54662f731dc665ea5b5d7b2ee66d03109ebd4e681208da22bb61fdb91eca55f1

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36788a49799e83c0a77406c93758ceb5.dll
Size

58KB
MD5

36788a49799e83c0a77406c93758ceb5
SHA1

1c5f7440c71db6ee07c8054d0cc5d086326c8965
SHA256

54662f731dc665ea5b5d7b2ee66d03109ebd4e681208da22bb61fdb91eca55f1
SHA512

38ba08f6f710d42b29535b1d0b1dde7ce16d457920926edbb02eadaa55c602ed32c7726fcd00e85bcfac684333bf53d2a07409dff8c9ac7c38044c93eefd4a93
SSDEEP

1536:Ivm2WqfTdO2M22s1BtQRr4ru6DR7XEQnb4VuXJdi:IvPNrd4YQgu6DhHb443

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Canvas = "RunDll32 \"C:\\Windows\\system32\\Printing_Admin_Scripts\\hostlog.dll\",Init"	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\hostlog.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\hostlog.dll	rundll32.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\srvperf.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\srvperf.dll	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\perfms.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\perfms.dll	rundll32.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	rundll32.exe
Key created	\REGISTRY\MACHINE\HARDWARE\Description\System\MultifunctionAdapter\0\DiskController	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4332	1708	rundll32.exe	14
PID 1708 wrote to memory of 4332	1708	rundll32.exe	14
PID 1708 wrote to memory of 4332	1708	rundll32.exe	14
PID 4332 wrote to memory of 1916	4332	rundll32.exe	93
PID 4332 wrote to memory of 1916	4332	rundll32.exe	93
PID 4332 wrote to memory of 1916	4332	rundll32.exe	93
PID 4332 wrote to memory of 2592	4332	rundll32.exe	62
PID 4332 wrote to memory of 2592	4332	rundll32.exe	62
PID 4332 wrote to memory of 2620	4332	rundll32.exe	61
PID 4332 wrote to memory of 2620	4332	rundll32.exe	61
PID 4332 wrote to memory of 2800	4332	rundll32.exe	57
PID 4332 wrote to memory of 2800	4332	rundll32.exe	57
PID 4332 wrote to memory of 3520	4332	rundll32.exe	49
PID 4332 wrote to memory of 3520	4332	rundll32.exe	49
PID 4332 wrote to memory of 3704	4332	rundll32.exe	48
PID 4332 wrote to memory of 3704	4332	rundll32.exe	48
PID 4332 wrote to memory of 3892	4332	rundll32.exe	47
PID 4332 wrote to memory of 3892	4332	rundll32.exe	47
PID 4332 wrote to memory of 4040	4332	rundll32.exe	46
PID 4332 wrote to memory of 4040	4332	rundll32.exe	46
PID 4332 wrote to memory of 760	4332	rundll32.exe	45
PID 4332 wrote to memory of 760	4332	rundll32.exe	45
PID 4332 wrote to memory of 3348	4332	rundll32.exe	44
PID 4332 wrote to memory of 3348	4332	rundll32.exe	44
PID 4332 wrote to memory of 4128	4332	rundll32.exe	43
PID 4332 wrote to memory of 4128	4332	rundll32.exe	43
PID 4332 wrote to memory of 4768	4332	rundll32.exe	30
PID 4332 wrote to memory of 4768	4332	rundll32.exe	30
PID 4332 wrote to memory of 3660	4332	rundll32.exe	29
PID 4332 wrote to memory of 3660	4332	rundll32.exe	29
PID 4332 wrote to memory of 1348	4332	rundll32.exe	22
PID 4332 wrote to memory of 1348	4332	rundll32.exe	22
PID 4332 wrote to memory of 5112	4332	rundll32.exe	21
PID 4332 wrote to memory of 5112	4332	rundll32.exe	21
PID 4332 wrote to memory of 4532	4332	rundll32.exe	17
PID 4332 wrote to memory of 4532	4332	rundll32.exe	17
PID 4332 wrote to memory of 1708	4332	rundll32.exe	15
PID 4332 wrote to memory of 1708	4332	rundll32.exe	15
PID 4332 wrote to memory of 2252	4332	rundll32.exe	19
PID 4332 wrote to memory of 2252	4332	rundll32.exe	19
PID 4332 wrote to memory of 4064	4332	rundll32.exe	20
PID 4332 wrote to memory of 4064	4332	rundll32.exe	20
PID 4332 wrote to memory of 2028	4332	rundll32.exe	42
PID 4332 wrote to memory of 2028	4332	rundll32.exe	42
PID 4332 wrote to memory of 1916	4332	rundll32.exe	93
PID 4332 wrote to memory of 1916	4332	rundll32.exe	93
PID 4332 wrote to memory of 3560	4332	rundll32.exe	108
PID 4332 wrote to memory of 3560	4332	rundll32.exe	108

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\36788a49799e83c0a77406c93758ceb5.dll,#1
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32 "C:\Users\Admin\AppData\Local\Temp\36788a49799e83c0a77406c93758ceb5.dll",Init
  2⤵
  PID:1916

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\36788a49799e83c0a77406c93758ceb5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4532

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2252

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4064

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:5112

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:1348

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3660

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4768

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3348

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3704

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2620

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2592

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\perfms.dll

Filesize
58KB

MD5
36788a49799e83c0a77406c93758ceb5

SHA1
1c5f7440c71db6ee07c8054d0cc5d086326c8965

SHA256
54662f731dc665ea5b5d7b2ee66d03109ebd4e681208da22bb61fdb91eca55f1

SHA512
38ba08f6f710d42b29535b1d0b1dde7ce16d457920926edbb02eadaa55c602ed32c7726fcd00e85bcfac684333bf53d2a07409dff8c9ac7c38044c93eefd4a93

Download Submit
memory/1916-10-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1916-9-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1916-12-0x0000000074FA0000-0x0000000074FC3000-memory.dmp

Filesize
140KB

Download
memory/4332-1-0x0000000074FA0000-0x0000000074FC3000-memory.dmp

Filesize
140KB

Download
memory/4332-0-0x0000000074FA0000-0x0000000074FC3000-memory.dmp

Filesize
140KB

Download
memory/4332-11-0x0000000074FA0000-0x0000000074FC3000-memory.dmp

Filesize
140KB

Download