402f0315faf2402ddf4c17a19014142e20080ddc76edd9b11a9b205232ece743

General

Target

402f0315faf2402ddf4c17a19014142e20080ddc76edd9b11a9b205232ece743.dll
Size

964KB
MD5

4f2146321b84379dabd81ded9f76827b
SHA1

7ed3cf3e7ce9a5831c511fc6a3901929831f3e0f
SHA256

402f0315faf2402ddf4c17a19014142e20080ddc76edd9b11a9b205232ece743
SHA512

1d1fdc78456c1d51e47b3eba6884bacb1fe9b1f5e7ae6a3e2d835658081a87d56ab0d7b3264f61b69d8ab3c18f8f6e3bae6ede437d8180f2b4dc244359fd4df9
SSDEEP

6144:hi05kH9OyU2uv5SRf/FWgFgt2gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTs:krHGPv5Smpt7DmUWuVZkxikdXcqjixB

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3004	rundll32.exe
3004	rundll32.exe
3004	rundll32.exe
3004	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found
Token: SeShutdownPrivilege	3492	Process not Found
Token: SeCreatePagefilePrivilege	3492	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3492	Process not Found
3492	Process not Found

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 1164	3492	Process not Found	100
PID 3492 wrote to memory of 1164	3492	Process not Found	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\402f0315faf2402ddf4c17a19014142e20080ddc76edd9b11a9b205232ece743.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3004

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:8
1⤵
PID:920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\CB985.cmd
1⤵
PID:1000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6fbc9e50-6a1b-17d9-5db5-133f618c672e}"
1⤵
PID:4680
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6fbc9e50-6a1b-17d9-5db5-133f618c672e}"
  2⤵
  PID:4900

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:4276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\32t.cmd
1⤵
PID:1184

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
PID:2408
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\LzI.cmd
  2⤵
  PID:2608
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Lgeeulo" /SC minute /MO 60 /TR "C:\Windows\system32\7997\ApplicationFrameHost.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32t.cmd

Filesize
203B

MD5
591ca46e7763ee54d0e946a7081b807e

SHA1
d3d4ceed7d542d5b6f01ecba3a57f80c16e85331

SHA256
10d1c6d4c9795b18516393c5521fe7ceb7f94d4867b3d76881c402eaf78185d0

SHA512
8bc6e184b552ec7c4da7a85596028c7bfc57ee9da66e4484c2ffec9896753893e80f3400dafe58d8556d5b5eb46e47fd157703826d59e39523bcd7798f1dbdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CB985.cmd

Filesize
238B

MD5
7a9ede32ad8fe987e4d084dfd6a62a08

SHA1
d2eb244117de6d22734afee554515bf67a801739

SHA256
830161f6603f24fcbc950472d43ba99f399da1865f0fe7244074d1105b7578c0

SHA512
25d26d52c9f020ccc7031a80b22da5150a82df55530cc266dd14f0aeb278e8347eadf889504296824ac4fd71353a63a5b93fa44275ad3a06c63db89e34fa9af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzI.cmd

Filesize
138B

MD5
5bcac58dd0093e7c187c330d795da4b9

SHA1
c166fc3337845e3c4d0f7b329bb8a092049fdca4

SHA256
cca5af811c688fd60e3ae685d6787e28aa014203dec817c3b9ca030713a52113

SHA512
ba94ceb7ea7afee115cd273a825bdee4c2af4e02b2a088befc947a9b79871b4228fa8259e747d5423536f5116ee71efc6722531895cc633f2a98e080821e472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwF5BB.tmp

Filesize
968KB

MD5
2223d5fc71ba41bc12a0c1379a12528c

SHA1
6ad87e446cf23ebede51d85751c22368e84dab18

SHA256
282542f75c71b34702ea1f44f21b863faa399d3be0aa07f4209f8d0d987fa0e9

SHA512
7596ef2aae9efe3dcf5bc577202075d38b0177227a64516eb1bde25c4cb6781c4527b6270c44992bb647fdda543f112ca458878e5e0a26f96ae07d2093c9750f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rGUF4DF.tmp

Filesize
1.2MB

MD5
fa915c6d5aad1887e46b87aad6ed7757

SHA1
6b4a04c5892b44e9d1c6cd8a366b1d64546e7f31

SHA256
6c16ab6a6388c88caf9f1d67e3c07a262ee8b76b1c5d2ec8c6ca8f0c91b752bc

SHA512
01c85b3bed786b7be86440f272df54a2c0e29c7f85f59115ed6431820d9c8a8da796e12f3cf07795f5c8ecc4b8f2277e03e6f2fb719a37658015ebbc282cc9b4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Esxju.lnk

Filesize
964B

MD5
ea3d397876be01951eddd91669609ef2

SHA1
12342af4f394dbb1708f01693f5e65188102692e

SHA256
e173fcb163ffbe2f887c98ee467952938cc89330c7736c9c56605d93354a2a60

SHA512
22d6ca4bb88ef0c76c0561d0697f873c65f79b08b8dcc270527ad632821c885cf5bb951db4f599e670a6e3cef6b43ba3cecce1b8f2a59bbab399d1ae3963dfda

Download Submit
C:\Users\Admin\AppData\Roaming\jeNU\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
memory/3004-0-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3004-2-0x00007FFFCAA90000-0x00007FFFCAC85000-memory.dmp

Filesize
2.0MB

Download
memory/3004-7-0x00007FFFCAA90000-0x00007FFFCAC85000-memory.dmp

Filesize
2.0MB

Download
memory/3004-6-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-19-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-13-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-22-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-21-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-20-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-40-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-18-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-17-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-16-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-15-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-14-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-24-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-12-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-11-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-10-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-9-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-31-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-42-0x0000000006EB0000-0x0000000006EB7000-memory.dmp

Filesize
28KB

Download
memory/3492-52-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-43-0x00007FFFCAA80000-0x00007FFFCAA90000-memory.dmp

Filesize
64KB

Download
memory/3492-23-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-8-0x0000000140000000-0x00000001400F1000-memory.dmp

Filesize
964KB

Download
memory/3492-3-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/3492-5-0x00007FFFC90AA000-0x00007FFFC90AB000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads