cac511a98c5457c476d2f5fe61e35b54e2711a1fedddfbd6a231d5aafdb3b084

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cac511a98c5457c476d2f5fe61e35b54e2711a1fedddfbd6a231d5aafdb3b084.dll
Size

724KB
MD5

6b05b22403aab1bf11541a6c835199ff
SHA1

fc0edac7ac6a1c15667db448bb7412fc4fee746b
SHA256

cac511a98c5457c476d2f5fe61e35b54e2711a1fedddfbd6a231d5aafdb3b084
SHA512

fdec6eb29f451590a6cf2b2aebc2ccb1fbebe3e0852317f894d5c77767c6d3da5be76801bda96bce2b696109f5cbd1bf9362c2764ac8c440a048682d704e00fe
SSDEEP

6144:Bi05kH9OyU2uv5SRf/FWgFgt2gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTb:ErHGPv5Smpt7DmUWuVZkxikdXcq

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ydmmtcuy = "\"C:\\Users\\Admin\\AppData\\Roaming\\dDm9oEi\\FXSCOVER.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\4276\rrinstaller.exe	cmd.exe
File opened for modification	C:\Windows\system32\4276\rrinstaller.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2844	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MSCFile\shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MSCFile\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MSCFile\shell\open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MSCFile	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MSCFile\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MSCFile	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MSCFile\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MSCFile\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\Ijl3Ag.cmd"	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	rundll32.exe
2176	rundll32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2548	1196	Process not Found	28
PID 1196 wrote to memory of 2548	1196	Process not Found	28
PID 1196 wrote to memory of 2548	1196	Process not Found	28
PID 1196 wrote to memory of 2644	1196	Process not Found	29
PID 1196 wrote to memory of 2644	1196	Process not Found	29
PID 1196 wrote to memory of 2644	1196	Process not Found	29
PID 1196 wrote to memory of 2436	1196	Process not Found	31
PID 1196 wrote to memory of 2436	1196	Process not Found	31
PID 1196 wrote to memory of 2436	1196	Process not Found	31
PID 2436 wrote to memory of 2484	2436	cmd.exe	33
PID 2436 wrote to memory of 2484	2436	cmd.exe	33
PID 2436 wrote to memory of 2484	2436	cmd.exe	33
PID 1196 wrote to memory of 2552	1196	Process not Found	34
PID 1196 wrote to memory of 2552	1196	Process not Found	34
PID 1196 wrote to memory of 2552	1196	Process not Found	34
PID 1196 wrote to memory of 2992	1196	Process not Found	35
PID 1196 wrote to memory of 2992	1196	Process not Found	35
PID 1196 wrote to memory of 2992	1196	Process not Found	35
PID 1196 wrote to memory of 2320	1196	Process not Found	37
PID 1196 wrote to memory of 2320	1196	Process not Found	37
PID 1196 wrote to memory of 2320	1196	Process not Found	37
PID 2320 wrote to memory of 2716	2320	eventvwr.exe	38
PID 2320 wrote to memory of 2716	2320	eventvwr.exe	38
PID 2320 wrote to memory of 2716	2320	eventvwr.exe	38
PID 2716 wrote to memory of 2844	2716	cmd.exe	40
PID 2716 wrote to memory of 2844	2716	cmd.exe	40
PID 2716 wrote to memory of 2844	2716	cmd.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cac511a98c5457c476d2f5fe61e35b54e2711a1fedddfbd6a231d5aafdb3b084.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:2548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\zmpneoQ.cmd
1⤵
PID:2644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{eb3fdd8c-c4d0-a1e3-7171-c34cc90f52e3}"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{eb3fdd8c-c4d0-a1e3-7171-c34cc90f52e3}"
  2⤵
  PID:2484

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:2552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\pIocufo.cmd
1⤵
- Drops file in System32 directory
PID:2992

C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Ijl3Ag.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Kbysivkqsduf" /SC minute /MO 60 /TR "C:\Windows\system32\4276\rrinstaller.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ijl3Ag.cmd

