3f64dfb29d43348177eac67aeb66fe07fc5901e57f3592dd5756cced05df0d39

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f64dfb29d43348177eac67aeb66fe07fc5901e57f3592dd5756cced05df0d39.dll
Size

1.1MB
MD5

bec40fa6cb88552a0bb7ba09397f5f3c
SHA1

c34a4420a580a94ba3842e3633454be4eced3103
SHA256

3f64dfb29d43348177eac67aeb66fe07fc5901e57f3592dd5756cced05df0d39
SHA512

c5f49d8349f12905e38d9c712bca5d432df9166cc31b3475cf3525c6401430185f4065bf80e22085cb171f1c04261d205c0f08a979e690c06b0740075c13b741
SSDEEP

6144:pi05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:MrHGPv5Smpt6DmUWuVZkxikdXcq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Esxju = "\"C:\\Users\\Admin\\AppData\\Roaming\\v41EKF\\EhStorAuthn.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\0146\ie4uinit.exe	cmd.exe
File opened for modification	C:\Windows\system32\0146\ie4uinit.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3616	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\4GXaBeR.cmd"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
744	rundll32.exe
744	rundll32.exe
744	rundll32.exe
744	rundll32.exe
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3504	Process not Found

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 1484	3504	Process not Found	103
PID 3504 wrote to memory of 1484	3504	Process not Found	103
PID 3504 wrote to memory of 1752	3504	Process not Found	104
PID 3504 wrote to memory of 1752	3504	Process not Found	104
PID 3504 wrote to memory of 3104	3504	Process not Found	105
PID 3504 wrote to memory of 3104	3504	Process not Found	105
PID 3504 wrote to memory of 772	3504	Process not Found	107
PID 3504 wrote to memory of 772	3504	Process not Found	107
PID 772 wrote to memory of 1908	772	cmd.exe	109
PID 772 wrote to memory of 1908	772	cmd.exe	109
PID 3504 wrote to memory of 2208	3504	Process not Found	110
PID 3504 wrote to memory of 2208	3504	Process not Found	110
PID 3504 wrote to memory of 3380	3504	Process not Found	111
PID 3504 wrote to memory of 3380	3504	Process not Found	111
PID 3504 wrote to memory of 4844	3504	Process not Found	112
PID 3504 wrote to memory of 4844	3504	Process not Found	112
PID 3504 wrote to memory of 5032	3504	Process not Found	114
PID 3504 wrote to memory of 5032	3504	Process not Found	114
PID 5032 wrote to memory of 1548	5032	fodhelper.exe	115
PID 5032 wrote to memory of 1548	5032	fodhelper.exe	115
PID 1548 wrote to memory of 3616	1548	cmd.exe	117
PID 1548 wrote to memory of 3616	1548	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3f64dfb29d43348177eac67aeb66fe07fc5901e57f3592dd5756cced05df0d39.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Windows\system32\dusmtask.exe
C:\Windows\system32\dusmtask.exe
1⤵
PID:1484

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Ruo.cmd
1⤵
PID:3104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6fbc9e50-6a1b-17d9-5db5-133f618c672e}"
1⤵
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6fbc9e50-6a1b-17d9-5db5-133f618c672e}"
  2⤵
  PID:1908

C:\Windows\system32\wuapihost.exe
C:\Windows\system32\wuapihost.exe
1⤵
PID:2208

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:3380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\TZs.cmd
1⤵
- Drops file in System32 directory
PID:4844

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\4GXaBeR.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Lgeeulo" /SC minute /MO 60 /TR "C:\Windows\system32\0146\ie4uinit.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4276,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
1⤵
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4GXaBeR.cmd

Filesize
126B

MD5
13952454cdeb7bad5e5420ba4b114b3e

SHA1
33db926887083d736cbee4cdfa5495dc28b64f2c

SHA256
d8a53c048c73e0d9612eb3dd1d6fb7847101e785c8018149dc2108641e2d9dde

SHA512
aa17ac216364e58572bb163739815db21289af5ba362832b1f148346656f438ef97d153c584d035b4aaae8f1385ebf188e8c7973dc884b3a09f13776c71a3aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\L1BE0.tmp

Filesize
1.1MB

MD5
2ac85820a731a74dc44d7aab0ddbe7e8

SHA1
80623a7ff18c2148a5b9ad2d27c9fcbc1562ee07

SHA256
a54cbb09caf17f1d83287e81443de4f273f7eea5ab64e8b120f8c7201978c643

SHA512
34e7784a9d49fdeccb1389f4683a4aa62cee117922e94918d0560b70af3862fcead0b85af754398efd7f16febd2517a9bdff4490f7074af119c511505e6d7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruo.cmd

Filesize
235B

MD5
d23a71386161f68b1914973c04253be6

SHA1
7ebac62a977bdf6974c4e43e32974ff14bbfea46

SHA256
cd1914b7afe24470ac1903feb1141c91e7c9b1313bf2331a652fe676735caf24

SHA512
397cb0decc4a1bfde371c81144177718d71154545ac8745e022194c56a08305879710c942167db9321a2930eb35bf40369c9a1e0ed97a642c409718c66c6cbbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZs.cmd

Filesize
193B

MD5
8cb8592a3acc1408826c68d6464da56c

SHA1
1a709de756b2d633302554fbaf7634bdae2ec598

SHA256
c1622db5d15fef49be314afb71eb02108e859d787a270e71ec09118dc060198a

SHA512
c07dd4791e87e68f49e3e74bcda61f1e273101b2147697266105e86f839044bc19e00c71e28e068d977da8f074c13bc50af751a439a77a591863b078b2b521b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1CCB.tmp

Filesize
1.1MB

MD5
b0777132ba7bd9dc59b465bff83bdbd7

SHA1
b3cf60c6b98cecb2b8268d0689e534e8855c38cb

SHA256
4f1eec9b00580bbbdb8ce76c4293ba2b5c69fcb3256781ad2d8195f09e3ce38f

SHA512
ff76df6fd4028e24e9a22b8e8356174b2b79ab1be7790f2af8e5d6ea84a50456c1364481af516922636987f479c9b0f59b51d5ea6148b14b3da53b64886a528b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Esxju.lnk

Filesize
928B

MD5
b1567b02ba335011a1a763907124d144

SHA1
c16526f7ca1f8ece19a4734815342ce439b8895c

SHA256
5c4d68f59d77088ae940b2d4cc65d5e618fddb1468ae93c2244013fe43374f99

SHA512
f12694f34991cfec94d623106fd55543ed49e1c6723a5283ff378e106d9ec7c4b23a59fc0d4978aa0b99f0ed36eb14123d701b52db017d42585ac01cab9851f3

Download Submit
C:\Users\Admin\AppData\Roaming\v41EKF\EhStorAuthn.exe

Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
memory/744-1-0x0000021AAE5B0000-0x0000021AAE5B7000-memory.dmp

Filesize
28KB

Download
memory/744-0-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/744-6-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-24-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-19-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-45-0x00007FF9B07E0000-0x00007FF9B07F0000-memory.dmp

Filesize
64KB

Download
memory/3504-25-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-44-0x0000000000600000-0x0000000000607000-memory.dmp

Filesize
28KB

Download
memory/3504-42-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-33-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-26-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-3-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3504-23-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-22-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-21-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-20-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-54-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-17-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-18-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-16-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-15-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-13-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-12-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-11-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-10-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-9-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-8-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-7-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-14-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/3504-5-0x00007FF9AF94A000-0x00007FF9AF94B000-memory.dmp

Filesize
4KB

Download