Overview

overview

7

Static

static

3

e529f42090...c7.dll

windows7-x64

7

e529f42090...c7.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03/06/2024, 04:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e529f420900539bbf58bb2a04f6ed73a46a37e1aa6a4cd584df57ef7d00dcfc7.dll

  • Size

    1.0MB

  • MD5

    965d74e22a34da838f1f4f922002465e

  • SHA1

    760dfc1106f85a5e8ab70788ac39128a9a377ffb

  • SHA256

    e529f420900539bbf58bb2a04f6ed73a46a37e1aa6a4cd584df57ef7d00dcfc7

  • SHA512

    2e93b7d1e082b80cafca881220e2405ba098af68722cb33dc26afbfe93c8086d4d015c8cc7cc69a8db17d42d65c77a4ac804dc6edf66050c465bd8778566fe09

  • SSDEEP

    6144:gi05kH9OyU2uv5SRf/FWgFgtMgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:TrHGPv5SmptxDmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e529f420900539bbf58bb2a04f6ed73a46a37e1aa6a4cd584df57ef7d00dcfc7.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2320
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    1⤵
      PID:2736
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\EaS6cU.cmd
      1⤵
        PID:2484
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"
          2⤵
            PID:2984
        • C:\Windows\system32\javaws.exe
          C:\Windows\system32\javaws.exe
          1⤵
            PID:2732
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\8FyUuMy.cmd
            1⤵
            • Drops file in System32 directory
            PID:2228
          • C:\Windows\System32\eventvwr.exe
            "C:\Windows\System32\eventvwr.exe"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2832
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ASAhT.cmd
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2864
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Create /F /TN "Lizdxxpaecrde" /SC minute /MO 60 /TR "C:\Windows\system32\6374\javaws.exe" /RL highest
                3⤵
                • Creates scheduled task(s)
                PID:2828

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\64j2655.tmp
                  Filesize

                  1.0MB

                  MD5

                  d56f8967ea00991dcae618e59dcee1aa

                  SHA1

                  b0dcb89279f6e442c7fe572bc36e6dc1d4440297

                  SHA256

                  a8d0e2d673f8ba38d0452b066ae987c56b1454b2aa3690647f793ed03a1a22c2

                  SHA512

                  c3a847c9d9b1062cc26f32a1a77d57b483f83d738463c55820cb3f354999f862cb1f73595b6409cad1e0e6b3fdd48b443bdaee7b4d7094d93d7fbb717861adc2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\8FyUuMy.cmd
                  Filesize

                  192B

                  MD5

                  812b51e12d67a295c09f2163b1dc736e

                  SHA1

                  0710bfb6ff03298776fceafc353187eb7ae20176

                  SHA256

                  a9d3ccd5e1403c1903e8cf275baf8a2215ac6479b92b9d69a28140fb481fa4ae

                  SHA512

                  f00c95465dfc8bd6ba127b77540c857293bcd0fc4688cf7764232f6e91878963a1fe4e2faa5244b46c40c14262b24829f386e7d348f965063fb420b5ed45b901

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ASAhT.cmd
                  Filesize

                  130B

                  MD5

                  810a7fffddea43ce08bd562fff810ba7

                  SHA1

                  d7f4a3698afd0577f72dcb6e845a02af28a3b768

                  SHA256

                  657c80cf46d2fd3d07d2a020efaf9546362933a5588003f80e48c768194e8ba2

                  SHA512

                  50c79694c02c71fa051ca3c8bfab8707be799dfb6b4b4c3b7d7d622be0db77ad4db2b5240e4202467027c7977e961a21e18beb0e90b131721fd98cc55cdb5398

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\EaS6cU.cmd
                  Filesize

                  230B

                  MD5

                  c9e9b6b1d0a38dd2ef4f54cae8b056d7

                  SHA1

                  af73fcfb97ddfb7023b660516835196dfd86d482

                  SHA256

                  bbd4f6ec383e9d9dc22bbe81a6049b1b842981b447dee2b5c0d75371d8bd6a99

                  SHA512

                  fb066cb75cf878b194038c3a2f3372ae12f2ef07ed2885e0dfd111b04924119adee988fc4af96816ba25cbd82e6afd9ac4d95fac04b01d9f00713d03b185cd26

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\l626C3.tmp
                  Filesize

                  1.0MB

                  MD5

                  654895c603df6db445895f36444d010b

                  SHA1

                  2188188d2c0b5b1ee36754fb37ca4fd74360656f

                  SHA256

                  c368fa47b2f49e7f9ee0c144199ae647be61237896f764c0419d4056a272cd0f

                  SHA512

                  52bef9558f261d36f16f928ee335282579b42906d3b46876c2dfbcf0c061ba0c661e32a337a655487e9e8eae22f9edb4e128416959458e7c7b02cec822a27a2a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Javhf.lnk
                  Filesize

                  878B

                  MD5

                  50db45fdbdaaa46fbd5e5ac0bb6f93df

                  SHA1

                  4181697a6b60125d8bf30ddaa3bdded9c80208d4

                  SHA256

                  a6b663465bb47d165107b0690d4592a3f0c9dc36063a75809ec267ab00a8b0f2

                  SHA512

                  7d841dca6ef16da4ae8a58e1ea9da91a4c94b58e5505c1fb8dbee4bd50aa9b1e129ff6651427679377091692ebdba46f70f55cbe6f77758214fac7e3109fcb99

                  Download Submit

                • \Users\Admin\AppData\Roaming\ZVUGy\TpmInit.exe
                  Filesize

                  112KB

                  MD5

                  8b5eb38e08a678afa129e23129ca1e6d

                  SHA1

                  a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

                  SHA256

                  4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

                  SHA512

                  a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

                  Download Submit

                • memory/1232-11-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-32-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-15-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-23-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-25-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-21-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-19-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-17-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-16-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-36-0x0000000076EF1000-0x0000000076EF2000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1232-13-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-94-0x0000000076DE6000-0x0000000076DE7000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1232-10-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-9-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-33-0x00000000025B0000-0x00000000025B7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1232-14-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-24-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-22-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-20-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-18-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-39-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-45-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-12-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-7-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-8-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/1232-44-0x0000000077050000-0x0000000077052000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1232-4-0x00000000025D0000-0x00000000025D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1232-3-0x0000000076DE6000-0x0000000076DE7000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2320-6-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/2320-0-0x0000000140000000-0x000000014010B000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/2320-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

                  Filesize

                  28KB

                  Download