Overview

overview

7

Static

static

3

89a291ea12...d2.dll

windows7-x64

7

89a291ea12...d2.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/06/2024, 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89a291ea12e10912f1779ad52be30e590e90451d2d13d0ad009952803a17f6d2.dll

  • Size

    792KB

  • MD5

    c881d9ca9d58c88d30bd2b0a4ee56195

  • SHA1

    3e1b3618235357913e904918ae053e9b9b43500d

  • SHA256

    89a291ea12e10912f1779ad52be30e590e90451d2d13d0ad009952803a17f6d2

  • SHA512

    b6747178aedbf1e8e4a9bd169508d7a10ccd5407ece83f24c355ceb619f597dceb270aac62fd8264e3f0fdca06e40763b6f553e6affa2c2b2ae2ac997cb0aad2

  • SSDEEP

    6144:Si05kH9OyU2uv5SRf/FWgFgtTgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:9rHGPv5SmptEDmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\89a291ea12e10912f1779ad52be30e590e90451d2d13d0ad009952803a17f6d2.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2752
  • C:\Windows\system32\CloudExperienceHostBroker.exe
    C:\Windows\system32\CloudExperienceHostBroker.exe
    1⤵
      PID:4044
    • C:\Windows\system32\dllhst3g.exe
      C:\Windows\system32\dllhst3g.exe
      1⤵
        PID:5004
      • C:\Windows\system32\RecoveryDrive.exe
        C:\Windows\system32\RecoveryDrive.exe
        1⤵
          PID:3764
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\tJES.cmd
          1⤵
            PID:5068
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:4860
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
              2⤵
                PID:3560
            • C:\Windows\system32\pospaymentsworker.exe
              C:\Windows\system32\pospaymentsworker.exe
              1⤵
                PID:1896
              • C:\Windows\system32\mstsc.exe
                C:\Windows\system32\mstsc.exe
                1⤵
                  PID:548
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\fXrX.cmd
                  1⤵
                  • Drops file in System32 directory
                  PID:3364
                • C:\Windows\System32\fodhelper.exe
                  "C:\Windows\System32\fodhelper.exe"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3228
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Qny.cmd
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4488
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Create /F /TN "Niazd" /SC minute /MO 60 /TR "C:\Windows\system32\7805\mstsc.exe" /RL highest
                      3⤵
                      • Creates scheduled task(s)
                      PID:2960

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\Qny.cmd
                  Filesize

                  121B

                  MD5

                  11f0d20f2a9aefbc7e5fe1f338ec824d

                  SHA1

                  fd309a6dbc1b926256913c49009e3231f7caf173

                  SHA256

                  a7f635cbebd896c13201c3445376763c1cfb613a7b84371b99b6ea4770abaced

                  SHA512

                  bd3537045775cab23bc1baa953b27fe22685963baff974fce400a7dd423f28bbbc32911df91df5809540f17933737a0ce9748e38c5b13f53481ea62e33e148f3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ZRT6070.tmp
                  Filesize

                  796KB

                  MD5

                  36d1495a46309c5b1dada8c2e1d3fbf8

                  SHA1

                  355bce52818b58a17644ff088040ec11c2cfdfb6

                  SHA256

                  5f1a636c6d6288b36b35aa83f22a288409354a2629780acd61d4dcdfd4d857ee

                  SHA512

                  79487021580c8bc2c6befbb4b122e2778d62a21d70662b78b369b5b95c3708712b037fef0a20d61f54851a38fdf6f050abd68d82ebc2eea5f85b8fe27990cd57

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\fXrX.cmd
                  Filesize

                  191B

                  MD5

                  27162674260aa3f7fdaccd8aff6bfc38

                  SHA1

                  03ebdeda3e53971be9f6aa500785bca2d4e24958

                  SHA256

                  864fd7b1d913298ded024097527c0550243bd07529e8cc9f31555686de701c6e

                  SHA512

                  7d61b27d050d6b3a4c27784616e40cac142f263c54583e11dc0eb4bb9d3a57c0cb1cbfaee4b6fe881dd0463b09381aac81b01bd834e1ff37b52309403bc3b292

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tJES.cmd
                  Filesize

                  239B

                  MD5

                  3b5e81d097e9a2cb7b80535f7cf30e85

                  SHA1

                  045d7b542448d226aa47281b9d4d22ec99e43c55

                  SHA256

                  8683f6e1bd05b27375d7d428d8a2fe8113a93f7b0a65bacbc2c69169a9abecb6

                  SHA512

                  713605fd4c226627b8ead51af1ff97586be9718bf315cfc7fba5440b577bf9943dc97d8fd82ebb3e62679ced0a4b24527746877bfcaef3c3a65cd87b0743ae37

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\xoZ5DA1.tmp
                  Filesize

                  796KB

                  MD5

                  89785f7fa83471c69fc9f18a8f2aaa70

                  SHA1

                  0dc6341b3a59c6e37e9b73ab8626ed8b6de8a95c

                  SHA256

                  6d736fb8e816db82504286c7d17847be5666586bea7bff4f47664fe60116b599

                  SHA512

                  1655c7ad2271b5a2a3b93186abfefa872f73647ab932ca267ee60f8ca87175bb7ae9f82bb6e73811d4444b199099a7ff26c7205a7947c7f0cec54d8c5606ab69

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\7GMXSn\RecoveryDrive.exe
                  Filesize

                  911KB

                  MD5

                  b9b3dc6f2eb89e41ff27400952602c74

                  SHA1

                  24ae07e0db3ace0809d08bbd039db3a9d533e81b

                  SHA256

                  630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

                  SHA512

                  7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iphtcfjrejti.lnk
                  Filesize

                  938B

                  MD5

                  309b1607ebf13bec6ffcdc9fcdcdbbb7

                  SHA1

                  61cf554f95153f70a0255f70d1c18aa3e8a306a1

                  SHA256

                  eeebaad8480f2fc8774040f376e0a5d9c3782551fa2060010bea6ebeebc8e71a

                  SHA512

                  4a3dc99f81d462289e633bdc72c6353ad2aafb012075850a8c51be18c9f37bdd83f8b80212008d0ec7aa1dbd159e826f79b2ad27f4a0c0ebb96d682f7c822d09

                  Download Submit

                • memory/2752-0-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/2752-2-0x00000194C66A0000-0x00000194C66A7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/2752-5-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-20-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-15-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-29-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-27-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-28-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-26-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-25-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-24-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-22-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-21-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-38-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-19-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-18-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-17-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-16-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-30-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-14-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-13-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-12-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-11-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-10-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-9-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-8-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-23-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-49-0x0000000008990000-0x0000000008997000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/3488-50-0x00007FF80DF40000-0x00007FF80DF50000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3488-47-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-59-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-31-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-7-0x0000000140000000-0x00000001400C6000-memory.dmp

                  Filesize

                  792KB

                  Download

                • memory/3488-6-0x00007FF80C3AA000-0x00007FF80C3AB000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3488-3-0x00000000089B0000-0x00000000089B1000-memory.dmp

                  Filesize

                  4KB

                  Download