Overview

overview

7

Static

static

3

e95ddbff41...02.dll

windows7-x64

7

e95ddbff41...02.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/06/2024, 04:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e95ddbff41d083bc9e5fca32e83b8a4c5f401f4293a29e37aa89e8388d712002.dll

  • Size

    788KB

  • MD5

    fc948b7872a54228a5c44841506ebadc

  • SHA1

    716bc656d0becb3b0b1c4c0c196b2440cbfb4167

  • SHA256

    e95ddbff41d083bc9e5fca32e83b8a4c5f401f4293a29e37aa89e8388d712002

  • SHA512

    975f81398da84bf15ea53de37835d37b3c092044635ca83b5a846c4d35aad405bbe1b541c2ff613661a001fb1b20b7d97f9c38235712fc2b00f460a2f2f8d189

  • SSDEEP

    6144:Pi05kH9OyU2uv5SRf/FWgFgtlgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:KrHGPv5SmptGDmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e95ddbff41d083bc9e5fca32e83b8a4c5f401f4293a29e37aa89e8388d712002.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4164
  • C:\Windows\system32\TapiUnattend.exe
    C:\Windows\system32\TapiUnattend.exe
    1⤵
      PID:4424
    • C:\Windows\system32\sdchange.exe
      C:\Windows\system32\sdchange.exe
      1⤵
        PID:3520
      • C:\Windows\system32\LanguageComponentsInstallerComHandler.exe
        C:\Windows\system32\LanguageComponentsInstallerComHandler.exe
        1⤵
          PID:1292
        • C:\Windows\system32\consent.exe
          C:\Windows\system32\consent.exe
          1⤵
            PID:2688
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\weM.cmd
            1⤵
              PID:2124
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2480
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
                2⤵
                  PID:4676
              • C:\Windows\system32\RdpSaUacHelper.exe
                C:\Windows\system32\RdpSaUacHelper.exe
                1⤵
                  PID:1692
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\pi7v.cmd
                  1⤵
                  • Drops file in System32 directory
                  PID:760
                • C:\Windows\System32\fodhelper.exe
                  "C:\Windows\System32\fodhelper.exe"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3204
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ZCHhtU.cmd
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2824
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Create /F /TN "Fdxhngjjnp" /SC minute /MO 60 /TR "C:\Windows\system32\7145\RdpSaUacHelper.exe" /RL highest
                      3⤵
                      • Creates scheduled task(s)
                      PID:1944

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\5Bq49F9.tmp
                  Filesize

                  792KB

                  MD5

                  78e8685fc1f7a12c25d57437f88449a7

                  SHA1

                  2e4150246760edc407854f95be98e9c54143fc84

                  SHA256

                  cca39fe8837d756c972b8dcd2bb09c05dbf3621ba13d4c077db46268151ee349

                  SHA512

                  bf8fa821ae00cedc6976d693b77b45985aff133dd962fec516f8f54555e3e74bbdffa09aad74d598f1529e532229938d2b3a3f8be206ce4ef8f8380094424067

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\I4AD5.tmp
                  Filesize

                  796KB

                  MD5

                  70509288156558c33d13b3223ead64fa

                  SHA1

                  393937f00943ffd22b933836644f470e9c97043a

                  SHA256

                  17596031f3f3ca0c1637e0857f1bf2da560b5f5ec813ed61d98f1efa40dae007

                  SHA512

                  3ecfe718b9fd08d7d90f2baaffae162dda14dd50b9c34779901d0887b3d57479aad23e166a93da4b3698b0edd03a46ce38b179a7dc7f1264f64edcf3b549a696

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\ZCHhtU.cmd
                  Filesize

                  135B

                  MD5

                  0c5f9e01343c3e9efc650b9727e67a68

                  SHA1

                  a126139945bd0a701b52700c947356d528f53b80

                  SHA256

                  8460f3edaddad41e9a1091e17c0a5904a52cfff99346844bfd6f36059bb660ed

                  SHA512

                  3a85609f026575bd1ef5c324bd9cde93b2bd9292289dcb0d12fb4136bdbad76741aaacf09482dcea76ea40dfeabb77c93f5e06f9c744e4fafb5a5a0814b15aa8

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\pi7v.cmd
                  Filesize

                  198B

                  MD5

                  d3d5cbb919a746738a65345e1c7dce2b

                  SHA1

                  1e5b274a7afc4052853fa3bbc8745a9ac3f2fc7f

                  SHA256

                  698b0412fd19036bcf66b32a1bb2de57999f4526f606b5d3e59a6c03eb041c9c

                  SHA512

                  55d81efe46e2a67a64e223a9eb00289ea3b8950f83e0170485628709632edd3ea2500090b1f4856aff5a8235829293a6930c859424d998fd862a5e8d5737942b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\weM.cmd
                  Filesize

                  236B

                  MD5

                  0e22d9d5113d4f7766dc11a963658302

                  SHA1

                  2c79c6e8fe89b2109c6786c150b2cecfac27773b

                  SHA256

                  9059984bc0e12a5a0b16462c19e84f4e842a2a396425e649a2b755e0f09f62bf

                  SHA512

                  165c211f1333e5fb09e02055f1ca03dc1ec9211128161869ed971c2f7d7314b48d689cc79b21a5ac82d30f085cd2e27754eee3e7479b2d4276bf86760841b111

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\AMTXiDJ\consent.exe
                  Filesize

                  162KB

                  MD5

                  6646631ce4ad7128762352da81f3b030

                  SHA1

                  1095bd4b63360fc2968d75622aa745e5523428ab

                  SHA256

                  56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

                  SHA512

                  1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pruztwesow.lnk
                  Filesize

                  912B

                  MD5

                  1f56ec47a5faefa447804b8f8d432e8e

                  SHA1

                  15bbe4f2bc940f0151ca6d6aa99773a371eb8875

                  SHA256

                  db4f5986051863a851d81b01bb7ffad05baa451ca2b7a4180463ec3680f8759e

                  SHA512

                  788e752d3149eec514a9ff384d95652cf033bd1cdd0b41fc68120ca6ab47eeaa5ab7f516f2927498e2f08c17e6b31b3ec25dec7dd9c90be7f3a46e62db84b6ba

                  Download Submit

                • memory/3508-25-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-20-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-41-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-24-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-18-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-6-0x00007FF8331DA000-0x00007FF8331DB000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3508-13-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-3-0x0000000003090000-0x0000000003091000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3508-44-0x00007FF834420000-0x00007FF834430000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3508-43-0x0000000002640000-0x0000000002647000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/3508-32-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-12-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-22-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-23-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-21-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-53-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-19-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-17-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-16-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-15-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-14-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-11-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-10-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-9-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-8-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/3508-7-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/4164-0-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/4164-5-0x0000000140000000-0x00000001400C5000-memory.dmp

                  Filesize

                  788KB

                  Download

                • memory/4164-2-0x000001B180CD0000-0x000001B180CD7000-memory.dmp

                  Filesize

                  28KB

                  Download