Analysis

max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/05/2024, 00:07
Static task: static1

Behavioral task: behavioral1
  Sample: 86ca4fd1b19b8bcd919b8b31cbc68981b2d8e217b15994307cfa70eb01b465b8.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 86ca4fd1b19b8bcd919b8b31cbc68981b2d8e217b15994307cfa70eb01b465b8.dll
  Resource: win10v2004-20240226-en
General

Target: 86ca4fd1b19b8bcd919b8b31cbc68981b2d8e217b15994307cfa70eb01b465b8.dll
Size: 811KB
MD5: f2caf53bc06c67b2cb232f6491e15a71
SHA1: 8d03ac0f81b228993fd84c5dbda90024a2ce8b40
SHA256: 86ca4fd1b19b8bcd919b8b31cbc68981b2d8e217b15994307cfa70eb01b465b8
SHA512: 31a0c9c1e073a8c2cf402b3572bb761616677f25187a1a4fc60bc42be5d9d1cdd5f2711e2c93cde8bd6e601f99fff2a5868d753ed422c643d8815d092033be56
SSDEEP: 24576:gUd3+qlEWNXB7RQhV6JzzHVKJ3GJ4Mlz:guzW4JRQi5L0yP
Malware Config
Signatures

Detects Windows executables referencing non-Windows User-Agents (3 IoCs)

  resource                                                                     yara_rule
  behavioral1/memory/2684-12-0x0000000000400000-0x00000000004CF000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral1/files/0x000c00000001445e-9.dat                                   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral1/memory/2168-7-0x00000000003C0000-0x000000000048F000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Executes dropped EXE (1 IoC)

  pid   Process
  2684  hrl80F3.tmp

Loads dropped DLL (2 IoCs)

  pid   Process
  2168  rundll32.exe
  2168  rundll32.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

  description              ioc     Process
  File opened (read-only)  \??\X:  rundll32.exe
  File opened (read-only)  \??\Z:  rundll32.exe
  File opened (read-only)  \??\G:  rundll32.exe
  File opened (read-only)  \??\L:  rundll32.exe
  File opened (read-only)  \??\M:  rundll32.exe
  File opened (read-only)  \??\U:  rundll32.exe
  File opened (read-only)  \??\V:  rundll32.exe
  File opened (read-only)  \??\T:  rundll32.exe
  File opened (read-only)  \??\S:  rundll32.exe
  File opened (read-only)  \??\W:  rundll32.exe
  File opened (read-only)  \??\Y:  rundll32.exe
  File opened (read-only)  \??\E:  rundll32.exe
  File opened (read-only)  \??\H:  rundll32.exe
  File opened (read-only)  \??\K:  rundll32.exe
  File opened (read-only)  \??\N:  rundll32.exe
  File opened (read-only)  \??\R:  rundll32.exe
  File opened (read-only)  \??\I:  rundll32.exe
  File opened (read-only)  \??\J:  rundll32.exe
  File opened (read-only)  \??\O:  rundll32.exe
  File opened (read-only)  \??\P:  rundll32.exe
  File opened (read-only)  \??\Q:  rundll32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)

  pid   Process
  2684  hrl80F3.tmp

Suspicious behavior: MapViewOfSection (23 IoCs)

  pid   Process      count
  2684  hrl80F3.tmp  23 (identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)

  description              pid   Process
  Token: SeDebugPrivilege  2684  hrl80F3.tmp

Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed, count in last column)

  description                       pid   Process       procid_target  count
  PID 2256 wrote to memory of 2168  2256  rundll32.exe  28             7
  PID 2168 wrote to memory of 2684  2168  rundll32.exe  29             4
  PID 2684 wrote to memory of 372   2684  hrl80F3.tmp   3              7
  PID 2684 wrote to memory of 384   2684  hrl80F3.tmp   4              7
  PID 2684 wrote to memory of 420   2684  hrl80F3.tmp   5              7
  PID 2684 wrote to memory of 468   2684  hrl80F3.tmp   6              7
  PID 2684 wrote to memory of 476   2684  hrl80F3.tmp   7              7
  PID 2684 wrote to memory of 484   2684  hrl80F3.tmp   8              7
  PID 2684 wrote to memory of 584   2684  hrl80F3.tmp   9              7
  PID 2684 wrote to memory of 664   2684  hrl80F3.tmp   10             4
Processes (image path, command line, PID; indentation shows parent/child depth)

- C:\Windows\system32\wininit.exe  (cmd: wininit.exe)  PID:372
  - C:\Windows\system32\services.exe  (cmd: C:\Windows\system32\services.exe)  PID:468
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k DcomLaunch)  PID:584
      - C:\Windows\system32\DllHost.exe  (cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})  PID:792
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k RPCSS)  PID:664
    - C:\Windows\System32\svchost.exe  (cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted)  PID:744
    - C:\Windows\System32\svchost.exe  (cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted)  PID:804
      - C:\Windows\system32\Dwm.exe  (cmd: "C:\Windows\system32\Dwm.exe")  PID:1316
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k netsvcs)  PID:844
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k LocalService)  PID:980
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k NetworkService)  PID:300
    - C:\Windows\System32\spoolsv.exe  (cmd: C:\Windows\System32\spoolsv.exe)  PID:108
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork)  PID:532
    - C:\Windows\system32\taskhost.exe  (cmd: "taskhost.exe")  PID:1224
    - C:\Windows\system32\svchost.exe  (cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation)  PID:3056
    - C:\Windows\system32\sppsvc.exe  (cmd: C:\Windows\system32\sppsvc.exe)  PID:1992
  - C:\Windows\system32\lsass.exe  (cmd: C:\Windows\system32\lsass.exe)  PID:476
  - C:\Windows\system32\lsm.exe  (cmd: C:\Windows\system32\lsm.exe)  PID:484
- C:\Windows\system32\csrss.exe  (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)  PID:384
- C:\Windows\system32\winlogon.exe  (cmd: winlogon.exe)  PID:420
- C:\Windows\Explorer.EXE  (cmd: C:\Windows\Explorer.EXE)  PID:1364
  - C:\Windows\system32\rundll32.exe  (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\86ca4fd1b19b8bcd919b8b31cbc68981b2d8e217b15994307cfa70eb01b465b8.dll,#1)  PID:2256
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe  (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\86ca4fd1b19b8bcd919b8b31cbc68981b2d8e217b15994307cfa70eb01b465b8.dll,#1)  PID:2168
        signatures: Loads dropped DLL; Enumerates connected drives; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\hrl80F3.tmp  (cmd: C:\Users\Admin\AppData\Local\Temp\hrl80F3.tmp)  PID:2684
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 803KB
MD5: 4f339c90801694bdef3ab459c4af447e
SHA1: b623fe3c6f7b64875e07809efb68faa15ec868ec
SHA256: 4a4653c5273b84a4c4e61da383c013abbdab0bc671c655f6f5e44630b64c5540
SHA512: 01a40c1d86f9b42c713f5790b0a30fff51e744938177157f70940382bbffe4351b957f8803fc4d41526fb77675dea46287d632a46fdfb5dc20d40ec50a111f1e