Filesize
134B

MD5
d25370d4c95fc442d9dfdbfbffd889ce

SHA1
69203d13cf0215ea2bec0f664b0ffe73a1d4acf1

SHA256
b1932be9fba2a7fcee1371acda02082f895e5bcd810296bf46c71b3a9b505738

SHA512
280f94c6566fa4e6aad1ac1413cfa60c0cdd6e7435c116527d40998540462cafd4f26f68ae455bd3f87aea5d024145d53086c669103eb8486ab5494236287fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1F64.tmp

Filesize
732KB

MD5
ad8b499c6ae113dba029331909ee2ccb

SHA1
a4eb72ac69c7828588fca51a426934791f69cb9d

SHA256
e44db2728760ff04d885af3309434d8f1638fe7904b1bd5f7a89d33470a4c508

SHA512
76d5d298ff0aa2792da3304e1a3b68c0f00c8f139ece8660e3d45beda34c88d66a56d5c2233d25f959ccadbefdfb6dd15b174db72b6e71e46abdc62593367fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1E5A.tmp

Filesize
752KB

MD5
1f7dd071391630b770005ced51751621

SHA1
9f24be025938a87669387f7859415494f4922dda

SHA256
7efb4df8028255566586d78b1958734e0e6b90513bcb8ac982036b668a50c1da

SHA512
60ad4e68e5eddeabcf5548fea0c04d34cc25a75ff655731ab41f1d8250c6e8577eacbe5e683d0a29f2aa2256c67a6bbdb9a2c0bd0ec7aaa3544c94f46dfae6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pIocufo.cmd

Filesize
195B

MD5
f7ef82965fdf6c44e8e07f82d4807703

SHA1
2dd5e9856a6b3dbc4389cd892bcce813eb6641e2

SHA256
3267d79bd377a2122694448b19daed3fd308e53e29b4f3a7730d12b1bdb0bc73

SHA512
1fcfe07a7ec79ab56e3beb4338767c9b4af862c6dbe22d6677af4d369f8cdc0354337c62518301992e063261876334142d4f4c4d17327b4a0bfc9bad5ccad220

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmpneoQ.cmd

Filesize
234B

MD5
31b07fa655e187c2345c7a504f64983c

SHA1
fe90332364567e68afc80388df80c7a9b8621380

SHA256
997edc7d688e41c37ece1bb2e08cfd0cf21d0d187e3fa63ae2b8b51a3b5b9141

SHA512
d91af18bed05e0249cf9e4a159675d593b6dbe16ce5b56bfa9148af279b83b7714e0a9061fd0c4e98dfe41f4909ae8c4bd35f8c93d21dd50533ee6586a5b32f1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ydmmtcuy.lnk

Filesize
890B

MD5
c241dfd4dae4b5b0a37ba09358bf8225

SHA1
f6af69f991abf98822e5bea6fc0379771d6350e6

SHA256
20f2b16b24315d42aa5d07080372e8c52517e0fdf236d845ac8b66ba8e3cf725

SHA512
32549ec2e213109420e5299930ce04a2e9f52ad965e026262e0f11afa24833a0b476825698b682903e521421558f555d887798f5a149b62171f9ea3ba9c61195

Download Submit
C:\Users\Admin\AppData\Roaming\dDm9oEi\FXSCOVER.exe

Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
memory/1196-18-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-14-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-22-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-20-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-32-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-36-0x0000000077BA1000-0x0000000077BA2000-memory.dmp

Filesize
4KB

Download
memory/1196-33-0x0000000002550000-0x0000000002557000-memory.dmp

Filesize
28KB

Download
memory/1196-25-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-24-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-23-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-19-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-39-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-41-0x0000000077D00000-0x0000000077D02000-memory.dmp

Filesize
8KB

Download
memory/1196-93-0x0000000077996000-0x0000000077997000-memory.dmp

Filesize
4KB

Download
memory/1196-17-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-16-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-15-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-21-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-12-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-11-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-10-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-9-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-44-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-45-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-48-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-13-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-8-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-7-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/1196-3-0x0000000077996000-0x0000000077997000-memory.dmp

Filesize
4KB

Download
memory/1196-4-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2176-6-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/2176-1-0x0000000140000000-0x00000001400B5000-memory.dmp

Filesize
724KB

Download
memory/2176-0-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download