59f9929ed207c31b1d1cdf149ae3bea5d1187453574b405639bbac240ea1b693 | Triage

Analysis

max time kernel
537s
max time network
538s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29/05/2024, 17:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CleanUp32.dll
Size

4.1MB
MD5

7fd2c316fdd37926e2ca2ec4c7264197
SHA1

aa82bef600f8b3d7dc5696b9d7086ea37666559a
SHA256

59f9929ed207c31b1d1cdf149ae3bea5d1187453574b405639bbac240ea1b693
SHA512

a71902852dd28650bf352932d482dc07220ddf6bd700e30604425791224a5b7f5a7436388980db147c82a1978250d80f64b485b5d22e4374e2ba2eebf98ed8f6
SSDEEP

49152:YCNjjJVOTFkB3dVKeSsq6t21vqM1tn7SMaxV9THdQk/dgW1OxyNKzYNP4M9lPQmd:YCNnOTFiNYexHIkMneRWWQxwPW

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 55 IoCs

flow	pid	Process
2	68	rundll32.exe
3	68	rundll32.exe
4	68	rundll32.exe
6	68	rundll32.exe
7	68	rundll32.exe
8	68	rundll32.exe
9	68	rundll32.exe
10	68	rundll32.exe
11	68	rundll32.exe
12	68	rundll32.exe
14	68	rundll32.exe
15	68	rundll32.exe
16	68	rundll32.exe
17	68	rundll32.exe
18	68	rundll32.exe
19	68	rundll32.exe
20	68	rundll32.exe
22	68	rundll32.exe
23	68	rundll32.exe
24	68	rundll32.exe
26	68	rundll32.exe
32	68	rundll32.exe
44	68	rundll32.exe
45	68	rundll32.exe
46	68	rundll32.exe
47	68	rundll32.exe
48	68	rundll32.exe
49	68	rundll32.exe
50	68	rundll32.exe
51	68	rundll32.exe
52	68	rundll32.exe
53	68	rundll32.exe
54	68	rundll32.exe
55	68	rundll32.exe
56	68	rundll32.exe
57	68	rundll32.exe
58	68	rundll32.exe
59	68	rundll32.exe
60	68	rundll32.exe
61	68	rundll32.exe
62	68	rundll32.exe
63	68	rundll32.exe
64	68	rundll32.exe
65	68	rundll32.exe
66	68	rundll32.exe
67	68	rundll32.exe
68	68	rundll32.exe
69	68	rundll32.exe
70	68	rundll32.exe
71	68	rundll32.exe
72	68	rundll32.exe
73	68	rundll32.exe
74	68	rundll32.exe
75	68	rundll32.exe
76	68	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
864	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 68	4520	rundll32.exe	73
PID 4520 wrote to memory of 68	4520	rundll32.exe	73
PID 4520 wrote to memory of 68	4520	rundll32.exe	73
PID 68 wrote to memory of 864	68	rundll32.exe	74
PID 68 wrote to memory of 864	68	rundll32.exe	74
PID 68 wrote to memory of 864	68	rundll32.exe	74

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp32.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:68
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn ClearMngs /tr "rundll32 'C:\Users\Admin\AppData\Local\Temp\CleanUp32.dll',Test" /sc hourly /mo 3 /f
    3⤵
    - Creates scheduled task(s)
    PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads