Analysis
-
max time kernel
151s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30-01-2024 11:57
General
-
Target
826018a8692aa093515ed26e2cf89183.dll
-
Size
252KB
-
MD5
826018a8692aa093515ed26e2cf89183
-
SHA1
79a7efc1b84b0370e902582249abff0b3b6a2966
-
SHA256
b857fd19f10b780f97e3c70cf521ff8a6e442031090f8eab963fac9d17dd9fef
-
SHA512
35ad7d9a4c1d72529657c35f3cdba742625625b3dfa86176b6ec421550504bd675f3f605778b60488516fc02402d44ec5ea836e1183d0cc824e66055de339a3c
-
SSDEEP
6144:dgsjyzscw0ah/ByAVxr62CLFJO6qpAJNzr:dZjw1w0aJBT4BJTJF
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer Protected Mode 1 TTPs 15 IoCs
-
Modifies Internet Explorer Protected Mode Banner 1 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 43 IoCs
-
Modifies registry class 8 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\826018a8692aa093515ed26e2cf89183.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\826018a8692aa093515ed26e2cf89183.dll,#12⤵
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:224 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD51a510f2f7741e35ecc097c2ec95bc582
SHA1a5887323cb4fb1d9f56ad03f5b75eb118b1a9835
SHA256cb17dcee72c9437d911849bf754e0740541492400218c5f258660e4dd029a707
SHA5126a40efa9eb07c20891a61887d08f70c84cde60c2de23d81d1c0289c4fa6f948ca19b11ed9b9f7cc85254d887a59aa03274c011d9d89288a798672b4bbc23122c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD579f452d07c63ff895389f0ed4b9f59e5
SHA1dde75a0380a7e1f41d2bbdecb1d54a45f5f9b10b
SHA25621883198f4df8094c36f8788133895ac4da74b829a1bdc289c41ad05e2a979ff
SHA512988ce998a13f4534981f1859683531c5dc6b09396bce49daea0c95a0f68b60e10723568495e7f922cf1ce9a69c9267a06c135f09e6fb3201408b64b23c1b350d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
memory/632-14-0x0000000003FC0000-0x0000000003FF0000-memory.dmpFilesize
192KB
-
memory/632-4-0x0000000003F10000-0x0000000003F40000-memory.dmpFilesize
192KB
-
memory/632-5-0x0000000003F40000-0x0000000003F82000-memory.dmpFilesize
264KB
-
memory/632-6-0x0000000003FC0000-0x0000000003FF0000-memory.dmpFilesize
192KB
-
memory/632-7-0x0000000003FC0000-0x0000000003FF0000-memory.dmpFilesize
192KB
-
memory/632-8-0x0000000003FC0000-0x0000000003FF0000-memory.dmpFilesize
192KB
-
memory/632-15-0x0000000003FC0000-0x0000000003FF0000-memory.dmpFilesize
192KB
-
memory/4656-9-0x0000000004110000-0x0000000004140000-memory.dmpFilesize
192KB
-
memory/4656-11-0x00000000041C0000-0x00000000041F0000-memory.dmpFilesize
192KB
-
memory/4656-10-0x0000000004140000-0x0000000004182000-memory.dmpFilesize
264KB
-
memory/4656-21-0x00000000041C0000-0x00000000041F0000-memory.dmpFilesize
192KB
-
memory/4904-12-0x00000000021F0000-0x0000000002220000-memory.dmpFilesize
192KB
-
memory/4904-13-0x0000000002170000-0x00000000021B2000-memory.dmpFilesize
264KB
-
memory/4904-0-0x0000000002140000-0x0000000002170000-memory.dmpFilesize
192KB
-
memory/4904-2-0x00000000021F0000-0x0000000002220000-memory.dmpFilesize
192KB
-
memory/4904-1-0x0000000002170000-0x00000000021B2000-memory.dmpFilesize
264KB