6210798e6ca0e95300f15c7c12320f40906e2d27a76bc5f566d2023e4d96c3de

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6210798e6ca0e95300f15c7c12320f40906e2d27a76bc5f566d2023e4d96c3de.dll
Size

1.1MB
MD5

272c86de56ce13b606e24559924cd686
SHA1

74adcabba5d9e796bbd76cf5d986a75f644ce8fc
SHA256

6210798e6ca0e95300f15c7c12320f40906e2d27a76bc5f566d2023e4d96c3de
SHA512

5a75586c7a22ac1ea249615c9305c90128777ff08e9b2a626da253d946763558ca203a69ed89bb2f69ad50a1aef7206a878f0685d92063213a32348994ad548c
SSDEEP

6144:Mi05kH9OyU2uv5SRf/FWgFgtdgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTV:nrHGPv5SmpteDmUWuVZkxikdXcqNr

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "\"C:\\Users\\Admin\\AppData\\Roaming\\9cpY8k\\mblctr.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\8034\dxgiadaptercache.exe	cmd.exe
File created	C:\Windows\system32\8034\dxgiadaptercache.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1608	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\BjC.cmd"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4436	rundll32.exe
4436	rundll32.exe
4436	rundll32.exe
4436	rundll32.exe
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found
Token: SeShutdownPrivilege	3424	Process not Found
Token: SeCreatePagefilePrivilege	3424	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3424	Process not Found

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 3328	3424	Process not Found	87
PID 3424 wrote to memory of 3328	3424	Process not Found	87
PID 3424 wrote to memory of 4088	3424	Process not Found	88
PID 3424 wrote to memory of 4088	3424	Process not Found	88
PID 3424 wrote to memory of 3480	3424	Process not Found	89
PID 3424 wrote to memory of 3480	3424	Process not Found	89
PID 3424 wrote to memory of 5016	3424	Process not Found	90
PID 3424 wrote to memory of 5016	3424	Process not Found	90
PID 3424 wrote to memory of 2820	3424	Process not Found	91
PID 3424 wrote to memory of 2820	3424	Process not Found	91
PID 3424 wrote to memory of 3476	3424	Process not Found	92
PID 3424 wrote to memory of 3476	3424	Process not Found	92
PID 3424 wrote to memory of 3580	3424	Process not Found	93
PID 3424 wrote to memory of 3580	3424	Process not Found	93
PID 3424 wrote to memory of 2956	3424	Process not Found	94
PID 3424 wrote to memory of 2956	3424	Process not Found	94
PID 3424 wrote to memory of 4920	3424	Process not Found	95
PID 3424 wrote to memory of 4920	3424	Process not Found	95
PID 3424 wrote to memory of 2080	3424	Process not Found	97
PID 3424 wrote to memory of 2080	3424	Process not Found	97
PID 2080 wrote to memory of 400	2080	cmd.exe	99
PID 2080 wrote to memory of 400	2080	cmd.exe	99
PID 3424 wrote to memory of 2032	3424	Process not Found	100
PID 3424 wrote to memory of 2032	3424	Process not Found	100
PID 3424 wrote to memory of 3356	3424	Process not Found	101
PID 3424 wrote to memory of 3356	3424	Process not Found	101
PID 3424 wrote to memory of 3284	3424	Process not Found	102
PID 3424 wrote to memory of 3284	3424	Process not Found	102
PID 3424 wrote to memory of 2528	3424	Process not Found	104
PID 3424 wrote to memory of 2528	3424	Process not Found	104
PID 2528 wrote to memory of 2388	2528	fodhelper.exe	105
PID 2528 wrote to memory of 2388	2528	fodhelper.exe	105
PID 2388 wrote to memory of 1608	2388	cmd.exe	107
PID 2388 wrote to memory of 1608	2388	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6210798e6ca0e95300f15c7c12320f40906e2d27a76bc5f566d2023e4d96c3de.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Windows\system32\newdev.exe
C:\Windows\system32\newdev.exe
1⤵
PID:3328

C:\Windows\system32\grpconv.exe
C:\Windows\system32\grpconv.exe
1⤵
PID:4088

C:\Windows\system32\bootim.exe
C:\Windows\system32\bootim.exe
1⤵
PID:3480

C:\Windows\system32\cleanmgr.exe
C:\Windows\system32\cleanmgr.exe
1⤵
PID:5016

C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
1⤵
PID:2820

C:\Windows\system32\TSTheme.exe
C:\Windows\system32\TSTheme.exe
1⤵
PID:3476

C:\Windows\system32\winver.exe
C:\Windows\system32\winver.exe
1⤵
PID:3580

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:2956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\XSA0D.cmd
1⤵
PID:4920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{35f320fa-3d67-9dff-e346-2c697e2fb343}"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{35f320fa-3d67-9dff-e346-2c697e2fb343}"
  2⤵
  PID:400

