Overview

overview

7

Static

static

3

efb2a3a0a0...8b.dll

windows7-x64

7

efb2a3a0a0...8b.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/06/2024, 04:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    efb2a3a0a0a03f5078818c9108f43cb658f92aac0b7b9710f5eccd9e36bc028b.dll

  • Size

    496KB

  • MD5

    af534395bb77e1033cefdc47afa86829

  • SHA1

    9eab83d53442b540554e637ea46fa9c9928c6877

  • SHA256

    efb2a3a0a0a03f5078818c9108f43cb658f92aac0b7b9710f5eccd9e36bc028b

  • SHA512

    1c819463b18db284ea5269c2739a09e0c66ffd38dd501b19d568ce332f6bc51434231dc895c5670639aa68ccc5a46df0b09beddc6193e34ffd70056532c2a999

  • SSDEEP

    6144:Pi05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:KrHGPv5Smpt6DmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\efb2a3a0a0a03f5078818c9108f43cb658f92aac0b7b9710f5eccd9e36bc028b.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3060
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe
    1⤵
      PID:4980
    • C:\Windows\system32\audiodg.exe
      C:\Windows\system32\audiodg.exe
      1⤵
        PID:5068
      • C:\Windows\system32\NetCfgNotifyObjectHost.exe
        C:\Windows\system32\NetCfgNotifyObjectHost.exe
        1⤵
          PID:4572
        • C:\Windows\system32\CloudExperienceHostBroker.exe
          C:\Windows\system32\CloudExperienceHostBroker.exe
          1⤵
            PID:1864
          • C:\Windows\system32\VSSVC.exe
            C:\Windows\system32\VSSVC.exe
            1⤵
              PID:2764
            • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
              C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
              1⤵
                PID:1432
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\qSxmkP9.cmd
                1⤵
                  PID:2248
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{b20545c2-dfb8-18ae-c9b7-e3de899dbcb9}"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3920
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{b20545c2-dfb8-18ae-c9b7-e3de899dbcb9}"
                    2⤵
                      PID:3012
                  • C:\Windows\system32\raserver.exe
                    C:\Windows\system32\raserver.exe
                    1⤵
                      PID:2276
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\v57f.cmd
                      1⤵
                      • Drops file in System32 directory
                      PID:1408
                    • C:\Windows\System32\fodhelper.exe
                      "C:\Windows\System32\fodhelper.exe"
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1940
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\sbCt.cmd
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4664
                        • C:\Windows\system32\schtasks.exe
                          schtasks.exe /Create /F /TN "Kspyygbb" /SC minute /MO 60 /TR "C:\Windows\system32\2607\raserver.exe" /RL highest
                          3⤵
                          • Creates scheduled task(s)
                          PID:3204

                    Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\o539E.tmp
                            Filesize

                            500KB

                            MD5

                            de109323deef25c42d75615061240bed

                            SHA1

                            df9e048e14b00ab5f7b78e019808dab8647c9665

                            SHA256

                            56f8c9f147a2546477dc9efa81db8494014ac489048d1ea8092870eb8d989a0a

                            SHA512

                            2435b47fa20c77ee6f9c33794ddd0a53a2fd2c251944dcd55785452ff0e64ec3cee654f16f2fd03e2f84d551cfe6dc6d2c52ec3291a2848f6bf0ec9b2361f578

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\qSxmkP9.cmd
                            Filesize

                            245B

                            MD5

                            61e374b140dcf85c8531da2021720abd

                            SHA1

                            53464bd624f005c4c6c742b9c56c463276b036dc

                            SHA256

                            891750bd187ee64a04152e6ecef54d5cd877ad5952861861c0c44912b5736e17

                            SHA512

                            fcab7a544a39012289386b472fbbbc336a0ba6cba39dcf10dd3c03ef06be74566cdf2142e9c7253f3307e145345a239ead8a4dd5b3aca74caee18fa3b0d7675d

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\sbCt.cmd
                            Filesize

                            127B

                            MD5

                            0fc7f0f279e41c77d88f0e96e2209d4e

                            SHA1

                            669ef6ca0a70690e9e67fca6a54f2faf36b3a923

                            SHA256

                            8eea098daa7508f942a887da8a35cf3e72eb99e14761451b639eb6028dfa57b0

                            SHA512

                            17e83f736f8e43f40a5a28a1acc12067b950ee14824b9f8bb609a32420063e2474ebb7ea3e7924aa97cb6298e0e048c5ef91c2c5fea82ae9ebdeab47c74f320d

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\v57f.cmd
                            Filesize

                            196B

                            MD5

                            7d082fbb049187cde8cb5e999162a1d7

                            SHA1

                            fe59958a083386bfe9e9142ee1f475e141fd069d

                            SHA256

                            d538b7ca3eddf856feb90bc01bfaf394c1d475b77d63f7f48cdcb5cc6b85e3a7

                            SHA512

                            c87e3e954708cc0bfd0b52af515f7b84f57f1d0154861615b05c4eff72a50d297b716ae8a41153294e2075be46331d59a7609e5fde420ebcab8eef2b03bb8ff5

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\zr15506.tmp
                            Filesize

                            500KB

                            MD5

                            09259f3ecf48c358a2fa79bfcd167477

                            SHA1

                            f743833b6ef9c7c2af29464d21df443c1859b85c

                            SHA256

                            917edc04438b6af3c921586ce187aa467fe4afd800fd3ff588a0aad116d61320

                            SHA512

                            480454658f0f47bc8f38be7a4ce945e212103a92753fdb06df25ca5a702e8dfba91cdbfe80f5a894c07f089951bf797a22892d76c08d3e427a8c262d2e97ac05

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Kqgt\PasswordOnWakeSettingFlyout.exe
                            Filesize

                            44KB

                            MD5

                            591a98c65f624c52882c2b238d6cd4c4

                            SHA1

                            c960d08c19d777069cf265dcc281807fbd8502d7

                            SHA256

                            5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

                            SHA512

                            1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Welddizcvtwl.lnk
                            Filesize

                            994B

                            MD5

                            3a1563ad8df90b2afd32d6b35863938c

                            SHA1

                            f3edaeca88db5112b41b0825c5760d927faf630f

                            SHA256

                            e03b32fafc1838b09f528ac427189532178c075360cf66fe9bd25983d8a75661

                            SHA512

                            84af811741ffb27889adee9cd485e0c0b30e5107b772a6a8a0379ebed4cd236314c801ba476554d71e5689715c0952d1955cba67cde47ca3ded3e8a46c950a86

                            Download Submit

                          • memory/3060-0-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3060-2-0x000001F64B3E0000-0x000001F64B3E7000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/3060-5-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-17-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-11-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-23-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-22-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-21-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-20-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-19-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-18-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-44-0x0000000000D50000-0x0000000000D57000-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/3548-14-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-16-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-13-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-12-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-26-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-10-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-9-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-25-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-8-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-7-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-42-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-45-0x00007FFD607C0000-0x00007FFD607D0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3548-33-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-54-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-24-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-15-0x0000000140000000-0x000000014007C000-memory.dmp

                            Filesize

                            496KB

                            Download

                          • memory/3548-6-0x00007FFD5F4BA000-0x00007FFD5F4BB000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3548-3-0x0000000002600000-0x0000000002601000-memory.dmp

                            Filesize

                            4KB

                            Download