e3ff5ca6952b263f1e3280b8ac648316a25fe1b5be45dae11317918d8856612a

Resubmissions

05-04-2024 15:10

240405-skcr9sfc7s 8

20-12-2023 19:03

231220-xqn5psdhhm 8

Analysis

max time kernel
131s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.bat
Size

87B
MD5

864189b29e0ee9338690f34f60d9ed61
SHA1

2f130b692da72031ca0089894b84d716319c3b9a
SHA256

6887bbcea8d76ccb3cdf324d5a7b0feea4a7bbc17e4c05c9e7e07c735ba565a4
SHA512

957853c8a9a67d0555ddeb3981440d9709ff2762a4e4ae7cf48bc2a8a4cb9304154b696411ea4a521871b8322bdb433fd36988e230b91d1656f6c0c8488abafb

Score

8^/10

dave

Malware Config

Signatures

Blocklisted process makes network request 12 IoCs

Processes:

rundll32.exe

flow	pid	process
2	2680	rundll32.exe
3	2680	rundll32.exe
4	2680	rundll32.exe
5	2680	rundll32.exe
6	2680	rundll32.exe
7	2680	rundll32.exe
8	2680	rundll32.exe
9	2680	rundll32.exe
10	2680	rundll32.exe
11	2680	rundll32.exe
12	2680	rundll32.exe
13	2680	rundll32.exe

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral3/memory/2680-2-0x0000000002060000-0x0000000002436000-memory.dmp	dave

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1500 wrote to memory of 3004	1500	cmd.exe	rundll32.exe
PID 1500 wrote to memory of 3004	1500	cmd.exe	rundll32.exe
PID 1500 wrote to memory of 3004	1500	cmd.exe	rundll32.exe
PID 3004 wrote to memory of 2680	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 2680	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 2680	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 2680	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 2680	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 2680	3004	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 2680	3004	rundll32.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\rundll32.exe
rundll32.exe dino.dll ADMISSIONS_get0_admissionAuthority
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe dino.dll ADMISSIONS_get0_admissionAuthority
3⤵
- Blocklisted process makes network request
- Checks processor information in registry
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2680-2-0x0000000002060000-0x0000000002436000-memory.dmp

Filesize
3.8MB

Download
memory/2680-0-0x0000000002440000-0x0000000002818000-memory.dmp

Filesize
3.8MB

Download
memory/2680-5-0x0000000002820000-0x0000000002BFF000-memory.dmp

Filesize
3.9MB

Download
memory/2680-13-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-14-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-15-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-16-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-17-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-18-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-19-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-20-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-21-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-22-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-23-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-25-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-26-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-34-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-39-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download
memory/2680-42-0x0000000002FD0000-0x00000000037DA000-memory.dmp

Filesize
8.0MB

Download