Overview

overview

7

Static

static

3

d94704356d...31.dll

windows7-x64

7

d94704356d...31.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2024 03:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d94704356d193cb7e271da4ff6f1e36722ce4508b0ea9d8768a4c59b43fba131.dll

  • Size

    520KB

  • MD5

    4cd048efbfcbfcf4d7c411bdad4afa7f

  • SHA1

    492565cd6833e366dc27971722388152ffecc905

  • SHA256

    d94704356d193cb7e271da4ff6f1e36722ce4508b0ea9d8768a4c59b43fba131

  • SHA512

    5b723fa17f05003fe232b91af4c5ef6b4ee491bde5e115a14d62c42e915360d37e97184dac32ba852cb872131a7cb1081db6e87365f8158b7bb280d165122fec

  • SSDEEP

    6144:Ki05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:VrHGPv5Smpt6DmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d94704356d193cb7e271da4ff6f1e36722ce4508b0ea9d8768a4c59b43fba131.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3380
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    1⤵
      PID:3520
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Z9Xll.cmd
      1⤵
        PID:4404
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4464
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
          2⤵
            PID:3240
        • C:\Windows\system32\fvenotify.exe
          C:\Windows\system32\fvenotify.exe
          1⤵
            PID:436
          • C:\Windows\system32\wiaacmgr.exe
            C:\Windows\system32\wiaacmgr.exe
            1⤵
              PID:4692
            • C:\Windows\system32\mstsc.exe
              C:\Windows\system32\mstsc.exe
              1⤵
                PID:3296
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Ur421W.cmd
                1⤵
                • Drops file in System32 directory
                PID:3244
              • C:\Windows\System32\fodhelper.exe
                "C:\Windows\System32\fodhelper.exe"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:4260
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lsW1.cmd
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1728
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Create /F /TN "Fdxhngjjnp" /SC minute /MO 60 /TR "C:\Windows\system32\1498\mstsc.exe" /RL highest
                    3⤵
                    • Creates scheduled task(s)
                    PID:5080

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\Oy6A73.tmp
                Filesize

                524KB

                MD5

                83a86dbc1c8e083771cc3bccdf538633

                SHA1

                51531399725b1a350f8172c021b4ebe92bb5d410

                SHA256

                b189748ef2be16d0618af9b9631ea65f89e0de0b00a49cc7b68af969b9475a35

                SHA512

                8f0e8ac452a2ceccd8ba454884f6fb22f61a6976d6ff00b2b39868926905e3caa48a5d9c7f414446a3df4c311154c4ff7ec89936166f799f5e2008947518f29b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Ur421W.cmd
                Filesize

                191B

                MD5

                58dfce56524dbf7b22cf19f46d370f3b

                SHA1

                65b9d7e7f8cbc9dd494432bb2b6a9a8a6304a003

                SHA256

                9db33c382a1401fff45493037f12ec7bf877a73cee5e09782d1011ac8e3ec69a

                SHA512

                e884d03ba2ae81f50742ff690e28b1a300851bd765f61353aee2a393b70a0f7ed37f5db0c5dd236cf9db62f289e066e38f18d8ce5a05934641825eec3f142989

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Z9Xll.cmd
                Filesize

                225B

                MD5

                ef1a6efeecd8f813766c8e29b27f6808

                SHA1

                6864820d888118f6c8b6cd224744989821324f48

                SHA256

                db510897ba96237b604d4189e47242e5c7432c838eed4aa93ea26a222b88b9fb

                SHA512

                8e097d7cbf5ede1308363cba10ee64d5b2f143498dc47c045354dbb50e6eeac85b60c6853baacd99abe141cc82f771c5f9e83ce0237ea4d6cfd6cccf63cb21d1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\dOA68CC.tmp
                Filesize

                524KB

                MD5

                df1708b19d4affe18e24774ed16b22cd

                SHA1

                1e00dfb6504c3a08f477cde060785b7d19fc8b22

                SHA256

                6d9c4ee6d9e8119935a3e61f41a62e2c7a171cbdd7358c6be0cd9cf572ad351f

                SHA512

                8bf917914db3a1e9c633a740b022424da473a718bdde5c7de65761485fa783044210082434cd1636df91b53d3098647c336bb9924e009c3c1db68042cbca4e91

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\lsW1.cmd
                Filesize

                126B

                MD5

                ed1c55917f20edef9a5c98d66d71fbd2

                SHA1

                c86f18bfa400277289975acae20d4d8754064cba

                SHA256

                12c2242ead9ff2b6629c572b2d34048ec0429387bf4ce7ec120f12dda3cae350

                SHA512

                52df969bbfaddcee46ab8604d71cd9e21eb8b97d3c81f607771fca4f2368eed5334f1024371feb313069ef48ccb4a557e1692d9b228d48558e8b5175adaddf42

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pruztwesow.lnk
                Filesize

                884B

                MD5

                09edf5991d5ea0fd11800d9860105b3e

                SHA1

                185365b8a7aecfca40a3b7d1142727b3177ecb60

                SHA256

                5cb3f83fe1015efc5a921a60479719124a8dc905094998ecaf426b6d12523f23

                SHA512

                00d64fbb3a4ef82640e8ebb1fbe3fc59f3942cbd2fc4a0a5c5e72661b02e54b7e78d93d5080697ae1c2cb09fdde9707b026f3b309d1520f7e5d223223ee18a0d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\SUJD\slui.exe
                Filesize

                534KB

                MD5

                eb725ea35a13dc18eac46aa81e7f2841

                SHA1

                c0b3304c970324952e18c4a51073e3bdec73440b

                SHA256

                25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

                SHA512

                39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

                Download Submit

              • memory/3380-0-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3380-2-0x0000000001390000-0x0000000001397000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3380-6-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-22-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-13-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-30-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-31-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-29-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-27-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-28-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-25-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-26-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-24-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-48-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-21-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-18-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-17-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-16-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-15-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-14-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-32-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-12-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-11-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-10-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-9-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-8-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-7-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-20-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-50-0x0000000003550000-0x0000000003557000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3548-51-0x00007FFC0ED80000-0x00007FFC0ED90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3548-39-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-60-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-23-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-19-0x0000000140000000-0x0000000140082000-memory.dmp

                Filesize

                520KB

                Download

              • memory/3548-5-0x00007FFC0CF4A000-0x00007FFC0CF4B000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3548-3-0x00000000077D0000-0x00000000077D1000-memory.dmp

                Filesize

                4KB

                Download