22f9b48c8f78c9d7e027e5956851b70a889d0b7de6c161486096ca7a2218665c

Resubmissions

25/04/2024, 23:03

240425-21415agb4x 3

25/04/2024, 22:57

240425-2xel3agb37 3

Analysis

max time kernel
32s
max time network
18s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lightshot.dll
Size

42.8MB
MD5

adaf397f4411ea601d3f16466e9977b3
SHA1

c4c82f343f1faba0b9ba64812f4fd6fad6158baa
SHA256

22f9b48c8f78c9d7e027e5956851b70a889d0b7de6c161486096ca7a2218665c
SHA512

4b55e32b4a99de5faf2941ab823072ff4f0ba50f35080590e085479b45a1f3fe1f04fa214dcbf26948ef60028df9b5bf5046dc1307558af585cbca7491432e04
SSDEEP

393216:Z6bcFItVoPXkVcFi6xeFbXYh6/U08Vil1/kdC8yFeH6yZ3qA1/elx4Zf1++aD88L:ZpytVgiT+CMzC89Hl/0kzii1oQSPyu

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	2172	WerFault.exe	28

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2172	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2172	1400	rundll32.exe	28
PID 1400 wrote to memory of 2172	1400	rundll32.exe	28
PID 1400 wrote to memory of 2172	1400	rundll32.exe	28
PID 1400 wrote to memory of 2172	1400	rundll32.exe	28
PID 1400 wrote to memory of 2172	1400	rundll32.exe	28
PID 1400 wrote to memory of 2172	1400	rundll32.exe	28
PID 1400 wrote to memory of 2172	1400	rundll32.exe	28
PID 2172 wrote to memory of 2576	2172	rundll32.exe	29
PID 2172 wrote to memory of 2576	2172	rundll32.exe	29
PID 2172 wrote to memory of 2576	2172	rundll32.exe	29
PID 2172 wrote to memory of 2576	2172	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 328
    3⤵
    - Program crash
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2172-0-0x0000000001F50000-0x0000000003F7C000-memory.dmp

Filesize
32.2MB

Download
memory/2172-1-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2172-3-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2172-5-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2172-6-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2172-8-0x0000000001F50000-0x0000000003F7C000-memory.dmp

Filesize
32.2MB

Download
memory/2172-9-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2172-11-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2172-12-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2172-14-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2172-16-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2172-19-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2172-21-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2172-24-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2172-26-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2172-29-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2172-31-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2172-34-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2172-36-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2172-39-0x0000000001F50000-0x0000000003F7C000-memory.dmp

Filesize
32.2MB

Download