C:\Windows\system32\cleanmgr.exe
C:\Windows\system32\cleanmgr.exe
1⤵
PID:2032

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:3356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\k48CHg5.cmd
1⤵
- Drops file in System32 directory
PID:3284

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\BjC.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Jactb" /SC minute /MO 60 /TR "C:\Windows\system32\8034\dxgiadaptercache.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BjC.cmd

Filesize
132B

MD5
ab4d6bcc4cf578096c0ecdc380a5d43d

SHA1
efa9415adb3467efc3c17d7d90cc1d8a02af066a

SHA256
ea0d2ee9f1f6e0eb220aa4cebe7202870f4bb7d8a290489acb780be77b44f0f2

SHA512
f732d7a0a105303732c9fb45d7c6b4d1ebb41b2dcd33c8ccb2eb3f0d85637e70eeea3af5ee8c85b32b982e379dd73053d5e0c8c72d625f584f1afc76fd2a176e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XSA0D.cmd

Filesize
232B

MD5
890c913631fbaeb1ee809f90de1b0591

SHA1
4129ebbad916cca5f203acb8fc2a53103c7ff181

SHA256
7362f16cbe16df7d9d2e2afe44bd5ab8a8a32af0296887674c955ebadf1060d8

SHA512
8b52d35230b15699679e89a67361f7d37e1b7bfe8093eab2b92f32ee6747ce1867675efd6b09d49bf10b2e98f036de32d08db5948b29439d962a07a30da5f9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\k48CHg5.cmd

Filesize
200B

MD5
fa5f1c8ad0dcde78ebea2751aca8a8a4

SHA1
f8f34de5b2efbba8342ff2693c4f9b88b563784e

SHA256
11eded72a5080abd12f3a595c613a790ca2cedbdbe9a83e917d5de73e8a6a6e1

SHA512
5a7336a8d718341fa5c842e3527a8cb180084c2d885c68bb9e543ab3f3cb6b7d622a52d50ae065f84f5e7785fbde68ba922e98bee8a3e152ff8addd787cf5a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVe6216.tmp

Filesize
1.1MB

MD5
9bacdcb7768ba0b13843d9d726a9456d

SHA1
59687089d92d860d9bf17abf1c0f2590bba3917e

SHA256
86b248bde22fba6851e543375d8e71d23dd0c6bba5dc76c2bbf04ac4e495e813

SHA512
5834543542385ec178d03549bb299f19ae003effb364402a87b5e5e8b83b23939342318eebbdf14b3ab10c64be332ce85507594038e89bb0aaba3df04a581a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSO613A.tmp

Filesize
1.1MB

MD5
e48f607cc94154148d2046c34aa28821

SHA1
cc17ae79c6bdc1b847caf9ae6820687289c7eeb7

SHA256
31d883ee2b4e09d16cb65ce02ef09e836a1bae4e666717383e3995e2ef9855e1

SHA512
9fe768b1ae7fdf3aaeb1808aedcb49786d9eed14cd38cab41a750ed74945915faf3d6c698c8905109e4634a0e59dedf353ae0d6bc2f364924df728d095fa6aaa

Download Submit
C:\Users\Admin\AppData\Roaming\9cpY8k\mblctr.exe

Filesize
790KB

MD5
d3db14eabb2679e08020bcd0c96fa9f6

SHA1
578dca7aad29409634064579d269e61e1f07d9dd

SHA256
3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

SHA512
14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eeaxmqtu.lnk

Filesize
904B

MD5
00b4d8d0b18abf685b98c876844202d0

SHA1
8f8ef570dc39848447eaedfc14d8bcffff794833

SHA256
74379a653a0db02e00624bc323eb48c45077e79f4eb7d45845ff93a13c704ede

SHA512
0598fb8ee426bb790d09d69ccbd506888d5f2ce30fa104e8eac310d835043feb80bfdef0b8ec692fd2c3b5617bb73523a41b6d6c384b2803242875ae83fa80ee

Download Submit
memory/3424-26-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-22-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-46-0x00007FFD9A580000-0x00007FFD9A590000-memory.dmp

Filesize
64KB

Download
memory/3424-20-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-19-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-13-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-55-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-6-0x00007FFD9908A000-0x00007FFD9908B000-memory.dmp

Filesize
4KB

Download
memory/3424-3-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/3424-44-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-27-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-17-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-25-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-24-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-23-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-45-0x0000000000830000-0x0000000000837000-memory.dmp

Filesize
28KB

Download
memory/3424-21-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-18-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-16-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-15-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-14-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-34-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-12-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-11-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-10-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-9-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-8-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/3424-7-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/4436-0-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/4436-5-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/4436-2-0x0000022303F80000-0x0000022303F87000-memory.dmp

Filesize
28KB

Download