3f64dfb29d43348177eac67aeb66fe07fc5901e57f3592dd5756cced05df0d39

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f64dfb29d43348177eac67aeb66fe07fc5901e57f3592dd5756cced05df0d39.dll
Size

1.1MB
MD5

bec40fa6cb88552a0bb7ba09397f5f3c
SHA1

c34a4420a580a94ba3842e3633454be4eced3103
SHA256

3f64dfb29d43348177eac67aeb66fe07fc5901e57f3592dd5756cced05df0d39
SHA512

c5f49d8349f12905e38d9c712bca5d432df9166cc31b3475cf3525c6401430185f4065bf80e22085cb171f1c04261d205c0f08a979e690c06b0740075c13b741
SSDEEP

6144:pi05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:MrHGPv5Smpt6DmUWuVZkxikdXcq

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1180	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gdussggr = "\"C:\\Users\\Admin\\AppData\\Roaming\\2c5SP\\shrpubw.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\1089\sethc.exe	cmd.exe
File opened for modification	C:\Windows\system32\1089\sethc.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2288	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\MSCFile\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\MSCFile	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\MSCFile\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\MSCFile\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\agW.cmd"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\MSCFile\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\MSCFile\shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\MSCFile	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\MSCFile\shell\open	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
348	rundll32.exe
348	rundll32.exe
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2732	1180	Process not Found	28
PID 1180 wrote to memory of 2732	1180	Process not Found	28
PID 1180 wrote to memory of 2732	1180	Process not Found	28
PID 1180 wrote to memory of 2956	1180	Process not Found	29
PID 1180 wrote to memory of 2956	1180	Process not Found	29
PID 1180 wrote to memory of 2956	1180	Process not Found	29
PID 1180 wrote to memory of 2628	1180	Process not Found	30
PID 1180 wrote to memory of 2628	1180	Process not Found	30
PID 1180 wrote to memory of 2628	1180	Process not Found	30
PID 1180 wrote to memory of 2540	1180	Process not Found	31
PID 1180 wrote to memory of 2540	1180	Process not Found	31
PID 1180 wrote to memory of 2540	1180	Process not Found	31
PID 1180 wrote to memory of 2548	1180	Process not Found	32
PID 1180 wrote to memory of 2548	1180	Process not Found	32
PID 1180 wrote to memory of 2548	1180	Process not Found	32
PID 1180 wrote to memory of 2492	1180	Process not Found	33
PID 1180 wrote to memory of 2492	1180	Process not Found	33
PID 1180 wrote to memory of 2492	1180	Process not Found	33
PID 1180 wrote to memory of 2488	1180	Process not Found	34
PID 1180 wrote to memory of 2488	1180	Process not Found	34
PID 1180 wrote to memory of 2488	1180	Process not Found	34
PID 1180 wrote to memory of 2508	1180	Process not Found	35
PID 1180 wrote to memory of 2508	1180	Process not Found	35
PID 1180 wrote to memory of 2508	1180	Process not Found	35
PID 1180 wrote to memory of 2524	1180	Process not Found	36
PID 1180 wrote to memory of 2524	1180	Process not Found	36
PID 1180 wrote to memory of 2524	1180	Process not Found	36
PID 1180 wrote to memory of 2612	1180	Process not Found	37
PID 1180 wrote to memory of 2612	1180	Process not Found	37
PID 1180 wrote to memory of 2612	1180	Process not Found	37
PID 1180 wrote to memory of 2784	1180	Process not Found	39
PID 1180 wrote to memory of 2784	1180	Process not Found	39
PID 1180 wrote to memory of 2784	1180	Process not Found	39
PID 2784 wrote to memory of 2820	2784	cmd.exe	41
PID 2784 wrote to memory of 2820	2784	cmd.exe	41
PID 2784 wrote to memory of 2820	2784	cmd.exe	41
PID 1180 wrote to memory of 2816	1180	Process not Found	42
PID 1180 wrote to memory of 2816	1180	Process not Found	42
PID 1180 wrote to memory of 2816	1180	Process not Found	42
PID 1180 wrote to memory of 1864	1180	Process not Found	43
PID 1180 wrote to memory of 1864	1180	Process not Found	43
PID 1180 wrote to memory of 1864	1180	Process not Found	43
PID 1180 wrote to memory of 1020	1180	Process not Found	44
PID 1180 wrote to memory of 1020	1180	Process not Found	44
PID 1180 wrote to memory of 1020	1180	Process not Found	44
PID 1180 wrote to memory of 2900	1180	Process not Found	45
PID 1180 wrote to memory of 2900	1180	Process not Found	45
PID 1180 wrote to memory of 2900	1180	Process not Found	45
PID 1180 wrote to memory of 2112	1180	Process not Found	46
PID 1180 wrote to memory of 2112	1180	Process not Found	46
PID 1180 wrote to memory of 2112	1180	Process not Found	46
PID 1180 wrote to memory of 1648	1180	Process not Found	47
PID 1180 wrote to memory of 1648	1180	Process not Found	47
PID 1180 wrote to memory of 1648	1180	Process not Found	47
PID 1180 wrote to memory of 1896	1180	Process not Found	48
PID 1180 wrote to memory of 1896	1180	Process not Found	48
PID 1180 wrote to memory of 1896	1180	Process not Found	48
PID 1180 wrote to memory of 608	1180	Process not Found	49
PID 1180 wrote to memory of 608	1180	Process not Found	49
PID 1180 wrote to memory of 608	1180	Process not Found	49
PID 1180 wrote to memory of 1872	1180	Process not Found	51
PID 1180 wrote to memory of 1872	1180	Process not Found	51
PID 1180 wrote to memory of 1872	1180	Process not Found	51
PID 1872 wrote to memory of 1644	1872	eventvwr.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f64dfb29d43348177eac67aeb66fe07fc5901e57f3592dd5756cced05df0d39.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:348

