2cab6c4426e4acf84083c30440f5063dc36e72b6c2106434c9f3ba9f5679b514

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5439d80cd34b60583820934503ecf7b.exe
Size

591KB
MD5

d5439d80cd34b60583820934503ecf7b
SHA1

3ddae9d758eecedbd6210672636c1ddbf932e8de
SHA256

2cab6c4426e4acf84083c30440f5063dc36e72b6c2106434c9f3ba9f5679b514
SHA512

3f95f72f9c3363c8bc5b331c8f81b516277628943736454d560444f5ec8b10765cb36c3bd797bbdd8286f69be6aa3499e2e196012ace8a32241321b648a9fac8
SSDEEP

12288:n5fWAhZJTuTL2ts+RrUY9OQbJOCY+31acxpDIN48Rkk/t:5+mZxQ2t1RdOQdOCPFacjINbk

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2792	rundll32.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 14 IoCs

pid	Process
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2840	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe
2792	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\aclnet.dll_xserve = "rundll32.exe \"C:\\Windows\\SysWOW64\\aclnet.dll\",xserve"	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aclnet.dll	d5439d80cd34b60583820934503ecf7b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2840	2884	d5439d80cd34b60583820934503ecf7b.exe	28
PID 2884 wrote to memory of 2840	2884	d5439d80cd34b60583820934503ecf7b.exe	28
PID 2884 wrote to memory of 2840	2884	d5439d80cd34b60583820934503ecf7b.exe	28
PID 2884 wrote to memory of 2840	2884	d5439d80cd34b60583820934503ecf7b.exe	28
PID 2884 wrote to memory of 2840	2884	d5439d80cd34b60583820934503ecf7b.exe	28
PID 2884 wrote to memory of 2840	2884	d5439d80cd34b60583820934503ecf7b.exe	28
PID 2884 wrote to memory of 2840	2884	d5439d80cd34b60583820934503ecf7b.exe	28
PID 2840 wrote to memory of 2084	2840	rundll32.exe	29
PID 2840 wrote to memory of 2084	2840	rundll32.exe	29
PID 2840 wrote to memory of 2084	2840	rundll32.exe	29
PID 2840 wrote to memory of 2084	2840	rundll32.exe	29
PID 2840 wrote to memory of 2084	2840	rundll32.exe	29
PID 2840 wrote to memory of 2084	2840	rundll32.exe	29
PID 2840 wrote to memory of 2084	2840	rundll32.exe	29
PID 2840 wrote to memory of 2792	2840	rundll32.exe	30
PID 2840 wrote to memory of 2792	2840	rundll32.exe	30
PID 2840 wrote to memory of 2792	2840	rundll32.exe	30
PID 2840 wrote to memory of 2792	2840	rundll32.exe	30
PID 2840 wrote to memory of 2792	2840	rundll32.exe	30
PID 2840 wrote to memory of 2792	2840	rundll32.exe	30
PID 2840 wrote to memory of 2792	2840	rundll32.exe	30

C:\Users\Admin\AppData\Local\Temp\d5439d80cd34b60583820934503ecf7b.exe
"C:\Users\Admin\AppData\Local\Temp\d5439d80cd34b60583820934503ecf7b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\aclnet.dll",install
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\aclnet.dll",watch
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2084
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\system32\aclnet.dll",xserve
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aclnet.dll

Filesize
477KB

MD5
60ca76bb69c74518a6cb0f148a4cff58

SHA1
4f0e2c0a89450e9f34d44bd1b48a49a38f4e00ba

SHA256
af1407aaebfc05e244aefd8c3079928b2fb19c1e5525277b33c1975c376510cf

SHA512
c8385dc58fff607398f9b0ace0c5d147b7575600273a7e45e2a7411fdc76699ee68cca0cb439bac9bc31807fdd2263e502ed3c02444d10a3a6e580ef2127a6bd

Download Submit
memory/2084-24-0x0000000002530000-0x0000000002630000-memory.dmp

Filesize
1024KB

Download
memory/2084-53-0x0000000002530000-0x0000000002630000-memory.dmp

Filesize
1024KB

Download
memory/2084-50-0x0000000002410000-0x0000000002517000-memory.dmp

Filesize
1.0MB

Download
memory/2084-49-0x00000000747E0000-0x00000000748E7000-memory.dmp

Filesize
1.0MB

Download
memory/2084-16-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/2084-23-0x0000000002410000-0x0000000002517000-memory.dmp

Filesize
1.0MB

Download
memory/2792-30-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/2792-38-0x00000000025D0000-0x00000000026D0000-memory.dmp

Filesize
1024KB

Download
memory/2792-39-0x00000000024C0000-0x00000000025C7000-memory.dmp

Filesize
1.0MB

Download
memory/2792-52-0x00000000024C0000-0x00000000025C7000-memory.dmp

Filesize
1.0MB

Download
memory/2792-51-0x00000000747E0000-0x00000000748E7000-memory.dmp

Filesize
1.0MB

Download
memory/2792-58-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/2792-59-0x00000000025D0000-0x00000000026D0000-memory.dmp

Filesize
1024KB

Download
memory/2840-8-0x00000000747E0000-0x00000000748E7000-memory.dmp

Filesize
1.0MB

Download
memory/2840-9-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/2884-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2884-43-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2884-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download