78523af787241792dd13a765472b439a0a3ba048f5bd7c8597ef55a721dba324

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85d77c6d6cbda81201974986ad9b957d.dll
Size

18KB
MD5

85d77c6d6cbda81201974986ad9b957d
SHA1

2af04537c01d6f0feb2fcb6f008098a1e4523083
SHA256

78523af787241792dd13a765472b439a0a3ba048f5bd7c8597ef55a721dba324
SHA512

e5414f624f3138dd8da01a924987a73a46ecac9e1d45d29f6c1c5b3f486db5a357acfa91a7f7c624d4ea6803e7e662f351360d4d5f5e3f6037291e2775a3e4f4
SSDEEP

384:3/Ypt5KK/DXKgzu6Df6K/fIXg9eVFau58usyrzsbZ:v45KCD6gzdpgw9e7auyusyrzsl

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	regsvr32.exe
File opened (read-only)	\??\U:	regsvr32.exe
File opened (read-only)	\??\G:	regsvr32.exe
File opened (read-only)	\??\I:	regsvr32.exe
File opened (read-only)	\??\J:	regsvr32.exe
File opened (read-only)	\??\K:	regsvr32.exe
File opened (read-only)	\??\L:	regsvr32.exe
File opened (read-only)	\??\M:	regsvr32.exe
File opened (read-only)	\??\W:	regsvr32.exe
File opened (read-only)	\??\Q:	regsvr32.exe
File opened (read-only)	\??\Z:	regsvr32.exe
File opened (read-only)	\??\X:	regsvr32.exe
File opened (read-only)	\??\Y:	regsvr32.exe
File opened (read-only)	\??\E:	regsvr32.exe
File opened (read-only)	\??\N:	regsvr32.exe
File opened (read-only)	\??\O:	regsvr32.exe
File opened (read-only)	\??\P:	regsvr32.exe
File opened (read-only)	\??\T:	regsvr32.exe
File opened (read-only)	\??\V:	regsvr32.exe
File opened (read-only)	\??\H:	regsvr32.exe
File opened (read-only)	\??\S:	regsvr32.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	regsvr32.exe
File opened for modification	F:\autorun.inf	regsvr32.exe
File created	C:\autorun.inf	regsvr32.exe
File opened for modification	C:\autorun.inf	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2992	2936	regsvr32.exe	16
PID 2936 wrote to memory of 2992	2936	regsvr32.exe	16
PID 2936 wrote to memory of 2992	2936	regsvr32.exe	16
PID 2936 wrote to memory of 2992	2936	regsvr32.exe	16
PID 2936 wrote to memory of 2992	2936	regsvr32.exe	16
PID 2936 wrote to memory of 2992	2936	regsvr32.exe	16
PID 2936 wrote to memory of 2992	2936	regsvr32.exe	16

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\85d77c6d6cbda81201974986ad9b957d.dll
1⤵
- Enumerates connected drives
- Drops autorun.inf file
PID:2992

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\85d77c6d6cbda81201974986ad9b957d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads