Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
04-06-2024 03:52
General
-
Target
d94704356d193cb7e271da4ff6f1e36722ce4508b0ea9d8768a4c59b43fba131.dll
-
Size
520KB
-
MD5
4cd048efbfcbfcf4d7c411bdad4afa7f
-
SHA1
492565cd6833e366dc27971722388152ffecc905
-
SHA256
d94704356d193cb7e271da4ff6f1e36722ce4508b0ea9d8768a4c59b43fba131
-
SHA512
5b723fa17f05003fe232b91af4c5ef6b4ee491bde5e115a14d62c42e915360d37e97184dac32ba852cb872131a7cb1081db6e87365f8158b7bb280d165122fec
-
SSDEEP
6144:Ki05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:VrHGPv5Smpt6DmUWuVZkxikdXcq
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\d94704356d193cb7e271da4ff6f1e36722ce4508b0ea9d8768a4c59b43fba131.dll1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\iscsicpl.exeC:\Windows\system32\iscsicpl.exe1⤵
-
C:\Windows\system32\ocsetup.exeC:\Windows\system32\ocsetup.exe1⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe1⤵
-
C:\Windows\system32\LocationNotifications.exeC:\Windows\system32\LocationNotifications.exe1⤵
-
C:\Windows\system32\MultiDigiMon.exeC:\Windows\system32\MultiDigiMon.exe1⤵
-
C:\Windows\system32\rdrleakdiag.exeC:\Windows\system32\rdrleakdiag.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\571aYHe.cmd1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"2⤵
-
-
C:\Windows\system32\WPDShextAutoplay.exeC:\Windows\system32\WPDShextAutoplay.exe1⤵
-
C:\Windows\system32\gpscript.exeC:\Windows\system32\gpscript.exe1⤵
-
C:\Windows\system32\sdchange.exeC:\Windows\system32\sdchange.exe1⤵
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe1⤵
-
C:\Windows\system32\fvenotify.exeC:\Windows\system32\fvenotify.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\LtRV7.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\CkETgx.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /F /TN "Bygyxkyzdvxj" /SC minute /MO 60 /TR "C:\Windows\system32\5887\fvenotify.exe" /RL highest3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228B
MD5a3e0beadbf6d2992abc2cd3f2691be9d
SHA1ca93aec9e22a577460b09d5dc9d1e632e82b90fa
SHA25658c3db63d0a1839e621c653fd4c081abbd9fb8bad6e7fa40753f903ffc882d1e
SHA5120ef0e758712d14444884bcdaf1c12339d2a2c230cc26ce78b1ca51cdedc5302c3076d81d3e4f25c80f30cd2a7c9b7f71f3117302d3278a1e9cb37fc39bd9007f
-
Filesize
132B
MD580e8b06d982d13b99252dbcd5af30633
SHA1a2763bf055454034efa7c1559d19ac5f658cf68b
SHA25666d4860a0693edb20632b79af431d8318e1559ae94696ffc9e16e55fee255e5d
SHA512bfa46ddeb3ae080a3eb46081d91d181f0dce0f583b815b91a94a35075be2d60aa123639d3be7f5ce3c0ec17300dfcd5b325d82ad68d8c2bfa0262164b680addf
-
Filesize
524KB
MD57798b9c711c03de987b4ea605d61b07d
SHA14b1ffb4eca6027f6705cf3937ce7fc5aa7a4530e
SHA2563d73a0337bddc822351b51b5bbd023d1b4ef505370191d987c4af55239322759
SHA512f758c07291356a776b76cfb11ae86c690d4d2c64eb1e79b6a9db0fd318934efcd6543c57978106d55b4d47c96ff35b717376c2aaaf0fe81db901a35f1c1d2e02
-
Filesize
190B
MD5c5d399101e0fa8e162c49e521f3b70cd
SHA1c5bfef06ebee8c4c5b6079c90fe0519237d2e2da
SHA2562aa0e80b272d4521b503fcb45ce6c8a663497f44eff3acc464d110ed8ae52724
SHA512d2b899206364dfd5d8668ac84311725ddfc46253bfb9c87ad7c0e167b7d38591ab1079f2f9fbd97122def95980689d6133c7b6153f3902cb85bd9c995f2087f5
-
Filesize
524KB
MD51d50ec3a5ae3895b448c80aa4ac36095
SHA1b512b90b19e7c4c47f838c3e3652445c99f4f237
SHA2567186a6e1ffb0d003a95dc32d2f825778fbc0641ebcc7b32fdb0a26f5c06b5aba
SHA5120b3d2b94ab2d9ab1b4851e02780c1d6fdd8948801b8aeb64182e4a986afe571b203f9f3932a35c2d1730438ca1d0d13d47e69c3cbd009da1ec532c8a60eae029
-
Filesize
894B
MD5a1e5f2092c412ce10721416704da7dcd
SHA1b4b9840309964699ef64515f74077416a982fc05
SHA256bfc732f8ede0e0907566713975f05f7cf14936f524a963f94df5a4002fb4dac4
SHA512c2d0127da8e98276206a7d107c1c781fc422e546faa7ed85c9e8bae362390667c485adbc27661e32b1ba6100ba7c7948a3aca21ba2f1055d04dc11649d976729
-
Filesize
39KB
MD55e058566af53848541fa23fba4bb5b81
SHA1769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
SHA256ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
SHA512352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
28KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
8KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
28KB
-
Filesize
520KB