C:\Windows\system32\mobsync.exe
C:\Windows\system32\mobsync.exe
1⤵
PID:2732

C:\Windows\system32\CompMgmtLauncher.exe
C:\Windows\system32\CompMgmtLauncher.exe
1⤵
PID:2956

C:\Windows\system32\winrshost.exe
C:\Windows\system32\winrshost.exe
1⤵
PID:2628

C:\Windows\system32\cmdl32.exe
C:\Windows\system32\cmdl32.exe
1⤵
PID:2540

C:\Windows\system32\newdev.exe
C:\Windows\system32\newdev.exe
1⤵
PID:2548

C:\Windows\system32\TapiUnattend.exe
C:\Windows\system32\TapiUnattend.exe
1⤵
PID:2492

C:\Windows\system32\cmdl32.exe
C:\Windows\system32\cmdl32.exe
1⤵
PID:2488

C:\Windows\system32\cleanmgr.exe
C:\Windows\system32\cleanmgr.exe
1⤵
PID:2508

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:2524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\WGupN.cmd
1⤵
PID:2612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6a238b75-ab6b-0508-5bd0-5c205cafaf63}"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6a238b75-ab6b-0508-5bd0-5c205cafaf63}"
  2⤵
  PID:2820

C:\Windows\system32\efsui.exe
C:\Windows\system32\efsui.exe
1⤵
PID:2816

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:1864

C:\Windows\system32\DeviceEject.exe
C:\Windows\system32\DeviceEject.exe
1⤵
PID:1020

C:\Windows\system32\LogonUI.exe
C:\Windows\system32\LogonUI.exe
1⤵
PID:2900

C:\Windows\system32\resmon.exe
C:\Windows\system32\resmon.exe
1⤵
PID:2112

C:\Windows\system32\mctadmin.exe
C:\Windows\system32\mctadmin.exe
1⤵
PID:1648

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\2cYB.cmd
1⤵
- Drops file in System32 directory
PID:608

C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\agW.cmd
  2⤵
  PID:1644
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Hplnwst" /SC minute /MO 60 /TR "C:\Windows\system32\1089\sethc.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2cYB.cmd

Filesize
189B

MD5
5c0a738ee3e9b7271574a7c99fd061c7

SHA1
1294a30c793c51f84c3ed97df2886528480e2767

SHA256
031b8e246d3231298a69e4c3ee00dca890d6486e2b3b03ccd3a74bf674b26720

SHA512
36947fdea2307c9e6aa482466fd96925856c15177ce11a01e3b252be65a1978210dc8b6f0cd44123a22820a22ac5c96d682385fdbedb4b4636c9de576ec6c445

