22f9b48c8f78c9d7e027e5956851b70a889d0b7de6c161486096ca7a2218665c

Resubmissions

25/04/2024, 23:03

240425-21415agb4x 3

25/04/2024, 22:57

240425-2xel3agb37 3

Analysis

max time kernel
138s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lightshot.dll
Size

42.8MB
MD5

adaf397f4411ea601d3f16466e9977b3
SHA1

c4c82f343f1faba0b9ba64812f4fd6fad6158baa
SHA256

22f9b48c8f78c9d7e027e5956851b70a889d0b7de6c161486096ca7a2218665c
SHA512

4b55e32b4a99de5faf2941ab823072ff4f0ba50f35080590e085479b45a1f3fe1f04fa214dcbf26948ef60028df9b5bf5046dc1307558af585cbca7491432e04
SSDEEP

393216:Z6bcFItVoPXkVcFi6xeFbXYh6/U08Vil1/kdC8yFeH6yZ3qA1/elx4Zf1++aD88L:ZpytVgiT+CMzC89Hl/0kzii1oQSPyu

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2600	1560	WerFault.exe	84

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	rundll32.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1560	rundll32.exe
1560	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 1560	4000	rundll32.exe	84
PID 4000 wrote to memory of 1560	4000	rundll32.exe	84
PID 4000 wrote to memory of 1560	4000	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Lightshot.dll,#1
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 816
    3⤵
    - Program crash
    PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1560 -ip 1560
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1560-0-0x0000000002480000-0x00000000044AC000-memory.dmp

Filesize
32.2MB

Download
memory/1560-1-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1560-2-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1560-3-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/1560-4-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1560-5-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1560-6-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1560-7-0x0000000002480000-0x00000000044AC000-memory.dmp

Filesize
32.2MB

Download
memory/1560-8-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1560-9-0x0000000002480000-0x00000000044AC000-memory.dmp

Filesize
32.2MB

Download
memory/1560-12-0x0000000002480000-0x00000000044AC000-memory.dmp

Filesize
32.2MB

Download