Analysis
- max time kernel: 62s
- max time network: 67s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 13/06/2024, 03:42
Static task: static1
Behavioral task: behavioral1
- Sample: reWASD.dll
- Resource: win11-20240508-en
Behavioral task: behavioral2
- Sample: reWASDCommon.dll
- Resource: win11-20240611-en
General
- Target: reWASD.dll
- Size: 41.1MB
- MD5: afae1e9402f69755b5983e702ca3d629
- SHA1: ee1f88cdecd4e9afef0bba754b2a41e5f57289e2
- SHA256: 85793ef13e02a404bca367c9e16d856752d8d78f19d8348308fb38873f38b181
- SHA512: eb59f02101781dfcb584a0a9635bdc00bdf64a707438d9e090b0328ad19c1086c28f3f1af52a8abefd9c4fe09f05524b5a2d1cb82536dc796e785d08cf934258
- SSDEEP: 393216:fVOb8IDUF1XGZ7463hACbGVWb8Q5yFl54v7463hQ:fY7DUFtY75hAwGQ75yFry75hQ
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Rows are description: ioc (Process).
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)

Modifies Internet Explorer settings
Rows are description: ioc (Process). All keys below are relative to \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer.
- Set value (int): GPU\SoftwareFallback = "0" (iexplore.exe)
- Set value (int): GPU\Revision = "0" (iexplore.exe)
- Key created: Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy (iexplore.exe)
- Set value (int): Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" (iexplore.exe)
- Set value (int): Main\DisableFirstRunCustomize = "1" (iexplore.exe)
- Set value (int): GPU\DeviceId = "140" (iexplore.exe)
- Set value (int): GPU\SubSysId = "0" (iexplore.exe)
- Set value (int): Main\OperationalData = "13" (iexplore.exe)
- Key created: VersionManager (iexplore.exe)
- Set value (int): BrowserEmulation\IECompatVersionHigh = "268435456" (iexplore.exe)
- Set value (int): VersionManager\FirstCheckForUpdateLowDateTime = "3992010596" (iexplore.exe)
- Key created: BrowserEmulation (iexplore.exe)
- Set value (int): BrowserEmulation\IECompatVersionHigh = "0" (iexplore.exe)
- Set value (int): BrowserEmulation\IECompatVersionLow = "395196024" (iexplore.exe)
- Key created: Main (iexplore.exe)
- Set value (int): BrowserEmulation\CVListXMLVersionLow = "395196024" (iexplore.exe)
- Key created: GPU (iexplore.exe)
- Set value (int): BrowserEmulation\StaleCompatCache = "1" (iexplore.exe)
- Set value (int): BrowserEmulation\StaleCompatCache = "0" (iexplore.exe)
- Set value (int): TabbedBrowsing\NTPMigrationVer = "1" (iexplore.exe)
- Set value (int): BrowserEmulation\IECompatVersionLow = "0" (iexplore.exe)
- Set value (int): GPU\VendorId = "4318" (iexplore.exe)
- Set value (int): BrowserEmulation\CVListDomainAttributeSet = "0" (iexplore.exe)
- Key created: TabbedBrowsing (iexplore.exe)
- Set value (int): Main\OperationalData = "9" (iexplore.exe)
- Set value (int): BrowserEmulation\CVListXMLVersionHigh = "268435456" (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created: Main (iexplore.exe)
- Set value (int): Main\OperationalData = "8" (iexplore.exe)
- Set value (int): VersionManager\FirstCheckForUpdateHighDateTime = "31112590" (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (int): Main\DisableFirstRunCustomize = "1" (iexplore.exe)
Modifies data under HKEY_USERS (2 IoCs)
Rows are description: ioc (Process).
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627238567417426" (chrome.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 2200 chrome.exe (2 hits)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
- pid 2200 chrome.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Rows are description: pid Process.
- Token: SeShutdownPrivilege: 2200 chrome.exe (5 hits)
- Token: SeCreatePagefilePrivilege: 2200 chrome.exe (5 hits)

Suspicious use of FindShellTrayWindow (27 IoCs)
- pid 2200 chrome.exe (27 hits)

Suspicious use of SendNotifyMessage (12 IoCs)
- pid 2200 chrome.exe (12 hits)

Suspicious use of WriteProcessMemory (64 IoCs)
Rows are description: pid Process, procid_target; identical rows are collapsed with a hit count.
- PID 4260 wrote to memory of 2504: 4260 rundll32.exe, target 78 (3 hits)
- PID 2200 wrote to memory of 3564: 2200 chrome.exe, target 86 (2 hits)
- PID 2200 wrote to memory of 2980: 2200 chrome.exe, target 87 (31 hits)
- PID 2200 wrote to memory of 3452: 2200 chrome.exe, target 88 (2 hits)
- PID 2200 wrote to memory of 2176: 2200 chrome.exe, target 89 (26 hits)
Processes
- C:\Windows\system32\rundll32.exe (PID 4260)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\reWASD.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2504)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\reWASD.dll,#1
- C:\Program Files\Internet Explorer\iexplore.exe (PID 2708)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DismountWatch.gif
  - Modifies Internet Explorer settings
- C:\Program Files\Internet Explorer\iexplore.exe (PID 4896)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ShowCheckpoint.gif
  - Modifies Internet Explorer settings
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2200)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Desktop\SwitchNew.shtml
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3564)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac455ab58,0x7ffac455ab68,0x7ffac455ab78
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2980)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1808,i,14075787580984055030,14742460085785415548,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3452)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1808,i,14075787580984055030,14742460085785415548,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2176)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1808,i,14075787580984055030,14742460085785415548,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5104)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1808,i,14075787580984055030,14742460085785415548,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4836)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1808,i,14075787580984055030,14742460085785415548,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2892)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=1808,i,14075787580984055030,14742460085785415548,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3232)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 --field-trial-handle=1808,i,14075787580984055030,14742460085785415548,131072 /prefetch:8
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 1124)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads