Analysis
max time kernel: 1768s
max time network: 1774s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 02:49
Static task: static1
Behavioral task: behavioral1
  Sample: CleanUp.dll
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: CleanUp.dll
  Resource: win10v2004-20240426-en
General
Target: CleanUp.dll
Size: 472KB
MD5: 9b589bdef7751d9f6e102d8ec1dd3740
SHA1: 7af0251fa97aaa8ed0017b93c01a30ae01bc91c0
SHA256: bd5a37a8d2cdc44d60e5f550eb02e84fe41e380c341c404a4ffb71f9fc057e4a
SHA512: 819401f0a74efc80001110b83c360765ebdb88ffe4738092b4abd2dd8e1bf51d32b54b2190af0f7bbae3830ab797456ea22ecd4275c261727fbb2b3c0536ee10
SSDEEP: 12288:USXo1x8EicZyXeATBSrEW5bl+wtWVkhxUnMBRKl+ebeg0Lz:UgeE0+wtWVOxDBAl+6eg0n
Malware Config
Signatures
Blocklisted process makes network request (26 IoCs)
Processes:
flow  pid   process
21    1436  rundll32.exe
68    1436  rundll32.exe
69    1436  rundll32.exe
70    1436  rundll32.exe
74    1436  rundll32.exe
76    1436  rundll32.exe
77    1436  rundll32.exe
78    1436  rundll32.exe
79    1436  rundll32.exe
80    1436  rundll32.exe
81    1436  rundll32.exe
82    1436  rundll32.exe
84    1436  rundll32.exe
85    1436  rundll32.exe
86    1436  rundll32.exe
87    1436  rundll32.exe
88    1436  rundll32.exe
89    1436  rundll32.exe
90    1436  rundll32.exe
91    1436  rundll32.exe
92    1436  rundll32.exe
93    1436  rundll32.exe
94    1436  rundll32.exe
95    1436  rundll32.exe
96    1436  rundll32.exe
97    1436  rundll32.exe
Executes dropped EXE (2 IoCs)
Processes:
pid   process
3508  getresult.exe
4992  getresult.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
1436  rundll32.exe
1436  rundll32.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description                        pid   process       target process
PID 3724 wrote to memory of 1436   3724  rundll32.exe  rundll32.exe
PID 3724 wrote to memory of 1436   3724  rundll32.exe  rundll32.exe
PID 3724 wrote to memory of 1436   3724  rundll32.exe  rundll32.exe
PID 1436 wrote to memory of 1876   1436  rundll32.exe  cmd.exe
PID 1436 wrote to memory of 1876   1436  rundll32.exe  cmd.exe
PID 1436 wrote to memory of 1876   1436  rundll32.exe  cmd.exe
PID 1876 wrote to memory of 3136   1876  cmd.exe       cmd.exe
PID 1876 wrote to memory of 3136   1876  cmd.exe       cmd.exe
PID 3136 wrote to memory of 3508   3136  cmd.exe       getresult.exe
PID 3136 wrote to memory of 3508   3136  cmd.exe       getresult.exe
PID 3136 wrote to memory of 4992   3136  cmd.exe       getresult.exe
PID 3136 wrote to memory of 4992   3136  cmd.exe       getresult.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp.dll,#1
   PID: 3724
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp.dll,#1
      PID: 1436
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\SysWOW64\cmd.exe
         PID: 1876
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\cmd.exe
            Command line: C:\Windows\sysnative\cmd.exe
            PID: 3136
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\getresult.exe
               Command line: getresult.exe 1
               PID: 3508
               - Executes dropped EXE
            5. C:\Users\Admin\AppData\Local\Temp\getresult.exe
               Command line: getresult.exe 1
               PID: 4992
               - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\Local State
  Filesize: 130KB
  MD5: 2683fb59f868612b7e52ede9c21c7e30
  SHA1: 005cca39aeac90c9370afe02c84fca6cfe056998
  SHA256: 08715313d2417be76c049e61fb06cfdfc75eb231f23f95e812c078e1e537c5e8
  SHA512: e6b4a3b0059664e7a91fe1ff415adfaab3f753f5d1685412e0e6af7c42cf44344fecd1600801e40528c4715563713e5d6d38f3a2b125bc88db7eea8002d58034

C:\Users\Admin\AppData\Local\Temp\Local State
  Filesize: 8KB
  MD5: a64314040678df8514f5ca1f5e553fa6
  SHA1: ca524eade485f1d17116a6fee4ebb8a5a8eaa415
  SHA256: 1fe046bd3e6db71a519efc4efb62ad0fabadd94b0f55c31c04e9f7551d081835
  SHA512: 6ac9102f14e4c11521584bf2cb8a28a3ff0c091fcff2c0553dabda994df08c6d59b5b555c34929942cfdaa8f52d070f7fcb79db9524ba5de08b277444063a761

C:\Users\Admin\AppData\Local\Temp\Login Data
  Filesize: 46KB
  MD5: 8f5942354d3809f865f9767eddf51314
  SHA1: 20be11c0d42fc0cef53931ea9152b55082d1a11e
  SHA256: 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
  SHA512: fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\Login Data
  Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\cleanup.txt
  Filesize: 4B
  MD5: 639d79cc857a6c76c2723b7e014fccb0
  SHA1: adfd09d30e05fd65b66767c0debe17a886cc47cd
  SHA256: 60f3014617bfa4ed073bfbc1cda889c1b85e92427fa6d63ede6bb9b35c662a1d
  SHA512: dd2c770964f8aa993b793fae3f583b950e06b39fdb016b09d4504908878bae215d5642fafe717ce0d6235fcb6211b479b8badc8147750ff0772a46658162fa61

C:\Users\Admin\AppData\Local\Temp\getresult.exe
  Filesize: 5.0MB
  MD5: 75b9e9a264f240f3fe53738ae77a4f69
  SHA1: 2de9ddb4954e7c3ae6969b0338ab4a732eeff9b1
  SHA256: fbd85129473a8a0f017bcbdc9fa4d4e1b41dda94ffd02b8199ff8452aee69344
  SHA512: e6d46d06cd3f165d9457f90dde0bfe1e07eaf5bc84a3b628a53cfc2b86d7ad812d3058695c28dbd7987f31a7b7a081443ceb9fb5022e65fcb9c5469e9ef31326

memory/3508-11-0x00007FF637AF0000-0x00007FF637FFC000-memory.dmp
  Filesize: 5.0MB

memory/3508-12-0x0000000140000000-0x00000001404CF000-memory.dmp
  Filesize: 4.8MB

memory/3508-26-0x00007FF637AF0000-0x00007FF637FFC000-memory.dmp
  Filesize: 5.0MB

memory/4992-33-0x00007FF637AF0000-0x00007FF637FFC000-memory.dmp
  Filesize: 5.0MB

memory/4992-47-0x00007FF637AF0000-0x00007FF637FFC000-memory.dmp
  Filesize: 5.0MB