Analysis
  max time kernel:   135s
  max time network:  121s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         17/04/2024, 13:38
Static task
  static1
Behavioral task
  behavioral1
    Sample:    b30b76585ea225bdf8b4c6eedf4e6e99aff0cf8aac7cdf6fb1fa58b8bde68ab3.dll
    Resource:  win7-20240221-en
Behavioral task
  behavioral2
    Sample:    b30b76585ea225bdf8b4c6eedf4e6e99aff0cf8aac7cdf6fb1fa58b8bde68ab3.dll
    Resource:  win10v2004-20240412-en
General
  Target:  b30b76585ea225bdf8b4c6eedf4e6e99aff0cf8aac7cdf6fb1fa58b8bde68ab3.dll
  Size:    908KB
  MD5:     7e7b253fcfe99cf48e171533182005ea
  SHA1:    c6e306fc7b2de1e8b1d904f636113f04fef8d35c
  SHA256:  b30b76585ea225bdf8b4c6eedf4e6e99aff0cf8aac7cdf6fb1fa58b8bde68ab3
  SHA512:  b61dbc28c627db00d651b8957b4ffecdefa4c92151e27a5bc18f497063dbd6fbfd0f8b645e5e6f905cb533626d8e0f7c536cd08ee0038aa607956fa2e75730dd
  SSDEEP:  12288:I+YE32Q8n9FgCBT4jh0rOcazvLbzTq4TYSyPKcaTuxfa:IvEwnfg04jgaXbzG4TYS8KcR
Malware Config
Signatures
-
Modifies Installed Components in the registry  2 TTPs  1 IoCs
  description   ioc                                                                                                                    Process
  Key created   \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Active Setup\Installed Components   explorer.exe
-
Checks whether UAC is enabled  1 IoCs
  description         ioc                                                                          Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
-
Modifies registry class  5 IoCs
  description        ioc                                                                                                                                          Process
  Set value (data)   \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff   explorer.exe
  Key created        \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings                                                         explorer.exe
  Key created        \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell                         explorer.exe
  Key created        \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU                  explorer.exe
  Set value (data)   \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots        explorer.exe
-
Suspicious behavior: EnumeratesProcesses  3 IoCs
  pid    Process
  2992   rundll32.exe   (3 identical rows)
-
Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  pid   Process
  436   explorer.exe
-
Suspicious use of AdjustPrivilegeToken  12 IoCs
  description                 pid   Process
  Token: SeShutdownPrivilege  436   explorer.exe   (12 identical rows)
-
Suspicious use of FindShellTrayWindow  29 IoCs
  pid   Process
  436   explorer.exe   (29 identical rows)
-
Suspicious use of SendNotifyMessage  18 IoCs
  pid   Process
  436   explorer.exe   (18 identical rows)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
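This signature carries no IoC row, so the report does not show which process invoked the API or which task, if any, was registered. As an added example (the editor's own code, not the report's or the sample's), the following PowerShell script hunts for that kind of persistence on a host through the same Schedule.Service COM interface: it walks every task folder, hidden tasks included, and reports tasks whose exec action runs from a user-writable location or loads a DLL through rundll32 from outside the Windows directory, annotating boot and logon triggers. The set of user-writable roots is an assumption made for the example.

```powershell
# Added example (editor's own, not code from the Triage report or the sample):
# enumerate every registered task through the Task Scheduler COM API
# (Schedule.Service) and report tasks whose exec action runs from a
# user-writable path or loads a DLL via rundll32 outside %windir%.
# Run elevated so tasks registered by other principals are visible.

# Constants from the Task Scheduler API
$TASK_ENUM_HIDDEN   = 1   # ITaskFolder.GetTasks flag: include hidden tasks
$TASK_ACTION_EXEC   = 0   # IAction.Type: command-line action (IExecAction)
$TASK_TRIGGER_BOOT  = 8   # ITrigger.Type values
$TASK_TRIGGER_LOGON = 9

# Assumption for this example: these roots count as user-writable.
# Extend for the environment (vendor folders under ProgramData, etc.).
$UserWritableRoots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) |
    Where-Object { $_ } | Select-Object -Unique

function Get-AllScheduledTasks {
    # Breadth-first walk of the task folder tree starting at the root folder
    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect()
    $pending = New-Object System.Collections.Generic.Queue[object]
    $pending.Enqueue($svc.GetFolder('\'))
    while ($pending.Count -gt 0) {
        $folder = $pending.Dequeue()
        foreach ($sub in $folder.GetFolders(0)) { $pending.Enqueue($sub) }
        foreach ($task in $folder.GetTasks($TASK_ENUM_HIDDEN)) { $task }
    }
}

function Test-SuspiciousTask {
    param($Task)
    $def = $Task.Definition
    $findings = @()

    foreach ($action in $def.Actions) {
        if ($action.Type -ne $TASK_ACTION_EXEC) { continue }
        $cmd = ("{0} {1}" -f $action.Path, $action.Arguments).Trim()

        # Executable or arguments reference a user-writable root
        foreach ($root in $UserWritableRoots) {
            if ($cmd.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $findings += "runs from user-writable path: $cmd"
                break
            }
        }

        # "rundll32 <dll>,#N" is the load pattern the sandbox used for this
        # sample; flag it when the DLL is not under the Windows directory
        if ($cmd -match '(?i)rundll32(\.exe)?\s+(?<dll>[^,]+),#?\w+' -and
            $Matches.dll.IndexOf($env:windir, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
            $findings += "rundll32 export load outside %windir%: $cmd"
        }
    }

    if ($findings.Count -eq 0) { return }

    # Only annotate triggers on tasks that already have an action finding,
    # otherwise every legitimate logon task would be reported
    foreach ($trigger in $def.Triggers) {
        if (@($TASK_TRIGGER_BOOT, $TASK_TRIGGER_LOGON) -contains $trigger.Type) {
            $findings += "persistence trigger type $($trigger.Type) (8=boot, 9=logon)"
        }
    }

    [pscustomobject]@{
        TaskPath = $Task.Path
        State    = $Task.State
        LastRun  = $Task.LastRunTime
        Findings = $findings -join '; '
    }
}

Get-AllScheduledTasks | ForEach-Object { Test-SuspiciousTask $_ } | Format-List
```

Expect a baseline of legitimate vendor tasks that run from ProgramData; compare the output against a clean reference host rather than treating every hit as malicious. Tasks registered through this API are also written as XML under C:\Windows\System32\Tasks and logged as event 106 (task registered) in Microsoft-Windows-TaskScheduler/Operational, so the same findings can be cross-checked from disk and from the event log.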
Processes
-
  C:\Windows\system32\rundll32.exe   PID:2992   tree depth 1
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b30b76585ea225bdf8b4c6eedf4e6e99aff0cf8aac7cdf6fb1fa58b8bde68ab3.dll,#1
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
-
  C:\Windows\explorer.exe   PID:436   tree depth 1
    command line: explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
-
Both entries sit at tree depth 1, so the report records no parent/child relationship between them. explorer.exe (PID 436) is the sandbox desktop shell, and the activity listed under it (shell bag BagMRU keys, the Active Setup key, SeShutdownPrivilege, FindShellTrayWindow, SendNotifyMessage) is ordinary shell behaviour that this trace does not attribute to the DLL. The behaviour recorded for the sample itself is confined to rundll32.exe (PID 2992): loading the DLL through ordinal export #1, querying HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (the UAC check) and enumerating processes. No network activity, dropped files or extracted configuration appears in this report.