Overview

overview

7

Static

static

3

235af3de0a...80.dll

windows7-x64

7

235af3de0a...80.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2024 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    235af3de0ac763c04428d827b5ee59e3f733951050137af6d6b6bba90d338c80.dll

  • Size

    568KB

  • MD5

    3d366c8734bf744294f50fe9aac17b1b

  • SHA1

    e3765ed57be72a40a29d881ace7aaa18a0211b16

  • SHA256

    235af3de0ac763c04428d827b5ee59e3f733951050137af6d6b6bba90d338c80

  • SHA512

    81903034b3e88613d26807122d52f6a7614ae475ed5310a47d4fc23319adc9311dbd3b649d23b168e35e28f4d7277896beac6b53f8d7337490cb02ae77538b94

  • SSDEEP

    6144:ei05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:xrHGPv5Smpt6DmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\235af3de0ac763c04428d827b5ee59e3f733951050137af6d6b6bba90d338c80.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4028
  • C:\Windows\system32\RemotePosWorker.exe
    C:\Windows\system32\RemotePosWorker.exe
    1⤵
      PID:3364
    • C:\Windows\system32\dmcertinst.exe
      C:\Windows\system32\dmcertinst.exe
      1⤵
        PID:5024
      • C:\Windows\system32\raserver.exe
        C:\Windows\system32\raserver.exe
        1⤵
          PID:1812
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\mKBMH7.cmd
          1⤵
            PID:392
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:4980
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
              2⤵
                PID:4156
            • C:\Windows\system32\RdpSaUacHelper.exe
              C:\Windows\system32\RdpSaUacHelper.exe
              1⤵
                PID:4352
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\5V1wMd.cmd
                1⤵
                • Drops file in System32 directory
                PID:1044
              • C:\Windows\System32\fodhelper.exe
                "C:\Windows\System32\fodhelper.exe"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:2580
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\LLS.cmd
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3044
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Create /F /TN "Fdxhngjjnp" /SC minute /MO 60 /TR "C:\Windows\system32\5142\RdpSaUacHelper.exe" /RL highest
                    3⤵
                    • Creates scheduled task(s)
                    PID:2184

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\5V1wMd.cmd
                Filesize

                199B

                MD5

                5110bea88eccef23c3c3ce0d99fe36ba

                SHA1

                1b81b14123db349a6e59432c85dfb5b0320c8a8a

                SHA256

                4d8b68e1539a5bff3eaddd2aeb982182c5836279f4d3920aa84039605d71a785

                SHA512

                b87d851089eb7c343c0093b8c21add5096ffa7958f34af2e72ec9d16d0521a9dd3378f554cdb1c079be4bf7aa3813f9b916dd2dc7e4ab6802fe885793bdc2422

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\LLS.cmd
                Filesize

                135B

                MD5

                1d871ee95ea6cd07f6109e2dd6e198ca

                SHA1

                e107ecc62dc1da6047fdbc08d4229bd1571d2838

                SHA256

                09626bbce68f8f4a331f75433ea93f635d02b3e891b0b5f37004f1dc6e1da58c

                SHA512

                e49e1a638261670dd38a73b99c00a748acd21f5aa4baed7700dae0493b0f773c1c57732f51d9955599f484597fe486432ad2ab9fe6c4a789af358fafce59bdb4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\U5F18.tmp
                Filesize

                572KB

                MD5

                c292780c80942ac5e635c5ec235bcf7c

                SHA1

                6590f5688f0b2fd4b43a783507cbd180e4e9d7ee

                SHA256

                8c70a933adc53bd9281abcbcf6e882c7f95c9459f90260f9c366286c697f6a6e

                SHA512

                465c486cf403d52eacc225bd69535b557c724500f96870f6e23432dd53b42bcb30b9f576baf54c0e88319259b9c2e185914382c2fdb0f27d9dcbf7babca202a4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\bc5FD4.tmp
                Filesize

                576KB

                MD5

                07dd290bee75be703310aaf2c2703d8e

                SHA1

                82818e5222cc22f170c54f7fe809a1056ee9cdb4

                SHA256

                9999e15885044b4e77ef3f3ce293feed63bc75924cde114a984fb19215d50c97

                SHA512

                aa91b429b4495034d17f997ed24e6e2e27eedceeed4d1c22a39e8fddae1e424daa73a01550d26aeb941090a6855cbaee857ac83fd82155d16bbcd43f8b3eb523

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\mKBMH7.cmd
                Filesize

                236B

                MD5

                4b96b5e60b7e022b3a4bd6388cc69ae5

                SHA1

                3d5f6e89ca8472a1ad8c082c85dec7072e1d7ec3

                SHA256

                89ade23dd94900c144a81393202f8f6fc518e1ef0b89d996c30d6135a8c1f0bd

                SHA512

                1d3f70541da9834c026141d568e354dc97bbe0f987ed905f5c302533f91f58d2ea7c856216231e61e69cf8b9e9db9ed20137e47c4707e9304e908ee259c91210

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Ic6uJuU\raserver.exe
                Filesize

                132KB

                MD5

                d1841c6ee4ea45794ced131d4b68b60e

                SHA1

                4be6d2116060d7c723ac2d0b5504efe23198ea01

                SHA256

                38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

                SHA512

                d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pruztwesow.lnk
                Filesize

                918B

                MD5

                7b2914c3c85b4917c19fe3fee78aff64

                SHA1

                8a43c6b0423976b63455d803a0c1455fd96aeb69

                SHA256

                a6dfb79e0a49471bf27b2cf41496c2c6961531d89bb651d7d56a3c6c5388b143

                SHA512

                4fe16e36a09cd84f6aa36c98f43a306ff136c87853df9c5ba6b71962a1e30623c85ef3c26cfdbe66c169a6237e45ae4c84b0b7031670d7d3349a4a5ef26c2adb

                Download Submit

              • memory/3444-29-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-22-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-27-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-23-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-14-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-4-0x00007FFAB294A000-0x00007FFAB294B000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3444-3-0x0000000002C10000-0x0000000002C11000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3444-49-0x00007FFAB2B20000-0x00007FFAB2B30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3444-48-0x0000000002BC0000-0x0000000002BC7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3444-46-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-37-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-30-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-28-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-15-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-26-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-25-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-24-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-58-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-21-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-20-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-19-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-18-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-16-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-13-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-12-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-11-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-10-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-9-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-8-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-7-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/3444-17-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/4028-1-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/4028-6-0x0000000140000000-0x000000014008E000-memory.dmp

                Filesize

                568KB

                Download

              • memory/4028-2-0x000001D2B4A10000-0x000001D2B4A17000-memory.dmp

                Filesize

                28KB

                Download