Analysis

  • max time kernel
    51s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 06:12

General

  • Target
    $R0.dll
  • Size
    128KB
  • MD5
    7ff63507a1ea33dc677c1f0a838fadf6
  • SHA1
    c35183495c7d90f22ad83970b4a86ca0c4b8b433
  • SHA256
    68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3
  • SHA512
    cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d
  • SSDEEP
    1536:RGkDMJFeUvHjc5m9uY2nTP3f3ZOvzyaBnoifEhRfbBRJRZrPatTcu69OA7M6nFNR:gJ8p7JafiBRJRZrNMA7M6nFNend2

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Modifies registry class 39 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
      2⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~2\3721\3721\cns01.dat
    Filesize
    730B
    MD5
    af759437bb010b6312207e76a40a8878
    SHA1
    39db4bb04d290e80fc231ac9220ba71aac4b4751
    SHA256
    f94ca0f6a520ccfea930feb39e7b02c1c0b70ebd72ade0362a220965ea8eeb0f
    SHA512
    1eac5778935fc6728bdd1fb4d6c96265c75796eff31490246b80cd5b899e081797abd5fd7735c61756498006ac3007cc63805af8f6590b58582ad142c39ff2af

  • C:\PROGRA~2\3721\Helper.dll
    Filesize
    44KB
    MD5
    49ae58008fc003af6f952a82c33aa3dd
    SHA1
    330630c95b6be9b61398d5952be9ee1f45799606
    SHA256
    8036ad2d2f302fafdef719836277834dd4f39289c326439543a86ac899384873
    SHA512
    bc9f20a02903452ecfa63fe290bfa550b10ce548247bb2452c3eb23bbca48d82144ab2fad22e4da7349465a3e0be5230b9cc0e2028a3318d7ea2990bca7ae8c3

  • C:\Program Files (x86)\3721\autolive.dll
    Filesize
    128KB
    MD5
    7ff63507a1ea33dc677c1f0a838fadf6
    SHA1
    c35183495c7d90f22ad83970b4a86ca0c4b8b433
    SHA256
    68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3
    SHA512
    cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d

  • memory/2232-19-0x0000000000710000-0x0000000000733000-memory.dmp
    Filesize
    140KB