Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 02/06/2024, 22:30
Static task: static1
Behavioral task: behavioral1
    Sample: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll
    Resource: win7-20240419-en
Behavioral task: behavioral2
    Sample: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll
    Resource: win10v2004-20240508-en
General
Target: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll
Size: 760KB
MD5: ca56da32d9e25b16ffb4724a6993598f
SHA1: 0ac254bfcf104f062a5ec6ea37b3d2bde0e5935f
SHA256: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5
SHA512: da11de8e852ddc9a9c22203fa544e36159ff3c98c7e0454ebd8368f9975c61d69052c1e5bbba175576e65f23e4dd95792e85b1b2a7de9da19d496183e2280927
SSDEEP: 6144:vi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTF:qrHGPv5SmptZDmUWuVZkxikdXcq/l
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "\"C:\\Users\\Admin\\AppData\\Roaming\\OBVb3\\dpapimig.exe\"" | Process not Found
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\system32\6000\cmstp.exe | cmd.exe
File opened for modification | C:\Windows\system32\6000\cmstp.exe | cmd.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3696 | schtasks.exe
Modifies registry class (10 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\59KmpNH.cmd" | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell\open\command\DelegateExecute | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings\shell | Process not Found
Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\ms-settings | Process not Found
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4688 | rundll32.exe (4 entries)
3388 | Process not Found (remaining 60 entries)
Suspicious use of AdjustPrivilegeToken (14 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3388 | Process not Found (7 entries)
Token: SeCreatePagefilePrivilege | 3388 | Process not Found (7 entries)
Suspicious use of WriteProcessMemory (30 IoCs; each row is recorded twice in the report)
description | pid | Process | procid_target
PID 3388 wrote to memory of 4832 | 3388 | Process not Found | 84
PID 3388 wrote to memory of 5064 | 3388 | Process not Found | 85
PID 3388 wrote to memory of 5056 | 3388 | Process not Found | 86
PID 3388 wrote to memory of 876 | 3388 | Process not Found | 87
PID 3388 wrote to memory of 3004 | 3388 | Process not Found | 88
PID 3388 wrote to memory of 2640 | 3388 | Process not Found | 89
PID 3388 wrote to memory of 4608 | 3388 | Process not Found | 90
PID 3388 wrote to memory of 4084 | 3388 | Process not Found | 91
PID 3388 wrote to memory of 4684 | 3388 | Process not Found | 93
PID 4684 wrote to memory of 2840 | 4684 | cmd.exe | 95
PID 3388 wrote to memory of 2892 | 3388 | Process not Found | 96
PID 3388 wrote to memory of 3844 | 3388 | Process not Found | 97
PID 3388 wrote to memory of 4164 | 3388 | Process not Found | 99
PID 4164 wrote to memory of 2868 | 4164 | fodhelper.exe | 100
PID 2868 wrote to memory of 3696 | 2868 | cmd.exe | 102
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented under their parent)

C:\Windows\system32\rundll32.exe (PID 4688)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1
    Signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\provtool.exe (PID 4832)
    Command line: C:\Windows\system32\provtool.exe

C:\Windows\system32\notepad.exe (PID 5064)
    Command line: C:\Windows\system32\notepad.exe

C:\Windows\system32\svchost.exe (PID 5056)
    Command line: C:\Windows\system32\svchost.exe

C:\Windows\system32\wsmprovhost.exe (PID 876)
    Command line: C:\Windows\system32\wsmprovhost.exe

C:\Windows\system32\LanguageComponentsInstallerComHandler.exe (PID 3004)
    Command line: C:\Windows\system32\LanguageComponentsInstallerComHandler.exe

C:\Windows\system32\dllhost.exe (PID 2640)
    Command line: C:\Windows\system32\dllhost.exe

C:\Windows\system32\dpapimig.exe (PID 4608)
    Command line: C:\Windows\system32\dpapimig.exe

C:\Windows\System32\cmd.exe (PID 4084)
    Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\UXihNCQ.cmd

C:\Windows\System32\cmd.exe (PID 4684)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"
    Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe (PID 2840)
            Command line: schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"

