402f0315faf2402ddf4c17a19014142e20080ddc76edd9b11a9b205232ece743

General

Target

402f0315faf2402ddf4c17a19014142e20080ddc76edd9b11a9b205232ece743.dll
Size

964KB
MD5

4f2146321b84379dabd81ded9f76827b
SHA1

7ed3cf3e7ce9a5831c511fc6a3901929831f3e0f
SHA256

402f0315faf2402ddf4c17a19014142e20080ddc76edd9b11a9b205232ece743
SHA512

1d1fdc78456c1d51e47b3eba6884bacb1fe9b1f5e7ae6a3e2d835658081a87d56ab0d7b3264f61b69d8ab3c18f8f6e3bae6ede437d8180f2b4dc244359fd4df9
SSDEEP

6144:hi05kH9OyU2uv5SRf/FWgFgt2gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTs:krHGPv5Smpt7DmUWuVZkxikdXcqjixB

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1916	rundll32.exe
1916	rundll32.exe
1196	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2688	1196	Process not Found	28
PID 1196 wrote to memory of 2688	1196	Process not Found	28
PID 1196 wrote to memory of 2688	1196	Process not Found	28
PID 1196 wrote to memory of 2240	1196	Process not Found	29
PID 1196 wrote to memory of 2240	1196	Process not Found	29
PID 1196 wrote to memory of 2240	1196	Process not Found	29
PID 1196 wrote to memory of 2864	1196	Process not Found	30
PID 1196 wrote to memory of 2864	1196	Process not Found	30
PID 1196 wrote to memory of 2864	1196	Process not Found	30
PID 1196 wrote to memory of 2476	1196	Process not Found	31
PID 1196 wrote to memory of 2476	1196	Process not Found	31
PID 1196 wrote to memory of 2476	1196	Process not Found	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\402f0315faf2402ddf4c17a19014142e20080ddc76edd9b11a9b205232ece743.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
1⤵
PID:2688

C:\Windows\system32\AxInstUI.exe
C:\Windows\system32\AxInstUI.exe
1⤵
PID:2240

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:2864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Z6qQZR.cmd
1⤵
PID:2476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{ea1aa314-bdaf-1e0a-932a-fb0ef1f17f06}"
1⤵
PID:2436
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{ea1aa314-bdaf-1e0a-932a-fb0ef1f17f06}"
  2⤵
  PID:2484

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Ve8d.cmd
1⤵
PID:3052

C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
1⤵
PID:2500
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\aAzrya.cmd
  2⤵
  PID:3000
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Wtytwvz" /SC minute /MO 60 /TR "C:\Windows\system32\1671\BdeUISrv.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ni251E.tmp

Filesize
968KB

MD5
15dc6f46e14e805f1e2c5dac5e14bfbd

SHA1
c665ff92808735378c97adae7e1c6857f735edb0

SHA256
140098c0fd28257bce139c7b571f5e379ca4e23ab0b5c6128dc40713cbf9e6e0

SHA512
59993c118a0872fdf99a218d90e9f2929672b42ef73aa60864d79a187b81f330759f83c86981f5254bc5ca78d9969f32f5a473cc37d368221304fab125af3d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uz2424.tmp

Filesize
968KB

MD5
b2b11a2562059e260fed3692dce3e56c

SHA1
f6c76e0ddc0fd2bd6d62be0b57a6fc8e1de5ff3e

SHA256
853405c18defc877cded05efc94e8b8da05501593ee94690eda82712994abb4f

SHA512
8dca9bbf750ece34b87a4942080c0c712e23ddb28531772b4421953fe8328960bce823c665d8dccb5fe3aeaac64ec3ccb413676d9e97c895115193b0225e4ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ve8d.cmd

Filesize
195B

MD5
4e6a998514e282bbfc34e70ffb08539f

SHA1
b49b55b22d132ef30b27f5e1bd4756edfb8dcddf

SHA256
bdf7f2267f4c0e2179743fdff59d7973d5053089f2c96f33b8d314b24016e9c2

SHA512
adb61e30c32df282946eb21fe596dc9f5c82e3ecfae34e33071fb6f98aa8bf9cf1255e05bc40c39896257232217a9c22867d8da703ac14c2d3bb35a4388e28a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6qQZR.cmd

Filesize
231B

MD5
f3690d97fa46f156836fdc06df592273

SHA1
e4d2f89cf42a2af89eedd03d038c07f2d2d1cd40

SHA256
742e912399ede4f56e603aa802bfe544f126780c13bc8344c1fd26e86f89a716

SHA512
70b62a874b2d8fa39f768ff9022ab3c817a9f5f6f25e3ff395bea3dd6fe5a0282f6fbbee3a8db6796256a8582d911912f052098217b6c98e91d8b715ae9ff095

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAzrya.cmd

Filesize
126B

MD5
309517261951080759744e159c4d824c

SHA1
49f6a5501e974735a0d31929e2170876b8092b1f

SHA256
5d8aa570e98c94944dd8413c895eabf135119858cdd911a5255afdd2eb8c6d88

SHA512
98cd3f5145b9889bd42034541be98d962acb439b18028bbc470cf8c2adcfbeaafac1e856ce7f6783a8281ae4b04c52464c5333b391d9eceae7f0967e2d7926eb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybhspkdtbke.lnk

Filesize
890B

MD5
8a4f6fbbc366a459577deb124d10a146

SHA1
6f5b4a1b34ca22a4c950727257b8a2f7c2454541

SHA256
bb2a26a0265ba895499a22de1e6f6f522323d63f4c58f18b54bc33ccb487bd81

SHA512
398a74ce7c8d0dc1bbc50db7017c4c8c4a0098214cd8a87d6fc9636df83b685653ed429facc0aa8f7687aa7b0e2417fd9ce02ae4c16c313e9145a0a89254d1fd

Download Submit
\Users\Admin\AppData\Roaming\hSs43\VaultSysUi.exe

Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
memory/1196-45-0x0000000077480000-0x0000000077482000-memory.dmp

Filesize
8KB

Download
memory/1196-16-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-19-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-34-0x0000000077321000-0x0000000077322000-memory.dmp

Filesize
4KB

Download
memory/1196-28-0x0000000002DA0000-0x0000000002DA7000-memory.dmp

Filesize
28KB

Download
memory/1196-7-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/1196-96-0x0000000077216000-0x0000000077217000-memory.dmp

Filesize
4KB

Download
memory/1196-3-0x0000000077216000-0x0000000077217000-memory.dmp

Filesize
4KB

Download
memory/1196-47-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-46-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-8-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-41-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-18-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-17-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-31-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-15-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-23-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-14-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-22-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-13-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-12-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-21-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-20-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-11-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-10-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1196-9-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1916-2-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1916-0-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/1916-6-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads