44c054d85826f22deb01177b0eb40581af345cb3db55ce430a735a172396fd47

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 21:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d722e0bd19dc4700f5d5d96f3700037b.exe
Size

96KB
MD5

d722e0bd19dc4700f5d5d96f3700037b
SHA1

bc715dedeea4bbf4761732f95e68cd33d83dfdb6
SHA256

44c054d85826f22deb01177b0eb40581af345cb3db55ce430a735a172396fd47
SHA512

4fc2f40659c04142fcb53a7f93bf2fe37bce8150473f47b05cf3ce9921806385ee7972346e5afbafcf252290f22936d4cce6cca3389bd87d39f8fb69d95b587a
SSDEEP

1536:Wpxbg5heTzavxxFUt7ohtR2H4LLKZSVZMIn7JXs8hzOoF:4Fg5heTzIxFUt7Ut4Hifj1sgzZ

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe
2588	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fgubudocayewi = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\DESpapi.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe
2912	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2912	2372	d722e0bd19dc4700f5d5d96f3700037b.exe	28
PID 2372 wrote to memory of 2912	2372	d722e0bd19dc4700f5d5d96f3700037b.exe	28
PID 2372 wrote to memory of 2912	2372	d722e0bd19dc4700f5d5d96f3700037b.exe	28
PID 2372 wrote to memory of 2912	2372	d722e0bd19dc4700f5d5d96f3700037b.exe	28
PID 2372 wrote to memory of 2912	2372	d722e0bd19dc4700f5d5d96f3700037b.exe	28
PID 2372 wrote to memory of 2912	2372	d722e0bd19dc4700f5d5d96f3700037b.exe	28
PID 2372 wrote to memory of 2912	2372	d722e0bd19dc4700f5d5d96f3700037b.exe	28
PID 2912 wrote to memory of 2588	2912	rundll32.exe	29
PID 2912 wrote to memory of 2588	2912	rundll32.exe	29
PID 2912 wrote to memory of 2588	2912	rundll32.exe	29
PID 2912 wrote to memory of 2588	2912	rundll32.exe	29
PID 2912 wrote to memory of 2588	2912	rundll32.exe	29
PID 2912 wrote to memory of 2588	2912	rundll32.exe	29
PID 2912 wrote to memory of 2588	2912	rundll32.exe	29

C:\Users\Admin\AppData\Local\Temp\d722e0bd19dc4700f5d5d96f3700037b.exe
"C:\Users\Admin\AppData\Local\Temp\d722e0bd19dc4700f5d5d96f3700037b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\DESpapi.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\DESpapi.dll",iep
    3⤵
    - Loads dropped DLL
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DESpapi.dll

Filesize
96KB

MD5
9e61cea8b1400aa106cead6e264fbe70

SHA1
fd4e752f433b3fd11efc31d159e29a1478b9b6ce

SHA256
3b4f860868646ee22a8a302bfbb1a3583e0b77141c65b895a8e6f11421f7c2c0

SHA512
16ce0de699757bbf2379c503a3dbf3ee21d8381b9085f8c914fddb5ca1e4a840796e6cb7db6a4ac2684df674a7388f1a057956259c21be9ccd3c7589ff86244b

Download Submit
memory/2372-12-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2372-1-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2372-0-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2372-2-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2372-16-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2372-17-0x0000000001E80000-0x0000000001EC0000-memory.dmp

Filesize
256KB

Download
memory/2588-25-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2588-28-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2588-26-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2912-11-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/2912-24-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2912-13-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2912-10-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2912-27-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download