59f9929ed207c31b1d1cdf149ae3bea5d1187453574b405639bbac240ea1b693 | Triage

Analysis

max time kernel
577s
max time network
583s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 17:42

Sharing

Report Analysis Logs

General

Target

CleanUp32.dll
Size

4.1MB
MD5

7fd2c316fdd37926e2ca2ec4c7264197
SHA1

aa82bef600f8b3d7dc5696b9d7086ea37666559a
SHA256

59f9929ed207c31b1d1cdf149ae3bea5d1187453574b405639bbac240ea1b693
SHA512

a71902852dd28650bf352932d482dc07220ddf6bd700e30604425791224a5b7f5a7436388980db147c82a1978250d80f64b485b5d22e4374e2ba2eebf98ed8f6
SSDEEP

49152:YCNjjJVOTFkB3dVKeSsq6t21vqM1tn7SMaxV9THdQk/dgW1OxyNKzYNP4M9lPQmd:YCNnOTFiNYexHIkMneRWWQxwPW

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
2	2096	rundll32.exe
4	2096	rundll32.exe
5	2096	rundll32.exe
6	2096	rundll32.exe
7	2096	rundll32.exe
8	2096	rundll32.exe
9	2096	rundll32.exe
10	2096	rundll32.exe
11	2096	rundll32.exe
12	2096	rundll32.exe
13	2096	rundll32.exe
14	2096	rundll32.exe
15	2096	rundll32.exe
17	2096	rundll32.exe
18	2096	rundll32.exe
19	2096	rundll32.exe
20	2096	rundll32.exe
21	2096	rundll32.exe
22	2096	rundll32.exe
23	2096	rundll32.exe
24	2096	rundll32.exe
25	2096	rundll32.exe
26	2096	rundll32.exe
27	2096	rundll32.exe
29	2096	rundll32.exe
30	2096	rundll32.exe
31	2096	rundll32.exe
32	2096	rundll32.exe
33	2096	rundll32.exe
34	2096	rundll32.exe
35	2096	rundll32.exe
36	2096	rundll32.exe
37	2096	rundll32.exe
38	2096	rundll32.exe
39	2096	rundll32.exe
40	2096	rundll32.exe
41	2096	rundll32.exe
42	2096	rundll32.exe
43	2096	rundll32.exe
44	2096	rundll32.exe
45	2096	rundll32.exe
46	2096	rundll32.exe
47	2096	rundll32.exe
48	2096	rundll32.exe
49	2096	rundll32.exe
50	2096	rundll32.exe
51	2096	rundll32.exe
52	2096	rundll32.exe
53	2096	rundll32.exe
54	2096	rundll32.exe
55	2096	rundll32.exe
56	2096	rundll32.exe
57	2096	rundll32.exe
58	2096	rundll32.exe
59	2096	rundll32.exe
60	2096	rundll32.exe
61	2096	rundll32.exe
62	2096	rundll32.exe
63	2096	rundll32.exe
64	2096	rundll32.exe
65	2096	rundll32.exe
66	2096	rundll32.exe
67	2096	rundll32.exe
68	2096	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1980	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2096	1968	rundll32.exe	28
PID 1968 wrote to memory of 2096	1968	rundll32.exe	28
PID 1968 wrote to memory of 2096	1968	rundll32.exe	28
PID 1968 wrote to memory of 2096	1968	rundll32.exe	28
PID 1968 wrote to memory of 2096	1968	rundll32.exe	28
PID 1968 wrote to memory of 2096	1968	rundll32.exe	28
PID 1968 wrote to memory of 2096	1968	rundll32.exe	28
PID 2096 wrote to memory of 1980	2096	rundll32.exe	29
PID 2096 wrote to memory of 1980	2096	rundll32.exe	29
PID 2096 wrote to memory of 1980	2096	rundll32.exe	29
PID 2096 wrote to memory of 1980	2096	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp32.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn ClearMngs /tr "rundll32 'C:\Users\Admin\AppData\Local\Temp\CleanUp32.dll',Test" /sc hourly /mo 3 /f
    3⤵
    - Creates scheduled task(s)
    PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads