baeeffe4cc8f0064662586cc291572f035298d9831d4d3a75cc1f5f8d5cd90cb

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/01/2024, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

730fc8b5469ca6505a8523d62fa9d7a4.dll
Size

29KB
MD5

730fc8b5469ca6505a8523d62fa9d7a4
SHA1

6504f29f5ed80e22fad046ea2ce3b474b3aaef16
SHA256

baeeffe4cc8f0064662586cc291572f035298d9831d4d3a75cc1f5f8d5cd90cb
SHA512

cd7f70d0d8ac8b56abcef0120ce5e29a1eee919b430c70951a2f6b298be69bc226a2eef273317262702bc9f0752f49be12cbc396cb87963deac562a4cd90dcc7
SSDEEP

768:LWsyqAgg/PeKZhdVkfDJbOhM64mb1q3CTv:SsyqFg/Pzh2lOh4okSTv

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
2556	rundll32.exe
2556	rundll32.exe
2556	rundll32.exe
2556	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDLL (sysmgr.dll) = "rundll32.exe C:\\Windows\\system32\\sysmgr.dll,start"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysmgr.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\sysmgr.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2104	860	rundll32.exe	28
PID 860 wrote to memory of 2104	860	rundll32.exe	28
PID 860 wrote to memory of 2104	860	rundll32.exe	28
PID 860 wrote to memory of 2104	860	rundll32.exe	28
PID 860 wrote to memory of 2104	860	rundll32.exe	28
PID 860 wrote to memory of 2104	860	rundll32.exe	28
PID 860 wrote to memory of 2104	860	rundll32.exe	28
PID 2104 wrote to memory of 2556	2104	rundll32.exe	29
PID 2104 wrote to memory of 2556	2104	rundll32.exe	29
PID 2104 wrote to memory of 2556	2104	rundll32.exe	29
PID 2104 wrote to memory of 2556	2104	rundll32.exe	29
PID 2104 wrote to memory of 2556	2104	rundll32.exe	29
PID 2104 wrote to memory of 2556	2104	rundll32.exe	29
PID 2104 wrote to memory of 2556	2104	rundll32.exe	29
PID 2104 wrote to memory of 2844	2104	rundll32.exe	31
PID 2104 wrote to memory of 2844	2104	rundll32.exe	31
PID 2104 wrote to memory of 2844	2104	rundll32.exe	31
PID 2104 wrote to memory of 2844	2104	rundll32.exe	31
PID 2104 wrote to memory of 2844	2104	rundll32.exe	31
PID 2104 wrote to memory of 2844	2104	rundll32.exe	31
PID 2104 wrote to memory of 2844	2104	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\730fc8b5469ca6505a8523d62fa9d7a4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\730fc8b5469ca6505a8523d62fa9d7a4.dll,#1
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\system32\sysmgr.dll,start
    3⤵
    - Loads dropped DLL
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\uninstall.bat" "
    3⤵
    - Deletes itself
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uninstall.bat

Filesize
238B

MD5
180345f20440d5fb684035a52a2cfb19

SHA1
21e16bda29e5815429723c6ae17ec4e928d9b363

SHA256
c3331f5f7f93f978d9b4c7b0f9859c1d2a3387fd57dc394486345d1f69364d1a

SHA512
267dc94e6cfc19de704ba1f7b7eb220b7f94801d4480df9d35cd240ce130905c3c64d1ae104c3636055eb817126f7c5fe63f540dfb1642920bfb1067dacc450a

Download Submit
\Windows\SysWOW64\sysmgr.dll

Filesize
29KB

MD5
730fc8b5469ca6505a8523d62fa9d7a4

SHA1
6504f29f5ed80e22fad046ea2ce3b474b3aaef16

SHA256
baeeffe4cc8f0064662586cc291572f035298d9831d4d3a75cc1f5f8d5cd90cb

SHA512
cd7f70d0d8ac8b56abcef0120ce5e29a1eee919b430c70951a2f6b298be69bc226a2eef273317262702bc9f0752f49be12cbc396cb87963deac562a4cd90dcc7

Download Submit
memory/2104-2-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2104-18-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2556-15-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/2556-16-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads