Overview

overview

7

Static

static

3

e85b862f94...c6.dll

windows7-x64

7

e85b862f94...c6.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03/06/2024, 05:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e85b862f940e6ee522b74384346a4cf196b6827ab5a81d8f0f6170b9b0c0e5c6.dll

  • Size

    736KB

  • MD5

    b8e030600df3d279215a9d943166ed68

  • SHA1

    306c0e5c29dcdc60f884827919bddfae85a23443

  • SHA256

    e85b862f940e6ee522b74384346a4cf196b6827ab5a81d8f0f6170b9b0c0e5c6

  • SHA512

    05c6c1c2bb266fc455417e59d56dd0c7a7da3685bae84f6832c112da7d076f33f461bbaa59b97f7ea51653e157dfacf9da4d088d55049c33041fb5b31b0200c6

  • SSDEEP

    6144:Oi05kH9OyU2uv5SRf/FWgFgtegqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:hrHGPv5SmptjDmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e85b862f940e6ee522b74384346a4cf196b6827ab5a81d8f0f6170b9b0c0e5c6.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2848
  • C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
    1⤵
      PID:2560
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\guEkh.cmd
      1⤵
        PID:2656
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{33819f3b-2f8d-cfcb-0a23-a942879f9636}"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{33819f3b-2f8d-cfcb-0a23-a942879f9636}"
          2⤵
            PID:2980
        • C:\Windows\system32\wsmprovhost.exe
          C:\Windows\system32\wsmprovhost.exe
          1⤵
            PID:2404
          • C:\Windows\system32\rrinstaller.exe
            C:\Windows\system32\rrinstaller.exe
            1⤵
              PID:2948
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0wm5.cmd
              1⤵
              • Drops file in System32 directory
              PID:1312
            • C:\Windows\System32\eventvwr.exe
              "C:\Windows\System32\eventvwr.exe"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2832
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wgHRy.cmd
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2564
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Create /F /TN "Vmvmshnity" /SC minute /MO 60 /TR "C:\Windows\system32\8738\rrinstaller.exe" /RL highest
                  3⤵
                  • Creates scheduled task(s)
                  PID:1868

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\0wm5.cmd
                    Filesize

                    195B

                    MD5

                    ef3667197d4e80be697539354adaf1ff

                    SHA1

                    8dc6c80ba17c7c8909a3d6baaeebedf4cd55f294

                    SHA256

                    cb744609de598f7c3e2e6f9a81beaefaa201ec75106d6b15f594cb1c5120c7cd

                    SHA512

                    f3bb27261bedcf5681de2ecc04664cb5442127f67fea54de98b467273321231b49fced25d93ec21e113badba0c151448f18d89aa0d529e6682e67cecd605bff8

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\I2B26.tmp
                    Filesize

                    740KB

                    MD5

                    bc4c8639649b285019cf19ab1399272d

                    SHA1

                    4efedc272fa0f155273adc1a85732a34f2674076

                    SHA256

                    955472f659e6e1ec06770af5d55eea1d2a2900039a83ce72d84096bff604273c

                    SHA512

                    7798ce693ea6b66e62df4cdb82f9a40f70782791e5b409aa6acf3d168ade0e786fb2f88796fa8f81e67a87c279a6ba096ab29da4d92dea2563324187329cf71b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\guEkh.cmd
                    Filesize

                    229B

                    MD5

                    fe17e08b540ed7f3cc796b040b4711d5

                    SHA1

                    932ab86143109ea5e37083c7e95cb5318f005ae9

                    SHA256

                    b8f7d7e7d3e4284a00167a0c7134aa63dd4a4c10e4fd73ed5f38cff22c9e6e2c

                    SHA512

                    45064989807613a3f45b45c3835ab5cadf020ac1c128bc6f83e5569c83f4b8d5531676c1416c74e96bc432130c088ea5daeebec636aa7ddae230b6b8b7227b49

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\q2D29.tmp
                    Filesize

                    744KB

                    MD5

                    ef0058399c6ce1317e66febf1d8d3e14

                    SHA1

                    e174dd25b56b2ed7aa44e68c676399a670846642

                    SHA256

                    cc3539934ce5a96e72e2597c2bb2351a335e2aae27c87e3e1011aaace243297c

                    SHA512

                    2adb411c02927389d47cd9cbd97796d4cf67009d32351afe3b09f10ba1a95cd80f7328128acf91a5c2596f916f65ca36b64ada8ba77b41c9daf60490c9cee641

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\wgHRy.cmd
                    Filesize

                    132B

                    MD5

                    10e79f6cb7b1d022c86ce439df31af12

                    SHA1

                    d38fa2093adc3c84e1c5e6d0cc37e6d0fea8027a

                    SHA256

                    e651a6ad31abbedeaa020d839448dc1a564fdf210fb81e2f553ecb03085d442e

                    SHA512

                    aaf8ba291532d6683457c8f3ec5ed8063389beec99cfbe80423d5536cc47c23f24c652236962ac6ff24407bc50a1ba89a16c4ea98b5ad750d5091f0823db344c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\EnNToH\fvenotify.exe
                    Filesize

                    117KB

                    MD5

                    e61d644998e07c02f0999388808ac109

                    SHA1

                    183130ad81ff4c7997582a484e759bf7769592d6

                    SHA256

                    15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

                    SHA512

                    310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tonqjizj.lnk
                    Filesize

                    890B

                    MD5

                    4742e5baad13e89b2636cd70ae97b6d4

                    SHA1

                    c6e7b3d773a9adcac0206731937ef02ed6d3f3a7

                    SHA256

                    221e4f85a73d79ff60177f93cef3a5fbb776a9c6deee840a66efd6794c2037f6

                    SHA512

                    8fa7f56905e581dbf1aa00eaad041468638a63c1d555966c98ec612d64c4ad58f8a31af4050403bf0e30f3a2916367da35ecdf6d9db16be5be665d24ff2c48f3

                    Download Submit

                  • memory/1188-18-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-14-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-24-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-36-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/1188-35-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-28-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-27-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-26-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-25-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-23-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-22-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-21-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-20-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-100-0x0000000077876000-0x0000000077877000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1188-17-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-16-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-15-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-13-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-12-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-11-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-10-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-9-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-37-0x0000000077A81000-0x0000000077A82000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1188-46-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-51-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1188-52-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-53-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-19-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-7-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-8-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/1188-3-0x0000000077876000-0x0000000077877000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1188-4-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2848-6-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download

                  • memory/2848-2-0x00000000001F0000-0x00000000001F7000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/2848-0-0x0000000140000000-0x00000001400B8000-memory.dmp

                    Filesize

                    736KB

                    Download