Tasks (each task is followed by its platform and its score)

Task                                   Platform            Score
Overview                               -                   8
Static                                 -                   3
LoggingPlatform.dll                    windows7-x64        7
LoggingPlatform.dll                    windows10-2004-x64  7
Setup.exe                              windows7-x64        7
Setup.exe                              windows10-2004-x64  7
UpdateRing...gs.dll                    windows7-x64        7
UpdateRing...gs.dll                    windows10-2004-x64  7
de-DE.dll                              windows7-x64        1
de-DE.dll                              windows10-2004-x64  1
msvcp140.dll                           windows7-x64        3
msvcp140.dll                           windows10-2004-x64  3
vcruntime140.dll                       windows7-x64        1
vcruntime140.dll                       windows10-2004-x64  3
wtsapi32.dll                           windows7-x64        7
wtsapi32.dll                           windows10-2004-x64  7
out.iso                                windows7-x64        1
out.iso                                windows10-2004-x64  1
Screenshots.lnk                        windows7-x64        4
Screenshots.lnk                        windows10-2004-x64  7
__TEMP/Log...rm.dll                    windows7-x64        7
__TEMP/Log...rm.dll                    windows10-2004-x64  7
__TEMP/Mic...nt.exe                    windows7-x64        7
__TEMP/Mic...nt.exe                    windows10-2004-x64  7
__TEMP/msvcp140.dll                    windows7-x64        1
__TEMP/msvcp140.dll                    windows10-2004-x64  1
__TEMP/update.dll                      windows7-x64        8
__TEMP/update.dll                      windows10-2004-x64  1
__TEMP/vcr...40.dll                    windows7-x64        1
__TEMP/vcr...40.dll                    windows10-2004-x64  1
__TEMP/vcr..._1.dll                    windows7-x64        1
__TEMP/vcr..._1.dll                    windows10-2004-x64  1
__TEMP/wtsapi32.dll                    windows7-x64        7
__TEMP/wtsapi32.dll                    windows10-2004-x64  7

Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-03-2024 08:35
Static task: static1

Behavioral tasks

Task          Sample                                                  Resource
behavioral1   LoggingPlatform.dll                                     win7-20240221-en
behavioral2   LoggingPlatform.dll                                     win10v2004-20240226-en
behavioral3   Setup.exe                                               win7-20240221-en
behavioral4   Setup.exe                                               win10v2004-20240226-en
behavioral5   UpdateRingSettings.dll                                  win7-20240221-en
behavioral6   UpdateRingSettings.dll                                  win10v2004-20240226-en
behavioral7   de-DE.dll                                               win7-20240215-en
behavioral8   de-DE.dll                                               win10v2004-20240226-en
behavioral9   msvcp140.dll                                            win7-20240221-en
behavioral10  msvcp140.dll                                            win10v2004-20240226-en
behavioral11  vcruntime140.dll                                        win7-20240221-en
behavioral12  vcruntime140.dll                                        win10v2004-20240226-en
behavioral13  wtsapi32.dll                                            win7-20240221-en
behavioral14  wtsapi32.dll                                            win10v2004-20240226-en
behavioral15  out.iso                                                 win7-20240221-en
behavioral16  out.iso                                                 win10v2004-20240226-en
behavioral17  Screenshots.lnk                                         win7-20240221-en
behavioral18  Screenshots.lnk                                         win10v2004-20240226-en
behavioral19  __TEMP/LoggingPlatform.dll                              win7-20240221-en
behavioral20  __TEMP/LoggingPlatform.dll                              win10v2004-20240226-en
behavioral21  __TEMP/Microsoft.SharePoint.NativeMessagingClient.exe   win7-20240215-en
behavioral22  __TEMP/Microsoft.SharePoint.NativeMessagingClient.exe   win10v2004-20240226-en
behavioral23  __TEMP/msvcp140.dll                                     win7-20240221-en
behavioral24  __TEMP/msvcp140.dll                                     win10v2004-20240226-en
behavioral25  __TEMP/update.dll                                       win7-20240221-en
behavioral26  __TEMP/update.dll                                       win10v2004-20240226-en
behavioral27  __TEMP/vcruntime140.dll                                 win7-20240221-en
behavioral28  __TEMP/vcruntime140.dll                                 win10v2004-20240226-en
behavioral29  __TEMP/vcruntime140_1.dll                               win7-20240221-en
behavioral30  __TEMP/vcruntime140_1.dll                               win10v2004-20240226-en
behavioral31  __TEMP/wtsapi32.dll                                     win7-20240221-en
behavioral32  __TEMP/wtsapi32.dll                                     win10v2004-20240226-en
General
- Target: __TEMP/Microsoft.SharePoint.NativeMessagingClient.exe
- Size: 32KB
- MD5: 77c7af9eb3159f9d5ae6e62289451683
- SHA1: 679b02270b6afc50251444e2ee7455d4472bb3b8
- SHA256: e984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5
- SHA512: ead2e8d1a0107bd797862775c0017bf6171612750df6b8b42afbe841ec68d23d362c2cd2721aba92c19c35334c4f0ce126e849cb9923f99d778972ef1ffb3191
- SSDEEP: 384:bnVVzYPO52p9X4kIEp1EKlLme0kVk0HH9X43W7u4whBWuOE8d0z5qslGsfTlj:DVVzYWqlpHlSvn0HHN4dEVsj
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  4588  Microsoft.SharePoint.NativeMessagingClient.exe

