Analysis
max time kernel: 149s
max time network: 127s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 22:30
Static task: static1
Behavioral task: behavioral1
  Sample: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll
  Resource: win10v2004-20240508-en
General
Target: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll
Size: 760KB
MD5: ca56da32d9e25b16ffb4724a6993598f
SHA1: 0ac254bfcf104f062a5ec6ea37b3d2bde0e5935f
SHA256: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5
SHA512: da11de8e852ddc9a9c22203fa544e36159ff3c98c7e0454ebd8368f9975c61d69052c1e5bbba175576e65f23e4dd95792e85b1b2a7de9da19d496183e2280927
SSDEEP: 6144:vi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTF:qrHGPv5SmptZDmUWuVZkxikdXcq/l
Malware Config
Signatures
-
Loads dropped DLL (1 IoC)
pid | Process
1208 | Process not Found
-
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "\"C:\\Users\\Admin\\AppData\\Roaming\\5jl0\\BitLockerWizard.exe\"" | Process not Found
-
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\system32\3087\wbengine.exe | cmd.exe
File opened for modification | C:\Windows\system32\3087\wbengine.exe | cmd.exe
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2636 | schtasks.exe
-
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\IKOyebX.cmd" | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command | Process not Found
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1340 | rundll32.exe
1340 | rundll32.exe
1208 | Process not Found (this entry is repeated for all remaining IoCs in the list; 64 in total)
-
Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 1208 wrote to memory of 2812 | 1208 | Process not Found | 28 (3 entries)
PID 1208 wrote to memory of 2560 | 1208 | Process not Found | 29 (3 entries)
PID 1208 wrote to memory of 2608 | 1208 | Process not Found | 31 (3 entries)
PID 2608 wrote to memory of 3012 | 2608 | cmd.exe | 33 (3 entries)
PID 1208 wrote to memory of 2580 | 1208 | Process not Found | 34 (3 entries)
PID 1208 wrote to memory of 3008 | 1208 | Process not Found | 35 (3 entries)
PID 1208 wrote to memory of 2304 | 1208 | Process not Found | 36 (3 entries)
PID 1208 wrote to memory of 2808 | 1208 | Process not Found | 38 (3 entries)
PID 2808 wrote to memory of 2868 | 2808 | eventvwr.exe | 39 (3 entries)
PID 2868 wrote to memory of 2636 | 2868 | cmd.exe | 41 (3 entries)
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 1340)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1
  Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\BitLockerWizard.exe (PID 2812)
  Command line: C:\Windows\system32\BitLockerWizard.exe
- C:\Windows\System32\cmd.exe (PID 2560)
  Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\7yXTr.cmd
- C:\Windows\System32\cmd.exe (PID 2608)
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (PID 3012, child of 2608)
    Command line: schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
- C:\Windows\system32\logagent.exe (PID 2580)
  Command line: C:\Windows\system32\logagent.exe
- C:\Windows\system32\wbengine.exe (PID 3008)
  Command line: C:\Windows\system32\wbengine.exe
- C:\Windows\System32\cmd.exe (PID 2304)
  Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ZG2R.cmd
  Signatures: Drops file in System32 directory
- C:\Windows\System32\eventvwr.exe (PID 2808)
  Command line: "C:\Windows\System32\eventvwr.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2868, child of 2808)
    Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\IKOyebX.cmd
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2636, child of 2868)
      Command line: schtasks.exe /Create /F /TN "Bygyxkyzdvxj" /SC minute /MO 60 /TR "C:\Windows\system32\3087\wbengine.exe" /RL highest
      Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 234B
MD5: 6269cf9d55c096e2e43dd2737f00c11a
SHA1: 468f035509796131bbd85dbc1e9ad77cdf40fbdd
SHA256: 6c5069f8adb1b32eb63f9dedfd7a897fb366cf77cf0aa2b1c2cf78187e5179d9
SHA512: 9ab4bcb40e4f86e83fdc3c0ea72df92357186c178fed204249810538e255cdf0c85405e53e5393696e806db14ea80e5c8b64255e8fd70787834e8a68c4d841e9
-
Filesize: 131B
MD5: 4c7dcc4d5577f3701b50121677bf01e2
SHA1: 47793f51cba26400b2be7c07a64d35ab9815b39a
SHA256: e8d319414dd9222e093a2c9dd74041e2a532a00f35dca609023a40916116f4b3
SHA512: f3ac672d475e5dba3c3441428a465aee7f2fc31616e6015cfd78f35a4f02b1c3a15cad0f266d24a03105f0e5acfad2b1bc2abd2459f1b17fe963eeaed5901ca0
-
Filesize: 760KB
MD5: ef0bc0ee7e0b1759979add3129d2d453
SHA1: 663a116b3c7f37ebddd63027dfe2ba10b22d213d
SHA256: f826fb05e0bcbaf1a1ca81f510ec885273f22ab1277350c5219f403aa8d0c68a
SHA512: 79447400d9815b3b011af0af960c511eb8374336f6b339e3f0654b433ed04cdae5fa7b06220037c097a9f89a5ed782ebe79c98a9ca49878dc2fd35d651522d5a
-
Filesize: 764KB
MD5: e1fc2dda8901105681d7986f89043ecb
SHA1: 0cfbf4dfea70189f1615eea1731dbfd094a37a7c
SHA256: f8b9b1060d0828e3f7fcec7db02beb0914f4004d4774e02bcc43c095b33f0276
SHA512: bf3eafabe67f1dc49fbbb9279752003711d2cff7c553dd123fcf53d3836781c8c8e31ee4a0db411cc8a1dffb4cbb12851f8733901aa76f354b35e1b1b24fa52b
-
Filesize: 193B
MD5: 981f04ddae8a5ef54ef6f2d95cc27ed7
SHA1: b467e660582a5d2721318cfd10bc7d52c1ceced6
SHA256: 8251ef9c6caea24388dcab8f32a418321fe262de2b93bce1dcafe872f8f7612c
SHA512: 0494e7beeb34a5954fcbb41d0b91d291625ac612b06b17075959caa7590d455ca14e81c3ca70085ca878dcfd1d22716af0dfc4b8b7489c083b951e83d386fd36
-
Filesize: 98KB
MD5: 08a761595ad21d152db2417d6fdb239a
SHA1: d84c1bc2e8c9afce9fb79916df9bca169f93a936
SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9
-
Filesize: 910B
MD5: ddaeb0c2277f6ec03db48d039e77f75a
SHA1: d65fa0fa748cccd5ee5d4af9666446864980a5c3
SHA256: 4772c4f086da5c54b07bf01746504bf2686accec479391b91c048dce09551093
SHA512: 8a7be64080ad8051195a4df9b145cfa74ebd25762ba88943da71f71bffed53947c2a339e19e47b7490991f75230e3062165860b9001ab9d36506acc1c86102ca