Overview

overview

7

Static

static

3

efb2a3a0a0...8b.dll

windows7-x64

7

efb2a3a0a0...8b.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    01-06-2024 04:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    efb2a3a0a0a03f5078818c9108f43cb658f92aac0b7b9710f5eccd9e36bc028b.dll

  • Size

    496KB

  • MD5

    af534395bb77e1033cefdc47afa86829

  • SHA1

    9eab83d53442b540554e637ea46fa9c9928c6877

  • SHA256

    efb2a3a0a0a03f5078818c9108f43cb658f92aac0b7b9710f5eccd9e36bc028b

  • SHA512

    1c819463b18db284ea5269c2739a09e0c66ffd38dd501b19d568ce332f6bc51434231dc895c5670639aa68ccc5a46df0b09beddc6193e34ffd70056532c2a999

  • SSDEEP

    6144:Pi05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:KrHGPv5Smpt6DmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\efb2a3a0a0a03f5078818c9108f43cb658f92aac0b7b9710f5eccd9e36bc028b.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3000
  • C:\Windows\system32\wpnpinst.exe
    C:\Windows\system32\wpnpinst.exe
    1⤵
      PID:2552
    • C:\Windows\system32\irftp.exe
      C:\Windows\system32\irftp.exe
      1⤵
        PID:2920
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0UuSm.cmd
        1⤵
          PID:2700
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2076
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
            2⤵
              PID:1728
          • C:\Windows\system32\wx6deg.exe
            C:\Windows\system32\wx6deg.exe
            1⤵
              PID:2248
            • C:\Windows\system32\WerFaultSecure.exe
              C:\Windows\system32\WerFaultSecure.exe
              1⤵
                PID:2540
              • C:\Windows\system32\DWWIN.EXE
                C:\Windows\system32\DWWIN.EXE
                1⤵
                  PID:1524
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\yMc9M.cmd
                  1⤵
                  • Drops file in System32 directory
                  PID:2904
                • C:\Windows\System32\eventvwr.exe
                  "C:\Windows\System32\eventvwr.exe"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2940
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\iNRtM.cmd
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3068
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Create /F /TN "Bygyxkyzdvxj" /SC minute /MO 60 /TR "C:\Windows\system32\1420\DWWIN.EXE" /RL highest
                      3⤵
                      • Creates scheduled task(s)
                      PID:3064

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\0UuSm.cmd
                  Filesize

                  229B

                  MD5

                  cd9b98a3c219821934bcb826e902d883

                  SHA1

                  ce82761543f97252c813bf0cf0393e101a978cbc

                  SHA256

                  f8b6a4ff2b6b209d5ac9bf4d63c3a57cf58ab81887251f0b24a5672c4106b7af

                  SHA512

                  0348e8c0b8160cec65d13c050e4f1d4822b28abc295bf33a1b93b6eade446d51944b624f8859a826765d93c89c69a74ddd3a98563cc6a50feb7c60e41bbf1d1c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\LyE1B4E.tmp
                  Filesize

                  504KB

                  MD5

                  5b2a45f9d09622b849de7e5e3650a60c

                  SHA1

                  e0ded7f6271fd80f76e0c20e7deb1fac452938d0

                  SHA256

                  501337b09e1a03fb5c4d377efd4ce5999b58db78f87dc1ebf9d2dd6bac9416a1

                  SHA512

                  18924abd3ada9804f67e3020f8b3f07c08272f3266795716f508d169ed347457aa99193fec40490573830f1bc5bf785e6d0974261e111ee19e537c10f0c57c95

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Pu1D80.tmp
                  Filesize

                  500KB

                  MD5

                  586b1e997edc3c1a3311338e6712cdfc

                  SHA1

                  720a87fb5e063f953a295854a2d7fb90590853fd

                  SHA256

                  5900144aed79d012c3ad7d286f908324f0f4178f2a454d2314bf6b479c264715

                  SHA512

                  7581d6e7a48243624745ee9bc78f2f8e76dea692085b17bb8939f0491bf43f641137f8dfb136e1f176c5b03cdbc43bf1fbfbcc72375ba22f438e987828d06cea

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\iNRtM.cmd
                  Filesize

                  128B

                  MD5

                  64976466735181fcf044aaab1a2bc358

                  SHA1

                  b08bb52a0fd48be2dc41e82979c9e8dc529e18af

                  SHA256

                  747b56906f2c8ea2a8d04a7c8616d16b9b54cabce969e69782d4fd3595d07789

                  SHA512

                  efe2709e02d873672e21f26af1b1755710a833390f548e68445e8ac0d700d856b8f63a69bb43baf67e8557e3b0c8818a4b4576089e6224cfa148fe3dc1bd57a8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\yMc9M.cmd
                  Filesize

                  191B

                  MD5

                  3fef7b50249b28f1f3f6dfc8f17c1d81

                  SHA1

                  07ef88ad888bd425a99112984e48987e49db44ff

                  SHA256

                  16b92b14c134507ebadfa72ba31b5eec9d718c47402c7050c2a658c571536b2e

                  SHA512

                  97c3c58765018746fa1947feeacb1cc177fc60041a6c28e53d8f1541eea52b227496cbded4fd4a77299153588dc857adb7a09b59a4ce60b30c707277d3a61ae1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mwyjnbrrs.lnk
                  Filesize

                  870B

                  MD5

                  ec0bd8003101ed818493fae0737f74bf

                  SHA1

                  09ba81349dd0988a4357deb6ef0bd56c607efa64

                  SHA256

                  2cb67cf838977e06660c30a36ed54f84a5d4c9c729cc78914add1590f3a681e5

                  SHA512

                  70dd6d680e1f876fd9239ecfdeeca383f9e641087cf0097afb3e3d01a8444d415a74b9a556c25811b628b2c7e4aa9fa0e096e17af4a25d2672d55c40a13fc554

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\y7zsZk\irftp.exe
                  Filesize

                  192KB

                  MD5

                  0cae1fb725c56d260bfd6feba7ae9a75

                  SHA1

                  102ac676a1de3ec3d56401f8efd518c31c8b0b80

                  SHA256

                  312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

                  SHA512

                  db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

                  Download Submit

                • memory/1228-17-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-13-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-34-0x0000000002D10000-0x0000000002D17000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1228-26-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-25-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-24-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-23-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-22-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-21-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-19-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-18-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-98-0x0000000076C96000-0x0000000076C97000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1228-16-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-15-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-14-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-33-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-12-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-11-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-10-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-9-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-35-0x0000000076EA1000-0x0000000076EA2000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1228-44-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-45-0x0000000077000000-0x0000000077002000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1228-50-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-20-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-7-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-8-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/1228-3-0x0000000076C96000-0x0000000076C97000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1228-4-0x0000000002D30000-0x0000000002D31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3000-6-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/3000-2-0x0000000001D50000-0x0000000001D57000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/3000-0-0x0000000140000000-0x000000014007C000-memory.dmp

                  Filesize

                  496KB

                  Download