Download Submit
C:\Users\Admin\AppData\Local\Temp\9h24EE.tmp

Filesize
1.1MB

MD5
c3817c0b70948da14f8594f67ba656f1

SHA1
aa52cb0871a3d7c221b98f6ccaf8ab1d7eead4f0

SHA256
e11b18a89d0530254dfb92594be774168235bd5dc9c87ebeee631308e8911dd9

SHA512
e317131ac373fd12f332a8aedf2ade1b616421eadd149902f7ada06498a57c6be8dfe2bc03015d30110ff7d47800a3607bba79966a847666b47e55c616ae9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGupN.cmd

Filesize
228B

MD5
4a6d79c779b4052a82703420fadc0770

SHA1
29e499e7c44e85475f9ccc5943e2d8193f820b97

SHA256
bdbf40a4492dd41bd747594babd962a4cac63022452929e897956d4d2ad5a7ec

SHA512
2973ca32293be9f50057c65e276f3cea2a0a9d2a3bc716e5392c98a6cd9fde4b343a6a6ab5acdbfab8f28707e22dd61d7d9b797b072f8929b42fe2f2432d9140

Download Submit
C:\Users\Admin\AppData\Local\Temp\agW.cmd

Filesize
123B

MD5
51a99db5a12fd67f5c2c4d8712d8e516

SHA1
d61c68119ef995fbe206d08e513c7d8d80f7f5f7

SHA256
ffedb8b5d536e45f2c279005fd5ccc7b6ef66edbc9712c6e2a109d080b488726

SHA512
14873294c5f641d8fbaf849ac4f0a154d6460ca388806dc087d178ad7ccfdefa18c4a1a90ca4ea8851fef2393b205d7a655fd3ecbafdaabb10f5eaf174f0e4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aw26E3.tmp

Filesize
1.3MB

MD5
02b5cc46aa5a7f911ac2b1516ab78245

SHA1
3c725aad8e22075b120af700439ace55176f27cb

SHA256
cc8d51d4f82784322163460321f1d7ac457f05a7518587179494301c99f12030

SHA512
a0407a880489fbb7394cb190b7ad519f41a40f0cb2d237468f349ef572ad046a8027aef1acdf1bbca65168e15d1e5d03a3b7e77bcc3be19b4830387d6129ddc8

Download Submit
C:\Users\Admin\AppData\Roaming\2c5SP\shrpubw.exe

Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gdussggr.lnk

Filesize
874B

MD5
da56f94640e7a072b6dad91507820e2c

SHA1
c65f09bff1cb53629c2e742b1e29e1c748a9eaa9

SHA256
3bec00c8050561fdfdaed92ac4ab3acee5a15bd662d20834d9bd3e6f15759ebb

SHA512
96f1af06de8d9cd0e1e2a114f60f674499a00b497d81b860903955d1b3f06501b189f639f7cb13ea6334aee1c403eadaebe5e5ab1a748599987669e1107acda6

Download Submit
memory/348-0-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/348-2-0x0000000001D50000-0x0000000001D57000-memory.dmp

Filesize
28KB

Download
memory/348-6-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-15-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-23-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-14-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-16-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-20-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-19-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-18-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-17-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-12-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-21-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-25-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-26-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-34-0x0000000002A90000-0x0000000002A97000-memory.dmp

Filesize
28KB

Download
memory/1180-35-0x00000000778D1000-0x00000000778D2000-memory.dmp

Filesize
4KB

Download
memory/1180-24-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-13-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-22-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-33-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-44-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-45-0x0000000077A30000-0x0000000077A32000-memory.dmp

Filesize
8KB

Download
memory/1180-51-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-11-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-10-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-9-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-8-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-7-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1180-4-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1180-3-0x00000000777C6000-0x00000000777C7000-memory.dmp

Filesize
4KB

Download
memory/1180-98-0x00000000777C6000-0x00000000777C7000-memory.dmp

Filesize
4KB

Download