Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/06/2024, 01:21 UTC

General

  • Target

    beefa8b66319f9f9e918e9b59f2abd98d5edd82d714f17072894e572ec003e98.exe

  • Size

    76KB

  • MD5

    2533de08d221342961e8f5382fd0357a

  • SHA1

    dabe6e7b5866e9742c08786352817156e80fe7f6

  • SHA256

    beefa8b66319f9f9e918e9b59f2abd98d5edd82d714f17072894e572ec003e98

  • SHA512

    83124312a2102fd3359a5ff46015a488b845cf533909101d82dc16139378da949479d8490ce27524150c73c896c4b5ce2277fcc115883d20b540dc1708357562

  • SSDEEP

    768:Z1zRSL+BoBxN9tpdC7EezJ0d8hPUtrFRtFtg3NojiwvuccA4iiKahtAZchhD6EWr:l3oBdk7ESuqhParNMKnFfiroZchxfSF

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Creates a Windows Service
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\beefa8b66319f9f9e918e9b59f2abd98d5edd82d714f17072894e572ec003e98.exe
    "C:\Users\Admin\AppData\Local\Temp\beefa8b66319f9f9e918e9b59f2abd98d5edd82d714f17072894e572ec003e98.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\beefa8b66319f9f9e918e9b59f2abd98d5edd82d714f17072894e572ec003e98.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • Runs ping.exe
        PID:1536
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "SRDSLZ"
    1⤵
      PID:3380
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "SRDSLZ"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\SysWOW64\SRDSLZ.exe
        C:\Windows\system32\SRDSLZ.exe "c:\program files (x86)\240599000.dll",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4772

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
    • 119.91.152.151:8986
      SRDSLZ.exe
      260 B
      5
    • 119.91.152.151:8986
      SRDSLZ.exe
      260 B
      5
    • 119.91.152.151:8986
      SRDSLZ.exe
      260 B
      5
    • 119.91.152.151:8986
      SRDSLZ.exe
      260 B
      5
    • 119.91.152.151:8986
      SRDSLZ.exe
      208 B
      4
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      330 B
      5

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      8.8.8.8.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\240599000.dll

      Filesize

      33KB

      MD5

      cfe61ee50c917c587a08fd4ac5b61849

      SHA1

      770e76f7cdeea081f7cca0a0ebea7f8231186398

      SHA256

      54077b9108eb2d7c4a539e553fe2071b44698cdb39da6ef59c64025cf1111906

      SHA512

      686aa2a6ddcda9640b1159dd56344601189f1fa78e72866d12902811a3ac67bb6f324d7588ebf6b2b79f6bfe9d92015298c1b0bc8858234027301bf2a0b67ddc

    • C:\Windows\SysWOW64\SRDSLZ.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.