Analysis

- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/03/2024, 02:35
Behavioral task: behavioral1
- Sample: b076bcb501485446eb9cdb450e4714a6.dll
- Resource: win7-20240221-en
- 5 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: b076bcb501485446eb9cdb450e4714a6.dll
- Resource: win10v2004-20240226-en
- 5 signatures
- 150 seconds
General

- Target: b076bcb501485446eb9cdb450e4714a6.dll
- Size: 377KB
- MD5: b076bcb501485446eb9cdb450e4714a6
- SHA1: 3060798a91f01f729f0a8988643d48b576a708d6
- SHA256: c69c2902135acc0c8511418682b3d0685c5b29f9ef2312d4775f25260bfbbc0d
- SHA512: 557deac7a36f735a516dbf0825b23174031a9ccd37491c77779cd97e51d43a276130444470184fbac7dec2911701554e84c0bc88c8854827d0515235e4082a12
- SSDEEP: 6144:8sot2A39Lm4lbN+U8xApz/orIiY5+HCp+RKe5MX3Zw6Xva1Q7n6IN4JC0bvm0Llz:8stom4v+SDoctkHCURjqZw6XvayPwjmC

Score: 6/10
Malware Config
Signatures

- Modifies WinLogon (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS | rundll32.exe

- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\240634203.dat | rundll32.exe
  File created | C:\Windows\240634390.dat | rundll32.exe
  File created | C:\Windows\240634640.dat | rundll32.exe
  File created | C:\Windows\help\nishiernai.dll | rundll32.exe
  File opened for modification | C:\Windows\help\nishiernai.dll | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2320 | rundll32.exe
  2320 | rundll32.exe

- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 2320 | rundll32.exe
  Token: SeBackupPrivilege | 2320 | rundll32.exe
  Token: SeRestorePrivilege | 2320 | rundll32.exe
  Token: SeBackupPrivilege | 2320 | rundll32.exe
  Token: SeRestorePrivilege | 2320 | rundll32.exe
  Token: SeBackupPrivilege | 2320 | rundll32.exe
  Token: SeRestorePrivilege | 2320 | rundll32.exe
  Token: SeBackupPrivilege | 2320 | rundll32.exe
  Token: SeRestorePrivilege | 2320 | rundll32.exe
  Token: SeBackupPrivilege | 2320 | rundll32.exe
  Token: SeDebugPrivilege | 2320 | rundll32.exe
  Token: SeDebugPrivilege | 2320 | rundll32.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3568 wrote to memory of 2320 | 3568 | rundll32.exe | 90
  PID 3568 wrote to memory of 2320 | 3568 | rundll32.exe | 90
  PID 3568 wrote to memory of 2320 | 3568 | rundll32.exe | 90
  PID 2320 wrote to memory of 584 | 2320 | rundll32.exe | 5
Processes

- C:\Windows\system32\winlogon.exe (depth 1, PID 584)
  command line: winlogon.exe

- C:\Windows\system32\rundll32.exe (depth 1, PID 3568)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b076bcb501485446eb9cdb450e4714a6.dll,#1
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 2320)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b076bcb501485446eb9cdb450e4714a6.dll,#1
    - Modifies WinLogon
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
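Read together, the signatures and the process tree describe one chain: the 64-bit rundll32.exe (PID 3568) re-launches the DLL under the 32-bit C:\Windows\SysWOW64\rundll32.exe (PID 2320), which is why the registry writes land under WOW6432Node; that process drops nishiernai.dll into C:\Windows\help, creates a Winlogon\Notify\BITS key, enables SeDebugPrivilege and then writes into winlogon.exe (PID 584). The Notify key is the classic Winlogon helper-DLL persistence location, but Winlogon notification packages have not been loaded since Windows Vista, so on this Windows 10 image the key alone would not execute anything; the direct write into winlogon.exe is the part of the chain that matters most. The Python below is an added example, not part of the sandbox report: it runs three detection rules derived from these IoCs over a constructed, Sysmon-style event stream and correlates hits per source PID. Event field names, PIDs beyond those in the report, the svchost.exe noise events and the severity scheme are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed, hypothetical telemetry modelled on the IoCs in the report
# above; not captured from the sandbox. Event IDs follow Sysmon numbering:
# 1 process create, 10 process access, 11 file create, 12 registry key create.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2320, "ppid": 3568, "image": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"id": 12, "pid": 2320, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify\BITS"},
    {"id": 11, "pid": 2320, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\Windows\help\nishiernai.dll"},
    {"id": 11, "pid": 2320, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\Windows\240634203.dat"},
    {"id": 10, "pid": 2320, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target_pid": 584, "target_image": r"C:\Windows\system32\winlogon.exe",
     "access": 0x0020},                       # PROCESS_VM_WRITE
    # Benign noise that must not fire: a service writing a temp file and
    # a handle to winlogon.exe opened with query rights only.
    {"id": 11, "pid": 4100, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\update.tmp"},
    {"id": 10, "pid": 4100, "image": r"C:\Windows\System32\svchost.exe",
     "target_pid": 584, "target_image": r"C:\Windows\system32\winlogon.exe",
     "access": 0x1000},                       # PROCESS_QUERY_LIMITED_INFORMATION
]

PROCESS_VM_WRITE = 0x0020
# Matches the native key and the WOW6432Node reflection a 32-bit process writes.
WINLOGON_NOTIFY = re.compile(r"\\Winlogon\\Notify(\\|$)", re.IGNORECASE)
WINDOWS_DLL = re.compile(r"^C:\\Windows\\.*\.dll$", re.IGNORECASE)


def winlogon_notify_key(ev):
    """Registry key created under Winlogon\\Notify (helper-DLL persistence)."""
    return ev["id"] == 12 and WINLOGON_NOTIFY.search(ev["target"]) is not None


def dll_dropped_in_windows(ev):
    """rundll32 writing a DLL under C:\\Windows is not servicing behaviour."""
    return (ev["id"] == 11
            and ev["image"].lower().endswith("rundll32.exe")
            and WINDOWS_DLL.match(ev["target"]) is not None)


def write_into_winlogon(ev):
    """Cross-process write into winlogon.exe (requires SeDebugPrivilege)."""
    return (ev["id"] == 10
            and ev["target_image"].lower().endswith(r"\winlogon.exe")
            and (ev["access"] & PROCESS_VM_WRITE) != 0)


RULES = {
    "winlogon_notify_key": winlogon_notify_key,
    "dll_dropped_in_windows": dll_dropped_in_windows,
    "write_into_winlogon": write_into_winlogon,
}


def lineage(pid, parents):
    """Walk pid -> parent using process-create events; oldest ancestor first."""
    chain = [pid]
    while pid in parents and parents[pid] not in chain:
        pid = parents[pid]
        chain.append(pid)
    return chain[::-1]


def triage(events):
    """Return one finding per source PID that matched at least one rule.

    Two or more distinct rules on the same PID escalate to 'high': the
    Notify key alone is a weak signal, but key + dropped DLL + write into
    winlogon.exe is the full chain the report shows for PID 2320.
    """
    parents = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["pid"]].add(name)
    return [
        {"pid": pid, "rules": sorted(names), "lineage": lineage(pid, parents),
         "severity": "high" if len(names) >= 2 else "medium"}
        for pid, names in sorted(hits.items())
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it reports a single high-severity finding for PID 2320 with lineage 3568 -> 2320 and all three rules, and nothing for the svchost.exe noise. On a live host the same rules map directly onto Sysmon event IDs 12, 11 and 10; the access-mask check on event 10 is what keeps ordinary query-only handles to winlogon.exe from firing.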