Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/01/2024, 09:43

General

  • Target

    5aeb1039de7d883978b35d410bb29353.dll

  • Size

    440KB

  • MD5

    5aeb1039de7d883978b35d410bb29353

  • SHA1

    178f7a3b303f3ad836376cd2f2a3d39b08c12c23

  • SHA256

    67002889213553f31c8775c3ed22475f92962f065b5588fa38faabbc5121a5f7

  • SHA512

    3cff2dbda5ee9e72f87fb9aea3c2ea4968834c9501e97d489db0a2c82a6d16257708c46287d24d4c4f229c28da191cc2a2bbf744305936dd5b7a7c0d712a62ab

  • SSDEEP

    6144:XEN8vwHBlynwyi0ixDazRf9p7bgeVmcUlgkUkr+MjXSv9NRhUb4dG3ZCl:XhvwHBlyn3rnNHgeV96LLSBVG3Zo

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Modifies Windows Firewall 1 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aeb1039de7d883978b35d410bb29353.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aeb1039de7d883978b35d410bb29353.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram C:\windows\system\nppagent.exe
        3⤵
        • Modifies Windows Firewall
        PID:1088
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram %tmp%\win.exe
        3⤵
        • Modifies Windows Firewall
        PID:4888
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram C:\windows\system\sysmod.exe
        3⤵
        • Modifies Windows Firewall
        PID:5088
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k start wmplayer.exe
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
          "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:888
          • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
            "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
            5⤵
              PID:1276
            • C:\Windows\SysWOW64\unregmp2.exe
              "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2968
              • C:\Windows\system32\unregmp2.exe
                "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
                6⤵
                • Enumerates connected drives
                • Suspicious use of AdjustPrivilegeToken
                PID:1392
        • C:\Windows\SysWOW64\cmd.exe
          cmd /k MD C:\daemon
          3⤵
            PID:4340
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 580
            3⤵
            • Program crash
            PID:4424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4008 -ip 4008
        1⤵
          PID:4052

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

          Filesize

          64KB

          MD5

          fc240c081ec382df4b74d591d7d37a45

          SHA1

          396e9d8accb2ff8b32e6c3957808cb87d23ad47c

          SHA256

          8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038

          SHA512

          d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7

        • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

          Filesize

          9KB

          MD5

          7050d5ae8acfbe560fa11073fef8185d

          SHA1

          5bc38e77ff06785fe0aec5a345c4ccd15752560e

          SHA256

          cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

          SHA512

          a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

        • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

          Filesize

          1KB

          MD5

          ca3cf4caa0bfa5a4ef098fc2b63322b4

          SHA1

          408e2463fb0bcd3cffaab2f7c9f6f9c558486c5e

          SHA256

          8ad0721b9aabb1ce627588d44c56dca3d5a866f9af02d5be9a027d3e457fe966

          SHA512

          5552c1df2769d37856fd707f3052d13f9e40b00efa06d7926f709eaf3632a2bb0ef19c76acffb814453028c6bd67e5eabe3a1d2bd9716574bcb38f2c21625915

        • memory/4008-0-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

        • memory/4008-34-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB