Overview

Overall score: 8

Task                   Platform              Score
Static                 static                3
LoggingPlatform.dll    windows7-x64          7
LoggingPlatform.dll    windows10-2004-x64    7
Setup.exe              windows7-x64          7
Setup.exe              windows10-2004-x64    7
UpdateRing...gs.dll    windows7-x64          7
UpdateRing...gs.dll    windows10-2004-x64    7
de-DE.dll              windows7-x64          1
de-DE.dll              windows10-2004-x64    1
msvcp140.dll           windows7-x64          3
msvcp140.dll           windows10-2004-x64    3
vcruntime140.dll       windows7-x64          1
vcruntime140.dll       windows10-2004-x64    3
wtsapi32.dll           windows7-x64          7
wtsapi32.dll           windows10-2004-x64    7
out.iso                windows7-x64          1
out.iso                windows10-2004-x64    1
Screenshots.lnk        windows7-x64          4
Screenshots.lnk        windows10-2004-x64    7
__TEMP/Log...rm.dll    windows7-x64          7
__TEMP/Log...rm.dll    windows10-2004-x64    7
__TEMP/Mic...nt.exe    windows7-x64          7
__TEMP/Mic...nt.exe    windows10-2004-x64    7
__TEMP/msvcp140.dll    windows7-x64          1
__TEMP/msvcp140.dll    windows10-2004-x64    1
__TEMP/update.dll      windows7-x64          8
__TEMP/update.dll      windows10-2004-x64    1
__TEMP/vcr...40.dll    windows7-x64          1
__TEMP/vcr...40.dll    windows10-2004-x64    1
__TEMP/vcr..._1.dll    windows7-x64          1
__TEMP/vcr..._1.dll    windows10-2004-x64    1
__TEMP/wtsapi32.dll    windows7-x64          7
__TEMP/wtsapi32.dll    windows10-2004-x64    7

Analysis

Max time kernel:  141s
Max time network: 148s
Platform:         windows7_x64
Resource:         win7-20240215-en
Resource tags:    arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
Submitted:        04-03-2024 08:35
Static task: static1

Behavioral tasks

Task            Sample                                                    Resource
behavioral1     LoggingPlatform.dll                                       win7-20240221-en
behavioral2     LoggingPlatform.dll                                       win10v2004-20240226-en
behavioral3     Setup.exe                                                 win7-20240221-en
behavioral4     Setup.exe                                                 win10v2004-20240226-en
behavioral5     UpdateRingSettings.dll                                    win7-20240221-en
behavioral6     UpdateRingSettings.dll                                    win10v2004-20240226-en
behavioral7     de-DE.dll                                                 win7-20240215-en
behavioral8     de-DE.dll                                                 win10v2004-20240226-en
behavioral9     msvcp140.dll                                              win7-20240221-en
behavioral10    msvcp140.dll                                              win10v2004-20240226-en
behavioral11    vcruntime140.dll                                          win7-20240221-en
behavioral12    vcruntime140.dll                                          win10v2004-20240226-en
behavioral13    wtsapi32.dll                                              win7-20240221-en
behavioral14    wtsapi32.dll                                              win10v2004-20240226-en
behavioral15    out.iso                                                   win7-20240221-en
behavioral16    out.iso                                                   win10v2004-20240226-en
behavioral17    Screenshots.lnk                                           win7-20240221-en
behavioral18    Screenshots.lnk                                           win10v2004-20240226-en
behavioral19    __TEMP/LoggingPlatform.dll                                win7-20240221-en
behavioral20    __TEMP/LoggingPlatform.dll                                win10v2004-20240226-en
behavioral21    __TEMP/Microsoft.SharePoint.NativeMessagingClient.exe     win7-20240215-en
behavioral22    __TEMP/Microsoft.SharePoint.NativeMessagingClient.exe     win10v2004-20240226-en
behavioral23    __TEMP/msvcp140.dll                                       win7-20240221-en
behavioral24    __TEMP/msvcp140.dll                                       win10v2004-20240226-en
behavioral25    __TEMP/update.dll                                         win7-20240221-en
behavioral26    __TEMP/update.dll                                         win10v2004-20240226-en
behavioral27    __TEMP/vcruntime140.dll                                   win7-20240221-en
behavioral28    __TEMP/vcruntime140.dll                                   win10v2004-20240226-en
behavioral29    __TEMP/vcruntime140_1.dll                                 win7-20240221-en
behavioral30    __TEMP/vcruntime140_1.dll                                 win10v2004-20240226-en
behavioral31    __TEMP/wtsapi32.dll                                       win7-20240221-en
behavioral32    __TEMP/wtsapi32.dll                                       win10v2004-20240226-en
General

Target: __TEMP/Microsoft.SharePoint.NativeMessagingClient.exe
Size:   32KB
MD5:    77c7af9eb3159f9d5ae6e62289451683
SHA1:   679b02270b6afc50251444e2ee7455d4472bb3b8
SHA256: e984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5
SHA512: ead2e8d1a0107bd797862775c0017bf6171612750df6b8b42afbe841ec68d23d362c2cd2721aba92c19c35334c4f0ce126e849cb9923f99d778972ef1ffb3191
SSDEEP: 384:bnVVzYPO52p9X4kIEp1EKlLme0kVk0HH9X43W7u4whBWuOE8d0z5qslGsfTlj:DVVzYWqlpHlSvn0HHN4dEVsj
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid   process
  2908  Microsoft.SharePoint.NativeMessagingClient.exe

