Overview
overview
10Static
static
7IESecurity.dll
windows7-x64
6IESecurity.dll
windows10-2004-x64
6ProcMon.dll
windows7-x64
1ProcMon.dll
windows10-2004-x64
1SpySheriff.exe
windows7-x64
8SpySheriff.exe
windows10-2004-x64
7Uninstall.exe
windows7-x64
1Uninstall.exe
windows10-2004-x64
1heur000.dll
windows7-x64
1heur000.dll
windows10-2004-x64
1heur001.dll
windows7-x64
1heur001.dll
windows10-2004-x64
1heur002.dll
windows7-x64
4heur002.dll
windows10-2004-x64
4heur003.dll
windows7-x64
10heur003.dll
windows10-2004-x64
10Analysis
-
max time kernel
134s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 20:23
Behavioral task
behavioral1
Sample
IESecurity.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
IESecurity.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
ProcMon.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
ProcMon.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
SpySheriff.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
SpySheriff.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
Uninstall.exe
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
Uninstall.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
heur000.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
heur000.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
heur001.dll
Resource
win7-20240419-en
Behavioral task
behavioral12
Sample
heur001.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
heur002.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
heur002.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
heur003.dll
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
heur003.dll
Resource
win10v2004-20240508-en
General
-
Target
heur003.dll
-
Size
118KB
-
MD5
bb06f2c0d34812d455aecc790aab74d4
-
SHA1
b206b3f29a3823ac4dad859c13e32dfa1f5f92f0
-
SHA256
45f6c21d358f56679acb89adeda25e296ab0eb5518eda33a175a1e22cfd71e19
-
SHA512
f5a4d616fa5e55072c360101216fee9a43c26572910d68ad2b7b68e8fbd3ad0f68aeaa84ffc6bbcbfb8c32e2e82eb2a6f0f5b51d33e640e70c4fd495222042ad
-
SSDEEP
3072:+CL0FKkhYyoAwOSxoPMVsf0nQla8vxgs2N+r3rWM:+4Q9/RgPvSCsDr3r
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" rundll32.exe -
Modifies AppInit DLL entries 2 TTPs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" rundll32.exe -
Modifies registry class 5 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1492 wrote to memory of 4084 1492 rundll32.exe rundll32.exe PID 1492 wrote to memory of 4084 1492 rundll32.exe rundll32.exe PID 1492 wrote to memory of 4084 1492 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\heur003.dll,#12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4084-1-0x0000000000980000-0x00000000009AC000-memory.dmpFilesize
176KB
-
memory/4084-0-0x0000000010000000-0x0000000010024000-memory.dmpFilesize
144KB
-
memory/4084-10-0x00000000005F0000-0x00000000005F1000-memory.dmpFilesize
4KB
-
memory/4084-9-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/4084-8-0x00000000009B0000-0x00000000009B1000-memory.dmpFilesize
4KB
-
memory/4084-7-0x0000000000950000-0x0000000000951000-memory.dmpFilesize
4KB
-
memory/4084-6-0x00000000009C0000-0x00000000009C1000-memory.dmpFilesize
4KB
-
memory/4084-5-0x0000000000AB0000-0x0000000000AB1000-memory.dmpFilesize
4KB
-
memory/4084-4-0x0000000000AC0000-0x0000000000AC1000-memory.dmpFilesize
4KB
-
memory/4084-3-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/4084-2-0x0000000000AF0000-0x0000000000AF1000-memory.dmpFilesize
4KB
-
memory/4084-12-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/4084-11-0x0000000000B00000-0x0000000000B01000-memory.dmpFilesize
4KB