Analysis
-
max time kernel
150s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
03/06/2024, 20:07
General
-
Target
3262f65c6ca78751b7c0a6266c4852d9be85d1901407716bcd4c6cbaf90c8cfb.dll
-
Size
524KB
-
MD5
798d4e683fb22c7acf5f87072030b6b4
-
SHA1
14e7e48185b49eb952a3cc6ce845d90f0c06f2a7
-
SHA256
3262f65c6ca78751b7c0a6266c4852d9be85d1901407716bcd4c6cbaf90c8cfb
-
SHA512
d24be8f0c7fec1f639aee4000e7b6ce86c4342a505b0f8bd74a65327e4f21fc982927c40e4c1dd92f2c5dcb335dfc0998ed31fa4750bbaf568005f457f40691c
-
SSDEEP
6144:Pi05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:KrHGPv5Smpt6DmUWuVZkxikdXcq
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3262f65c6ca78751b7c0a6266c4852d9be85d1901407716bcd4c6cbaf90c8cfb.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\Narrator.exeC:\Windows\system32\Narrator.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\dNGVAb.cmd1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{b20545c2-dfb8-18ae-c9b7-e3de899dbcb9}"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Delete /F /TN "User_Feed_Synchronization-{b20545c2-dfb8-18ae-c9b7-e3de899dbcb9}"2⤵
-
-
C:\Windows\system32\CompMgmtLauncher.exeC:\Windows\system32\CompMgmtLauncher.exe1⤵
-
C:\Windows\system32\SyncAppvPublishingServer.exeC:\Windows\system32\SyncAppvPublishingServer.exe1⤵
-
C:\Windows\system32\LicensingUI.exeC:\Windows\system32\LicensingUI.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\40rMzw.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\fodhelper.exe"C:\Windows\System32\fodhelper.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\K3NUZ.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /F /TN "Kspyygbb" /SC minute /MO 60 /TR "C:\Windows\system32\3789\LicensingUI.exe" /RL highest3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
196B
MD5fcd488116b5ef7dffde8e8067c4421cc
SHA19b4be34208d50ed739d96e84f81ff93cad8e2eb7
SHA2566755a6add9edd4e46522145a295152946a1ab60d040e318637f6d5675a27faac
SHA5129e2b92d3fc6498ff660dad2fec27db5ef37735ab17902f7880e05134810a2700787fb928fc50b732bdc8407d26540d28cb956ce7bd3b47be2570267263611ed5
-
Filesize
804KB
MD5bfcd9ebb305761960a15d70a86c82fa7
SHA1381c0d0ad601fe56e2d030770df47932042f15c9
SHA256ad99566bca170c9afb8620b8a3fbd644110892097c0ac83887d19ac773fa0371
SHA5124d6220e9570c8b73cc414c36608241742b0d503b62929951c50140f95ed34e0596aae822dd37c03728834f84afa7657b0b03d69a611a5b31d13517b08890b7f1
-
Filesize
528KB
MD56ff153aa7edf9f71b11f9e1ae156bfd9
SHA1469b62c07cf68aa615cf3ccf42417e109ad41629
SHA25695430270ab1c61393ba5e9b60b5b64e989b0e865d774f8709d7b50a8d08d2c67
SHA512e5eb41cc3077b1dab16c09c273ea85ad51dec68dfef0f85166f3b574bdfb0d7fda5cd8544ff7ed8ba5e398cd412b24153fde1eb30467ebc09c359ef001b059f1
-
Filesize
130B
MD5d84bd356496add95637aad9a683f4fbd
SHA1415b7b23c8bc06e93f3ea3aa77420ad0a03a91bc
SHA256239135c910bb263822b938ab6ee820f933e5e619cec981e511a0ac8cf8948e4a
SHA5120d7d42dcbcc8a3e2b2938e2747812acfaf97874f5b832d481c06df83a09dce3e93a8bf9bd0c5f469d1bfe10bf5af09a3029d5daa49e7101ac66e8203b4c3132a
-
Filesize
225B
MD5230d5513b3847a75ec6afdb52c713efb
SHA1e58ca0e630ce115e6b881d4ae5e0b4ffddf21496
SHA25626db1d906580a8199c4e8c2220600f69483f544c6611d6868d827d79556da037
SHA51201639595f420a47f117bb65ba349e1d7ebf1ea6d79b49326372cf025aa03c3484ec1f44fac3637e18d5d720eb33a8edb4e51b9d0cf610f535e843e3b2e3de440
-
Filesize
900B
MD5fa25c025d2f54e72f5a78dbac62f65aa
SHA1fb18c109903a437f7b58d2d9b05ea1d01d750895
SHA25676cfa0d2a88241c9d49c14e9d47d469154d9185788becdbc78c97563f7bc2201
SHA512a0b6c845836ddcc6b6d54f7973cb9c0db42ba5ff7a7995fd6cf6417778db4560892aa96e926aef260c807dc06f65ac82bffcd3ad550d8fe37ff59ca48c068a90
-
Filesize
521KB
MD5d92defaa4d346278480d2780325d8d18
SHA16494d55b2e5064ffe8add579edfcd13c3e69fffe
SHA25669b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83
SHA512b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
64KB
-
Filesize
524KB
-
Filesize
28KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
4KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
4KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
28KB