- Loads dropped DLL (7 IoCs)
  pid   process
  2900  Microsoft.SharePoint.NativeMessagingClient.exe
  2900  Microsoft.SharePoint.NativeMessagingClient.exe
  2908  Microsoft.SharePoint.NativeMessagingClient.exe
  2908  Microsoft.SharePoint.NativeMessagingClient.exe
  2908  Microsoft.SharePoint.NativeMessagingClient.exe
  2908  Microsoft.SharePoint.NativeMessagingClient.exe
  2908  Microsoft.SharePoint.NativeMessagingClient.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description:  Set value (str)
  ioc:          \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.SharePoint = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\SharepointFiles\\Microsoft.SharePoint.NativeMessagingClient.exe"
  process:      Microsoft.SharePoint.NativeMessagingClient.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   process                                          target process
  PID 2900 wrote to memory of 2908  2900  Microsoft.SharePoint.NativeMessagingClient.exe  Microsoft.SharePoint.NativeMessagingClient.exe
  PID 2900 wrote to memory of 2908  2900  Microsoft.SharePoint.NativeMessagingClient.exe  Microsoft.SharePoint.NativeMessagingClient.exe
  PID 2900 wrote to memory of 2908  2900  Microsoft.SharePoint.NativeMessagingClient.exe  Microsoft.SharePoint.NativeMessagingClient.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\__TEMP\Microsoft.SharePoint.NativeMessagingClient.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\__TEMP\Microsoft.SharePoint.NativeMessagingClient.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\Microsoft.SharePoint.NativeMessagingClient.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\Microsoft.SharePoint.NativeMessagingClient.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\VCRUNTIME140.dll
  Filesize: 94KB
  MD5:      ec4109f025f2d664fec3b106ed9afae2
  SHA1:     0da547e4ba570a5adfae647ed1b5bee65751eac0
  SHA256:   22017c9b022e6f2560fee7d544a83ea9e3d85abee367f2f20b3b0448691fe2d4
  SHA512:   923b7607c33f1b88728aa5689b57b7a85fb85896794a10820aec42a4a39f9c685cbab814e256e2aae89890e0a590da301ea9deed68cfe7644b3cfeffda9bd2fa

- C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\VCRUNTIME140_1.dll
  Filesize: 35KB
  MD5:      77f839bfbb6aff750d962bfc35de15ee
  SHA1:     f826650c8da7453249013c9fa6ad5db103769021
  SHA256:   1f26e0435628959ba26d194a4f9c96d20929d3dba48277751796f863cd3d9b99
  SHA512:   6aa2bf4a3f345b8c762a88250c1c39535312cdb20d398c9dae22e447dca6c862e1b50045092bc3f901b0f5e068a6eba6f35befdd385d153c459f3e058c288673

- C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\WTSAPI32.dll
  Filesize: 400KB
  MD5:      01cbaddd7a269521bf7b80f4a9a1982f
  SHA1:     cb5f9111abc6c74f507fd6a6c3c6608279105177
  SHA256:   ae99ef9475cf553e3396419f08faec8b7965cb1fdd2f08d42dd190e376c445e0
  SHA512:   bd896a2e7848b65c1e90772b1f2729df7a7290969831e09e11c99071feb009dbd35de26dccde4ce025249be1f15c1171e82f34b96c58d620ec94ece2e702aa30

- \Users\Admin\AppData\Local\Microsoft\SharepointFiles\LoggingPlatform.dll
  Filesize: 603KB
  MD5:      6c080b38918928b7154f5df346cbf12e
  SHA1:     fb5d9e15d23d80d014da6a29b2460da29fdfd1bb
  SHA256:   56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6
  SHA512:   766d556ef60dd1c299d021b1579bf76614f95f469799040a541a938fc5d1e144fc7dfba59fe2526650df47593808fcbffed03e53e3bdcbca8ef1a3fd0e2134a5

- \Users\Admin\AppData\Local\Microsoft\SharepointFiles\Microsoft.SharePoint.NativeMessagingClient.exe
  Filesize: 32KB
  MD5:      77c7af9eb3159f9d5ae6e62289451683
  SHA1:     679b02270b6afc50251444e2ee7455d4472bb3b8
  SHA256:   e984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5
  SHA512:   ead2e8d1a0107bd797862775c0017bf6171612750df6b8b42afbe841ec68d23d362c2cd2721aba92c19c35334c4f0ce126e849cb9923f99d778972ef1ffb3191

- \Users\Admin\AppData\Local\Microsoft\SharepointFiles\msvcp140.dll
  Filesize: 551KB
  MD5:      e0d7fbc2cbe2ed088725d4436d69e689
  SHA1:     72c4c13e710311cbd2824eab6543f0e088a84f5f
  SHA256:   dad53a78662707d182cdb230e999ef6effc0b259def31c196c51cc3e8c42a9b8
  SHA512:   dfa761e57950d0033e9404ce7d0cf002345e596a9257e319226a5296c0d39b2203167b9ca4f4ed4860c8c47f591be34e1ccbc2e9e7db2ea4577e031120ef7dec