58b0985b45d713c9a03c2ef9595270129a529d7568918bd86a7f05942941b317

Analysis

max time kernel
194s
max time network
256s
platform
windows10-1703_x64
resource
win10-20240404-es
resource tags

arch:x64arch:x86image:win10-20240404-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
03/10/2024, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sqlite.dll
Size

5.3MB
MD5

b073f1111619c4a7539a0110d2387ff1
SHA1

50058b937602e4b14c7e36e7e36c498cd45b10f7
SHA256

b105a20ec8cf2aa1868689019cbf76bab597c1ed88082b8481c08090526be633
SHA512

23917a90b58faef995f2f5f73e140b8a540fb58f49c88a42d95b94f603b61e7921c8bb6df6170fadb81d33963632b04644f5d48c941fd69914a54db3e3811d83
SSDEEP

98304:Q12tW5t8QTrNQrDxJSB695pyYbdwYdP+e7WaTnGSAp9sPrP/nHXOk2:e2Ij8QTrNQrDOEDp+Yd7yaTRPj2X

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	rundll32.exe

Blocklisted process makes network request 13 IoCs

flow	pid	Process
1	3620	rundll32.exe
4	3620	rundll32.exe
4	3620	rundll32.exe
4	3620	rundll32.exe
4	3620	rundll32.exe
4	3620	rundll32.exe
4	3620	rundll32.exe
4	3620	rundll32.exe
4	3620	rundll32.exe
7	3620	rundll32.exe
1	3620	rundll32.exe
4	3620	rundll32.exe
4	3620	rundll32.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api64.ipify.org
4	api64.ipify.org
6	ipinfo.io
7	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3620	rundll32.exe
3620	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3620	2780	rundll32.exe	73
PID 2780 wrote to memory of 3620	2780	rundll32.exe	73
PID 2780 wrote to memory of 3620	2780	rundll32.exe	73

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite.dll,#1
  2⤵
  - Modifies firewall policy service
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3620

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3620-0-0x0000000073066000-0x0000000073322000-memory.dmp

Filesize
2.7MB

Download
memory/3620-1-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/3620-2-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/3620-3-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/3620-8-0x0000000072ED0000-0x0000000073865000-memory.dmp

Filesize
9.6MB

Download
memory/3620-7-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3620-6-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/3620-5-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3620-4-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3620-18-0x0000000073066000-0x0000000073322000-memory.dmp

Filesize
2.7MB

Download
memory/3620-19-0x0000000072ED0000-0x0000000073865000-memory.dmp

Filesize
9.6MB

Download