Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 22:30

General

  • Target
    5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll
  • Size
    760KB
  • MD5
    ca56da32d9e25b16ffb4724a6993598f
  • SHA1
    0ac254bfcf104f062a5ec6ea37b3d2bde0e5935f
  • SHA256
    5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5
  • SHA512
    da11de8e852ddc9a9c22203fa544e36159ff3c98c7e0454ebd8368f9975c61d69052c1e5bbba175576e65f23e4dd95792e85b1b2a7de9da19d496183e2280927
  • SSDEEP
    6144:vi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTF:qrHGPv5SmptZDmUWuVZkxikdXcq/l

Score
7/10

Signatures

  • Loads dropped DLL (1 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (9 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1340
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    1⤵
    PID:2812
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\7yXTr.cmd
    1⤵
    PID:2560
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"
      2⤵
      PID:3012
  • C:\Windows\system32\logagent.exe
    C:\Windows\system32\logagent.exe
    1⤵
    PID:2580
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    1⤵
    PID:3008
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ZG2R.cmd
    1⤵
    • Drops file in System32 directory
    PID:2304
  • C:\Windows\System32\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\IKOyebX.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /Create /F /TN "Bygyxkyzdvxj" /SC minute /MO 60 /TR "C:\Windows\system32\3087\wbengine.exe" /RL highest
        3⤵
        • Creates scheduled task(s)
        PID:2636

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7yXTr.cmd
    Filesize: 234B
    MD5: 6269cf9d55c096e2e43dd2737f00c11a
    SHA1: 468f035509796131bbd85dbc1e9ad77cdf40fbdd
    SHA256: 6c5069f8adb1b32eb63f9dedfd7a897fb366cf77cf0aa2b1c2cf78187e5179d9
    SHA512: 9ab4bcb40e4f86e83fdc3c0ea72df92357186c178fed204249810538e255cdf0c85405e53e5393696e806db14ea80e5c8b64255e8fd70787834e8a68c4d841e9

  • C:\Users\Admin\AppData\Local\Temp\IKOyebX.cmd
    Filesize: 131B
    MD5: 4c7dcc4d5577f3701b50121677bf01e2
    SHA1: 47793f51cba26400b2be7c07a64d35ab9815b39a
    SHA256: e8d319414dd9222e093a2c9dd74041e2a532a00f35dca609023a40916116f4b3
    SHA512: f3ac672d475e5dba3c3441428a465aee7f2fc31616e6015cfd78f35a4f02b1c3a15cad0f266d24a03105f0e5acfad2b1bc2abd2459f1b17fe963eeaed5901ca0

  • C:\Users\Admin\AppData\Local\Temp\S2685.tmp
    Filesize: 760KB
    MD5: ef0bc0ee7e0b1759979add3129d2d453
    SHA1: 663a116b3c7f37ebddd63027dfe2ba10b22d213d
    SHA256: f826fb05e0bcbaf1a1ca81f510ec885273f22ab1277350c5219f403aa8d0c68a
    SHA512: 79447400d9815b3b011af0af960c511eb8374336f6b339e3f0654b433ed04cdae5fa7b06220037c097a9f89a5ed782ebe79c98a9ca49878dc2fd35d651522d5a

  • C:\Users\Admin\AppData\Local\Temp\V5u251D.tmp
    Filesize: 764KB
    MD5: e1fc2dda8901105681d7986f89043ecb
    SHA1: 0cfbf4dfea70189f1615eea1731dbfd094a37a7c
    SHA256: f8b9b1060d0828e3f7fcec7db02beb0914f4004d4774e02bcc43c095b33f0276
    SHA512: bf3eafabe67f1dc49fbbb9279752003711d2cff7c553dd123fcf53d3836781c8c8e31ee4a0db411cc8a1dffb4cbb12851f8733901aa76f354b35e1b1b24fa52b

  • C:\Users\Admin\AppData\Local\Temp\ZG2R.cmd
    Filesize: 193B
    MD5: 981f04ddae8a5ef54ef6f2d95cc27ed7
    SHA1: b467e660582a5d2721318cfd10bc7d52c1ceced6
    SHA256: 8251ef9c6caea24388dcab8f32a418321fe262de2b93bce1dcafe872f8f7612c
    SHA512: 0494e7beeb34a5954fcbb41d0b91d291625ac612b06b17075959caa7590d455ca14e81c3ca70085ca878dcfd1d22716af0dfc4b8b7489c083b951e83d386fd36

  • C:\Users\Admin\AppData\Roaming\5jl0\BitLockerWizard.exe
    Filesize: 98KB
    MD5: 08a761595ad21d152db2417d6fdb239a
    SHA1: d84c1bc2e8c9afce9fb79916df9bca169f93a936
    SHA256: ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
    SHA512: 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mwyjnbrrs.lnk
    Filesize: 910B
    MD5: ddaeb0c2277f6ec03db48d039e77f75a
    SHA1: d65fa0fa748cccd5ee5d4af9666446864980a5c3
    SHA256: 4772c4f086da5c54b07bf01746504bf2686accec479391b91c048dce09551093
    SHA512: 8a7be64080ad8051195a4df9b145cfa74ebd25762ba88943da71f71bffed53947c2a339e19e47b7490991f75230e3062165860b9001ab9d36506acc1c86102ca

  • memory/1208-21-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-16-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-10-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-11-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-12-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-13-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-32-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-31-0x0000000002530000-0x0000000002537000-memory.dmp (Filesize: 28KB)
  • memory/1208-24-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-23-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-22-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-96-0x0000000077A86000-0x0000000077A87000-memory.dmp (Filesize: 4KB)
  • memory/1208-20-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-19-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-17-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-9-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-15-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-14-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-33-0x0000000077B91000-0x0000000077B92000-memory.dmp (Filesize: 4KB)
  • memory/1208-42-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-48-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-47-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-46-0x0000000077CF0000-0x0000000077CF2000-memory.dmp (Filesize: 8KB)
  • memory/1208-18-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-8-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-7-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1208-3-0x0000000077A86000-0x0000000077A87000-memory.dmp (Filesize: 4KB)
  • memory/1208-4-0x0000000002550000-0x0000000002551000-memory.dmp (Filesize: 4KB)
  • memory/1340-6-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)
  • memory/1340-2-0x0000000000170000-0x0000000000177000-memory.dmp (Filesize: 28KB)
  • memory/1340-0-0x0000000140000000-0x00000001400BE000-memory.dmp (Filesize: 760KB)