
      - Blocklisted process makes network request
      - Drops file in Drivers directory
      - Deletes itself
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: LoadsDriver
      - Suspicious use of WriteProcessMemory
      PID: 2264
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 768
         - Program crash
         PID: 1492
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Browser Extensions (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
File 1
Filesize: 8KB
MD5: 0379dacc71dbfbde873f5683f83a4f65
SHA1: f4dbb8bf2d34b6f5e7330ca0b6f9217f8e41f0d0
SHA256: 8bae64289b178ed447f8e86510cc4c33686d35ef0b00ab90765886a961075e8b
SHA512: 3d628d1370a858d1779bed3d152687878257bb5a4676060719bb1fa2e4b5c0416707476ab94789f68f3549c6650c1e162ed3c6a72ff0259f4a6f71163e4bc65f

File 2
Filesize: 23KB
MD5: 39123acb617e2d8366b919203731d1ea
SHA1: 3eed3486087125c9b771d90560d7cef2fd6ef7ca
SHA256: ac2025072e00fde01ca6560371f8af9cecd036e0ed42d4d2cc17d082c6ffb15f
SHA512: be5269016b42a4bd3fa212e2f404a047aea31637e132154f5f1b0e60c2c3f1534da5dd7d4ac390476fee149eac33f662144e73b5f51e5d9e2c4ee88b64e840c8