- Loads dropped DLL (7 IoCs)
  Processes:
  pid   process
  4588  Microsoft.SharePoint.NativeMessagingClient.exe  (7 entries)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description:  Set value (str)
  ioc:          \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft.SharePoint = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\SharepointFiles\\Microsoft.SharePoint.NativeMessagingClient.exe"
  process:      Microsoft.SharePoint.NativeMessagingClient.exe

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description                       pid   process                                         target process
  PID 1796 wrote to memory of 4588  1796  Microsoft.SharePoint.NativeMessagingClient.exe  Microsoft.SharePoint.NativeMessagingClient.exe
  PID 1796 wrote to memory of 4588  1796  Microsoft.SharePoint.NativeMessagingClient.exe  Microsoft.SharePoint.NativeMessagingClient.exe
Processes (process tree; the number is the depth in the tree)

- [1] C:\Users\Admin\AppData\Local\Temp\__TEMP\Microsoft.SharePoint.NativeMessagingClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\__TEMP\Microsoft.SharePoint.NativeMessagingClient.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\Microsoft.SharePoint.NativeMessagingClient.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\Microsoft.SharePoint.NativeMessagingClient.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\LoggingPlatform.DLL
  Filesize: 603KB
  MD5:    6c080b38918928b7154f5df346cbf12e
  SHA1:   fb5d9e15d23d80d014da6a29b2460da29fdfd1bb
  SHA256: 56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6
  SHA512: 766d556ef60dd1c299d021b1579bf76614f95f469799040a541a938fc5d1e144fc7dfba59fe2526650df47593808fcbffed03e53e3bdcbca8ef1a3fd0e2134a5

- C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\Microsoft.SharePoint.NativeMessagingClient.exe
  Filesize: 32KB
  MD5:    77c7af9eb3159f9d5ae6e62289451683
  SHA1:   679b02270b6afc50251444e2ee7455d4472bb3b8
  SHA256: e984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5
  SHA512: ead2e8d1a0107bd797862775c0017bf6171612750df6b8b42afbe841ec68d23d362c2cd2721aba92c19c35334c4f0ce126e849cb9923f99d778972ef1ffb3191

- C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\VCRUNTIME140.dll
  Filesize: 94KB
  MD5:    ec4109f025f2d664fec3b106ed9afae2
  SHA1:   0da547e4ba570a5adfae647ed1b5bee65751eac0
  SHA256: 22017c9b022e6f2560fee7d544a83ea9e3d85abee367f2f20b3b0448691fe2d4
  SHA512: 923b7607c33f1b88728aa5689b57b7a85fb85896794a10820aec42a4a39f9c685cbab814e256e2aae89890e0a590da301ea9deed68cfe7644b3cfeffda9bd2fa

- C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\msvcp140.dll
  Filesize: 551KB
  MD5:    e0d7fbc2cbe2ed088725d4436d69e689
  SHA1:   72c4c13e710311cbd2824eab6543f0e088a84f5f
  SHA256: dad53a78662707d182cdb230e999ef6effc0b259def31c196c51cc3e8c42a9b8
  SHA512: dfa761e57950d0033e9404ce7d0cf002345e596a9257e319226a5296c0d39b2203167b9ca4f4ed4860c8c47f591be34e1ccbc2e9e7db2ea4577e031120ef7dec

- C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\vcruntime140_1.dll
  Filesize: 35KB
  MD5:    77f839bfbb6aff750d962bfc35de15ee
  SHA1:   f826650c8da7453249013c9fa6ad5db103769021
  SHA256: 1f26e0435628959ba26d194a4f9c96d20929d3dba48277751796f863cd3d9b99
  SHA512: 6aa2bf4a3f345b8c762a88250c1c39535312cdb20d398c9dae22e447dca6c862e1b50045092bc3f901b0f5e068a6eba6f35befdd385d153c459f3e058c288673

- C:\Users\Admin\AppData\Local\Microsoft\SharepointFiles\wtsapi32.dll
  Filesize: 400KB
  MD5:    01cbaddd7a269521bf7b80f4a9a1982f
  SHA1:   cb5f9111abc6c74f507fd6a6c3c6608279105177
  SHA256: ae99ef9475cf553e3396419f08faec8b7965cb1fdd2f08d42dd190e376c445e0
  SHA512: bd896a2e7848b65c1e90772b1f2729df7a7290969831e09e11c99071feb009dbd35de26dccde4ce025249be1f15c1171e82f34b96c58d620ec94ece2e702aa30