Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 02/06/2024, 22:30

General

  • Target: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll
  • Size: 760KB
  • MD5: ca56da32d9e25b16ffb4724a6993598f
  • SHA1: 0ac254bfcf104f062a5ec6ea37b3d2bde0e5935f
  • SHA256: 5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5
  • SHA512: da11de8e852ddc9a9c22203fa544e36159ff3c98c7e0454ebd8368f9975c61d69052c1e5bbba175576e65f23e4dd95792e85b1b2a7de9da19d496183e2280927
  • SSDEEP: 6144:vi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTF:qrHGPv5SmptZDmUWuVZkxikdXcq/l

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Modifies registry class (10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (14 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
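The two scheduled-task signatures above describe the mechanism but not how to recognise the task this sample leaves behind. What an analyst usually has on a suspect host is the task's XML definition: every registered task is stored as XML under C:\Windows\System32\Tasks, and `schtasks /Query /XML /TN <name>` prints the same document. The task in this report runs "C:\Windows\system32\6000\cmstp.exe" with /RL highest every 60 minutes; Windows installs cmstp.exe directly under System32, not in a numbered subfolder, and the dropped dpapimig.exe under AppData\Roaming\OBVb3\ shows the same pattern of a System32 binary copied to a non-standard directory. The following is an added example, not code from the report or from the sandbox vendor, that parses task XML and flags those three properties: a relocated System32 binary as the action, RunLevel HighestAvailable, and a short repetition interval. The two XML documents are constructed approximations of what `schtasks /Create` writes (the benign control is not in the report), and the RELOCATABLE watch list and the 60-minute threshold are assumptions.

```python
r"""Triage of exported Task Scheduler XML (added example, not from the report).

Each registered task is stored as XML under C:\Windows\System32\Tasks and
`schtasks /Query /XML /TN <name>` prints the same document. The two documents
below are CONSTRUCTED approximations of what `schtasks /Create` writes; the
first mirrors the task this sample registered, the second is a benign control
that is not in the report.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed watch list: System32 binaries that are often copied elsewhere so a
# trusted name runs from an attacker-controlled directory. cmstp.exe and
# dpapimig.exe are the two this report shows at non-standard paths.
RELOCATABLE = {"cmstp.exe", "dpapimig.exe", "rundll32.exe", "regsvr32.exe",
               "mshta.exe", "msiexec.exe", "wscript.exe", "cscript.exe"}
CANONICAL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed: roughly what `schtasks /Create /F /TN "Fzlrtmppumx" /SC minute
# /MO 60 /TR "C:\Windows\system32\6000\cmstp.exe" /RL highest` registers.
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT60M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-06-02T22:30:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\system32\6000\cmstp.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed benign control: daily cleanup, least privilege, canonical path.
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-06-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec>
  </Actions>
</Task>
"""


def normalize(command):
    """Strip quotes, expand %SystemRoot%/%windir%, lower-case for comparison."""
    c = command.strip().strip('"')
    c = re.sub(r"%(systemroot|windir)%", r"C:\\Windows", c, flags=re.IGNORECASE)
    return c.lower()


def interval_minutes(iso):
    """Minutes in a PTnHnMnS duration; None for anything else (e.g. P1D)."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60


def parse_task(doc):
    """Pull run level, action commands and repetition intervals out of task XML."""
    if isinstance(doc, str):
        # On disk these files are UTF-16 with a matching declaration; expat
        # rejects an already-decoded str that still claims UTF-16, so drop it.
        doc = re.sub(r"^\s*<\?xml[^>]*\?>", "", doc)
    root = ET.fromstring(doc)
    return {
        "run_level": (root.findtext("t:Principals/t:Principal/t:RunLevel",
                                    default="", namespaces=NS) or "").strip(),
        "commands": [normalize(e.text or "")
                     for e in root.findall("t:Actions/t:Exec/t:Command", NS)],
        "intervals": [interval_minutes((e.text or "").strip())
                      for e in root.findall(".//t:Repetition/t:Interval", NS)],
    }


def assess_task(doc):
    """Return human-readable findings; an empty list means nothing stood out."""
    info = parse_task(doc)
    findings = []
    for cmd in info["commands"]:
        directory, _, name = cmd.rpartition("\\")
        if name in RELOCATABLE and directory not in CANONICAL_DIRS:
            findings.append(f"relocated system binary: {name} run from {directory or '<no directory>'}")
    if info["run_level"].lower() == "highestavailable":
        findings.append("runs with RunLevel HighestAvailable")
    for mins in info["intervals"]:
        if mins is not None and mins <= 60:  # assumed threshold for "beaconing-style" repeats
            findings.append(f"repeats every {mins:g} minutes")
    return findings


if __name__ == "__main__":
    for label, doc in (("Fzlrtmppumx", SUSPICIOUS_TASK), ("control", BENIGN_TASK)):
        print(label, assess_task(doc) or ["no findings"])
```

On a live host, feed `assess_task` the bytes of each file under C:\Windows\System32\Tasks (pass bytes rather than decoded text so expat honours the UTF-16 declaration). The relocated-binary check is the one that survives renaming: the task name "Fzlrtmppumx" and the folder "6000" are random per infection, but a cmstp.exe or dpapimig.exe that is not in System32 or SysWOW64 is not something Windows sets up.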

Processes

  • C:\Windows\system32\rundll32.exe (PID 4688, depth 1)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1
    Signatures: Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\provtool.exe (PID 4832, depth 1)
    C:\Windows\system32\provtool.exe
  • C:\Windows\system32\notepad.exe (PID 5064, depth 1)
    C:\Windows\system32\notepad.exe
  • C:\Windows\system32\svchost.exe (PID 5056, depth 1)
    C:\Windows\system32\svchost.exe
  • C:\Windows\system32\wsmprovhost.exe (PID 876, depth 1)
    C:\Windows\system32\wsmprovhost.exe
  • C:\Windows\system32\LanguageComponentsInstallerComHandler.exe (PID 3004, depth 1)
    C:\Windows\system32\LanguageComponentsInstallerComHandler.exe
  • C:\Windows\system32\dllhost.exe (PID 2640, depth 1)
    C:\Windows\system32\dllhost.exe
  • C:\Windows\system32\dpapimig.exe (PID 4608, depth 1)
    C:\Windows\system32\dpapimig.exe
  • C:\Windows\System32\cmd.exe (PID 4084, depth 1)
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\UXihNCQ.cmd
  • C:\Windows\System32\cmd.exe (PID 4684, depth 1)
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"
    Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\schtasks.exe (PID 2840, depth 2)
        schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"
  • C:\Windows\system32\cmstp.exe (PID 2892, depth 1)
    C:\Windows\system32\cmstp.exe
  • C:\Windows\System32\cmd.exe (PID 3844, depth 1)
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Nj38.cmd
    Signatures: Drops file in System32 directory
  • C:\Windows\System32\fodhelper.exe (PID 4164, depth 1)
    "C:\Windows\System32\fodhelper.exe"
    Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\cmd.exe (PID 2868, depth 2)
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\59KmpNH.cmd
        Signatures: Suspicious use of WriteProcessMemory
          • C:\Windows\system32\schtasks.exe (PID 3696, depth 3)
            schtasks.exe /Create /F /TN "Fzlrtmppumx" /SC minute /MO 60 /TR "C:\Windows\system32\6000\cmstp.exe" /RL highest
            Signatures: Creates scheduled task(s)
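The branch of the tree worth alerting on is fodhelper.exe (PID 4164) spawning cmd.exe, which runs a script from %TEMP% and then registers the task with /RL highest. fodhelper.exe is an auto-elevating Windows binary that does not launch a shell in normal use; a cmd.exe child of it is consistent with a hijacked ms-settings protocol handler under HKCU\Software\Classes, which the "Modifies registry class" signature would also cover, although the report does not show the registry values and this reading is the editor's inference. Note too that the memory dumps under Downloads show the same 760KB image at 0x140000000 in PID 3388, a process that does not appear in this tree, so process-creation telemetry alone will not account for every host this sample touches. The example below is added here and is not code from the report or from the sandbox vendor: a lineage-based detector over Sysmon-style process-creation events that reproduces the relevant branches of the tree as constructed input. Parent PIDs of the top-level processes are not given by the report and are set to 0; the last two events are a benign control; the AUTO_ELEVATE watch list and the rule names are assumptions.

```python
"""Lineage-based detection over process-creation events (added example, not
code from the report).

EVENTS is a CONSTRUCTED, Sysmon-like rendering of the relevant branches of the
process tree in this report: (pid, parent pid, image, command line). The
report does not name the parents of its top-level processes, so they get
parent 0 here; the last two events are a benign control that is not in it.
"""
import ntpath
import re

# Assumed watch list: auto-elevating Windows binaries that do not spawn a
# shell in normal use. fodhelper.exe is the one this report shows doing so.
AUTO_ELEVATE = {"fodhelper.exe", "computerdefaults.exe", "sdclt.exe", "eventvwr.exe"}

# cmd.exe /c <script> where the script sits in the user's %TEMP%.
TEMP_SCRIPT = re.compile(
    r'/c\s+"?[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\s"]+\.(?:cmd|bat)\b',
    re.IGNORECASE)

EVENTS = [
    (4688, 0, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc3f4aa61f9ed8c5b78fef21d8cfee13dafc584e2320bb9da58e73da09029d5.dll,#1"),
    (4084, 0, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\UXihNCQ.cmd'),
    (4684, 0, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"'),
    (2840, 4684, r"C:\Windows\system32\schtasks.exe",
     r'schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{8134eb3e-5b1e-a619-3025-e7d0bcaff737}"'),
    (3844, 0, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Nj38.cmd'),
    (4164, 0, r"C:\Windows\System32\fodhelper.exe", r'"C:\Windows\System32\fodhelper.exe"'),
    (2868, 4164, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\59KmpNH.cmd'),
    (3696, 2868, r"C:\Windows\system32\schtasks.exe",
     r'schtasks.exe /Create /F /TN "Fzlrtmppumx" /SC minute /MO 60 /TR "C:\Windows\system32\6000\cmstp.exe" /RL highest'),
    # Constructed benign control, not in the report.
    (5001, 0, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN "NightlyBackup" /SC daily /ST 02:00 /TR "C:\Tools\backup.exe"'),
    (5002, 5001, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /TN "NightlyBackup" /SC daily /ST 02:00 /TR "C:\Tools\backup.exe"'),
]


def _base(path):
    return ntpath.basename(path.strip().strip('"')).lower()


def index_events(events):
    return {pid: {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}
            for pid, ppid, image, cmdline in events}


def lineage(by_pid, pid):
    """Image names from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return one dict per rule hit: rule, pid, image, lineage chain, reason."""
    by_pid = index_events(events)
    hits = []

    def record(ev, rule, why):
        hits.append({"rule": rule, "pid": ev["pid"], "image": _base(ev["image"]),
                     "chain": lineage(by_pid, ev["pid"]), "why": why})

    for ev in by_pid.values():
        name, cmd = _base(ev["image"]), ev["cmdline"]
        parent = by_pid.get(ev["ppid"])
        if parent and _base(parent["image"]) in AUTO_ELEVATE:
            record(ev, "auto-elevate-child",
                   f"{_base(parent['image'])} spawned {name}; an auto-elevating binary "
                   "launching a child is the usual sign of a hijacked protocol handler")
        if name == "cmd.exe" and TEMP_SCRIPT.search(cmd):
            record(ev, "temp-script", "cmd.exe runs a .cmd/.bat dropped in %TEMP%")
        if name == "schtasks.exe":
            low = cmd.lower()
            if "/create" in low and re.search(r"/rl\s+highest", low):
                via = [a for a in lineage(by_pid, ev["pid"]) if a in AUTO_ELEVATE]
                why = "task registered with /RL highest"
                record(ev, "elevated-task-create",
                       why + (" from under " + ", ".join(via) if via else ""))
            if "/delete" in low:
                record(ev, "task-delete", "existing scheduled task removed")
    return hits


def summarize(events):
    """pid -> sorted rule names; a compact triage view."""
    out = {}
    for h in detect(events):
        out.setdefault(h["pid"], set()).add(h["rule"])
    return {pid: sorted(rules) for pid, rules in out.items()}


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"[{h['rule']}] pid {h['pid']} ({' > '.join(h['chain'])}): {h['why']}")
```

Against real telemetry, map Sysmon event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine) onto the tuples and keep the dictionary across the whole time window, since the parent of a schtasks.exe may have been logged minutes earlier. The "task-delete" rule is low severity on its own; it earns attention here only because it sits next to the elevated create and the %TEMP% scripts.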

Network

MITRE ATT&CK Enterprise v15
Downloads

Dropped files

  • C:\Users\Admin\AppData\Local\Temp\1q26EF7.tmp
    Filesize: 764KB
    MD5: 17f26fe1d14c890a18ca6733264de27a
    SHA1: b5e193999c6592b043e203cb65934ac8844edc1b
    SHA256: f9688590bdab82d6cd36a3150b63ef267687291392e3a38c666334d2635c64d9
    SHA512: 353d2530e5ba49a64877c99d925adadab8327f1d6d6310d910fb8f36e793d2d2899dd037e8affdccc0c7dff6628138e1d40ca12034eac40958d520a96622fb42
  • C:\Users\Admin\AppData\Local\Temp\59KmpNH.cmd
    Filesize: 127B
    MD5: 09ef23093bfde9c4626cdeb218aad241
    SHA1: 4fab0a228fa314a21df3891d22d7ba7d3556e71b
    SHA256: cbd8d9b64f2ea208570b6405e5a24bf5bd28d5bb5ce5c92e9da559b39fcaac3f
    SHA512: 179a61c8a691ad4d05b2b50151b6dfe7b95e7f0f00dfe77af4f32bf71b91ed2b356f215bae2b57835fd2dd1cbd40726d3978ca59207e95b8833bfb0f0cb2bb8b
  • C:\Users\Admin\AppData\Local\Temp\Nj38.cmd
    Filesize: 192B
    MD5: cbf5f3d4e9db331746bc15643b92d8b3
    SHA1: 700670893ae5f5f4a8158576d0e74a52d2da52de
    SHA256: 133953265f7c12fdc9c3ab8b02505134e261de7f4add647afe3b59dc87473b34
    SHA512: 2539fe8d44d19002223619e6531170647534ce4d03f96562352d3f24cc79062a351a6847c8c7589efbc16d2c938ca7395937b3db71f2a5566b931eba55adc919
  • C:\Users\Admin\AppData\Local\Temp\UXihNCQ.cmd
    Filesize: 232B
    MD5: 5b262cd5693605c516f2ed6dfc40876e
    SHA1: 1caf283be70ab1956cc218a1880442962f07bb7e
    SHA256: 89fb6e49e57e6d44e56ca84ca2059059a995a1d36ffb3fa7f6ba6173cbfa9c4b
    SHA512: 2e898d1c856f737acaf4bb04ff3d7799cf748860780b15c63d36014314682a6f43dbab442bec24774c10df00fb7a5b1a3742c12f2c8393b86adc49b34035a39b
  • C:\Users\Admin\AppData\Local\Temp\Unv6E3B.tmp
    Filesize: 764KB
    MD5: 897bf351a9881769449c28173edbae04
    SHA1: 3a37f016cd9be27ebc234654fcdbf49eb1785fb1
    SHA256: 5a14233ba3900089e955fb61989ce6fca75e1403f85b19ae6f746d762196c303
    SHA512: 0d04809c07bb575994b133aec9731a1508f45e622169a832c73ea7b537c75bb0e912a3054582a53bd68500137d5cd742a4423a6de3b1ffa35ff38c45e1d2aff9
  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hkwligutpbxhkv.lnk
    Filesize: 908B
    MD5: 2ed8ba3b5e467ae8c479af62137a4555
    SHA1: 3c3ea8e2e1adde1e004e48294464304f62457edd
    SHA256: 5871a8c74805f005d66990075362e08bcaf2ec4a5b7c38106e898634df74074a
    SHA512: 257ae6ae0b722c88cfde4da001840c7e1c5e4561ad6852440bb0c23a9d057ada70ff43fd8a2ef41bb2c08ad8615fbe2929aa1b4f2f75f93ec262c65badaee4fd
  • C:\Users\Admin\AppData\Roaming\OBVb3\dpapimig.exe
    Filesize: 76KB
    MD5: b6d6477a0c90a81624c6a8548026b4d0
    SHA1: e6eac6941d27f76bbd306c2938c0a962dbf1ced1
    SHA256: a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb
    SHA512: 72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Memory dumps

  • memory/3388-3-0x00000000023D0000-0x00000000023D1000-memory.dmp (4KB)
  • memory/3388-6-0x00007FFA14D2A000-0x00007FFA14D2B000-memory.dmp (4KB)
  • memory/3388-7-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-8-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-9-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-10-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-11-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-12-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-13-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-14-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-15-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-16-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-17-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-18-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-19-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-20-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-21-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-22-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-23-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-24-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-31-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-40-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/3388-42-0x0000000000550000-0x0000000000557000-memory.dmp (28KB)
  • memory/3388-43-0x00007FFA16BC0000-0x00007FFA16BD0000-memory.dmp (64KB)
  • memory/3388-52-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/4688-0-0x000001CE11660000-0x000001CE11667000-memory.dmp (28KB)
  • memory/4688-1-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)
  • memory/4688-5-0x0000000140000000-0x00000001400BE000-memory.dmp (760KB)