C:\Windows\system32\cmstp.exe (PID 2892)
    Command line: C:\Windows\system32\cmstp.exe

C:\Windows\System32\cmd.exe (PID 3844)
    Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Nj38.cmd
    Signatures: Drops file in System32 directory

C:\Windows\System32\fodhelper.exe (PID 4164)
    Command line: "C:\Windows\System32\fodhelper.exe"
    Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (PID 2868)
            Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\59KmpNH.cmd
            Signatures: Suspicious use of WriteProcessMemory
                C:\Windows\system32\schtasks.exe (PID 3696)
                    Command line: schtasks.exe /Create /F /TN "Fzlrtmppumx" /SC minute /MO 60 /TR "C:\Windows\system32\6000\cmstp.exe" /RL highest
                    Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 764KB
MD5: 17f26fe1d14c890a18ca6733264de27a
SHA1: b5e193999c6592b043e203cb65934ac8844edc1b
SHA256: f9688590bdab82d6cd36a3150b63ef267687291392e3a38c666334d2635c64d9
SHA512: 353d2530e5ba49a64877c99d925adadab8327f1d6d6310d910fb8f36e793d2d2899dd037e8affdccc0c7dff6628138e1d40ca12034eac40958d520a96622fb42

Filesize: 127B
MD5: 09ef23093bfde9c4626cdeb218aad241
SHA1: 4fab0a228fa314a21df3891d22d7ba7d3556e71b
SHA256: cbd8d9b64f2ea208570b6405e5a24bf5bd28d5bb5ce5c92e9da559b39fcaac3f
SHA512: 179a61c8a691ad4d05b2b50151b6dfe7b95e7f0f00dfe77af4f32bf71b91ed2b356f215bae2b57835fd2dd1cbd40726d3978ca59207e95b8833bfb0f0cb2bb8b

Filesize: 192B
MD5: cbf5f3d4e9db331746bc15643b92d8b3
SHA1: 700670893ae5f5f4a8158576d0e74a52d2da52de
SHA256: 133953265f7c12fdc9c3ab8b02505134e261de7f4add647afe3b59dc87473b34
SHA512: 2539fe8d44d19002223619e6531170647534ce4d03f96562352d3f24cc79062a351a6847c8c7589efbc16d2c938ca7395937b3db71f2a5566b931eba55adc919

Filesize: 232B
MD5: 5b262cd5693605c516f2ed6dfc40876e
SHA1: 1caf283be70ab1956cc218a1880442962f07bb7e
SHA256: 89fb6e49e57e6d44e56ca84ca2059059a995a1d36ffb3fa7f6ba6173cbfa9c4b
SHA512: 2e898d1c856f737acaf4bb04ff3d7799cf748860780b15c63d36014314682a6f43dbab442bec24774c10df00fb7a5b1a3742c12f2c8393b86adc49b34035a39b

Filesize: 764KB
MD5: 897bf351a9881769449c28173edbae04
SHA1: 3a37f016cd9be27ebc234654fcdbf49eb1785fb1
SHA256: 5a14233ba3900089e955fb61989ce6fca75e1403f85b19ae6f746d762196c303
SHA512: 0d04809c07bb575994b133aec9731a1508f45e622169a832c73ea7b537c75bb0e912a3054582a53bd68500137d5cd742a4423a6de3b1ffa35ff38c45e1d2aff9

Filesize: 908B
MD5: 2ed8ba3b5e467ae8c479af62137a4555
SHA1: 3c3ea8e2e1adde1e004e48294464304f62457edd
SHA256: 5871a8c74805f005d66990075362e08bcaf2ec4a5b7c38106e898634df74074a
SHA512: 257ae6ae0b722c88cfde4da001840c7e1c5e4561ad6852440bb0c23a9d057ada70ff43fd8a2ef41bb2c08ad8615fbe2929aa1b4f2f75f93ec262c65badaee4fd

Filesize: 76KB
MD5: b6d6477a0c90a81624c6a8548026b4d0
SHA1: e6eac6941d27f76bbd306c2938c0a962dbf1ced1
SHA256: a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb
SHA512: 72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe