dd5fca4816d8cb6c449dba92f53b9949d1d3f49976e0b23cc9bebc1c1ce5f266

Analysis

max time kernel
135s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

41c532f60be5f9091588fe33c9e42fca.dll
Size

70KB
MD5

41c532f60be5f9091588fe33c9e42fca
SHA1

66409a4416c28af83fb2e4e1a84a6e7e82decdc0
SHA256

dd5fca4816d8cb6c449dba92f53b9949d1d3f49976e0b23cc9bebc1c1ce5f266
SHA512

bb23832a9e7e6b7b9755771663a404ae7e99799a44e75b5a4a331450c6b2c6ea82ab22e36e7e38afc5f00ffec1ae2efe38e9b26fe4929e4c471d5d760e200778
SSDEEP

1536:FS8H/Io1a4ID8sAgciC4ebDWTpTTZz/w:FS8Hgo4TD8sA36pTTZz/w

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winnet.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	2436	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2436	2788	rundll32.exe	88
PID 2788 wrote to memory of 2436	2788	rundll32.exe	88
PID 2788 wrote to memory of 2436	2788	rundll32.exe	88
PID 2436 wrote to memory of 5044	2436	rundll32.exe	92
PID 2436 wrote to memory of 5044	2436	rundll32.exe	92
PID 2436 wrote to memory of 5044	2436	rundll32.exe	92

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\41c532f60be5f9091588fe33c9e42fca.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\41c532f60be5f9091588fe33c9e42fca.dll,#1
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DelEx.bat" "
    3⤵
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelEx.bat

Filesize
152B

MD5
5390347822bd255bcb75299cfef33c78

SHA1
1ca8c7165dbe2c25ccba5810643e5f6ea47a27fc

SHA256
740c230b59e7cec944d0247d25043068a2398d17730e9b950d6267685f3bf43f

SHA512
8f2476b7fa1042c6100e57b7cae97e296ec7de71950826593714bb54126c215c19e0fad0f653c2f6848c1332cb115a37403d241e6ae0740c269a53fa451f780c

Download Submit