c7413113105daed6130ce1662d8bade253b6c085c9dc2c4fc96e01015e827c1c

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cae605b78297b8c24f0cf048a38afbe7.exe
Size

64KB
MD5

cae605b78297b8c24f0cf048a38afbe7
SHA1

fc8a2b19dfe70cff2407774f165dae31f6912906
SHA256

c7413113105daed6130ce1662d8bade253b6c085c9dc2c4fc96e01015e827c1c
SHA512

7808e00e3a57cb14f91272ed7c856d28a68a08d194a4a7d32b0c6e25ad982360f0b0a5e8dfda3e1e5cbf06e17ee3a0f048c2105f6ba2eb4a01c6a648527bf4bd
SSDEEP

1536:7BlhSCnLSDK7vDnvVcXv73RAuiNYtXl1Oqo99Qhy6K4bUM3HO7zI:7B7ScLpLtmv73VEYFTeQPRUmuv

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
2992	rundll32.exe
2992	rundll32.exe
2992	rundll32.exe
2992	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jdalamehiga = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\mdblet.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1788	628	cae605b78297b8c24f0cf048a38afbe7.exe	28
PID 628 wrote to memory of 1788	628	cae605b78297b8c24f0cf048a38afbe7.exe	28
PID 628 wrote to memory of 1788	628	cae605b78297b8c24f0cf048a38afbe7.exe	28
PID 628 wrote to memory of 1788	628	cae605b78297b8c24f0cf048a38afbe7.exe	28
PID 628 wrote to memory of 1788	628	cae605b78297b8c24f0cf048a38afbe7.exe	28
PID 628 wrote to memory of 1788	628	cae605b78297b8c24f0cf048a38afbe7.exe	28
PID 628 wrote to memory of 1788	628	cae605b78297b8c24f0cf048a38afbe7.exe	28
PID 1788 wrote to memory of 2992	1788	rundll32.exe	29
PID 1788 wrote to memory of 2992	1788	rundll32.exe	29
PID 1788 wrote to memory of 2992	1788	rundll32.exe	29
PID 1788 wrote to memory of 2992	1788	rundll32.exe	29
PID 1788 wrote to memory of 2992	1788	rundll32.exe	29
PID 1788 wrote to memory of 2992	1788	rundll32.exe	29
PID 1788 wrote to memory of 2992	1788	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\cae605b78297b8c24f0cf048a38afbe7.exe
"C:\Users\Admin\AppData\Local\Temp\cae605b78297b8c24f0cf048a38afbe7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\mdblet.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\mdblet.dll",iep
    3⤵
    - Loads dropped DLL
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mdblet.dll

Filesize
64KB

MD5
e41c58551e47d7046a4f822a64d55d07

SHA1
5c9e0e35a1da953aaf523aa3bad33b2ffdd9c20a

SHA256
3bed36f58caa0a0213a1fea1b8280db4c5c7db1d2cd1313d75b860e5ea3f22b1

SHA512
6b133ae6102a94e6d6acbf77aa5ddf0b0e03da8a0498426bd11dc2f0474ec27d7af6290c27ed32d2dd5928dd9a5b3788420bd8b48cf994ff9e64e1a72ef9e939

Download Submit
memory/628-12-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/628-16-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/628-1-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/628-17-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/628-0-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/628-2-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/1788-11-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/1788-13-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1788-10-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1788-25-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1788-28-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2992-26-0x0000000000930000-0x0000000000970000-memory.dmp

Filesize
256KB

Download
memory/2992-29-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2992-33-0x0000000000930000-0x0000000000970000-memory.dmp

Filesize
256KB

Download