58b0985b45d713c9a03c2ef9595270129a529d7568918bd86a7f05942941b317

General

Target

sqlite.dll
Size

5.3MB
MD5

b073f1111619c4a7539a0110d2387ff1
SHA1

50058b937602e4b14c7e36e7e36c498cd45b10f7
SHA256

b105a20ec8cf2aa1868689019cbf76bab597c1ed88082b8481c08090526be633
SHA512

23917a90b58faef995f2f5f73e140b8a540fb58f49c88a42d95b94f603b61e7921c8bb6df6170fadb81d33963632b04644f5d48c941fd69914a54db3e3811d83
SSDEEP

98304:Q12tW5t8QTrNQrDxJSB695pyYbdwYdP+e7WaTnGSAp9sPrP/nHXOk2:e2Ij8QTrNQrDOEDp+Yd7yaTRPj2X

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	rundll32.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
2	1284	rundll32.exe
5	1284	rundll32.exe
6	1284	rundll32.exe
8	1284	rundll32.exe
9	1284	rundll32.exe
11	1284	rundll32.exe
13	1284	rundll32.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io
12	api.myip.com
13	api.myip.com
4	api64.ipify.org
5	api64.ipify.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1284	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1284	1168	rundll32.exe	30
PID 1168 wrote to memory of 1284	1168	rundll32.exe	30
PID 1168 wrote to memory of 1284	1168	rundll32.exe	30
PID 1168 wrote to memory of 1284	1168	rundll32.exe	30
PID 1168 wrote to memory of 1284	1168	rundll32.exe	30
PID 1168 wrote to memory of 1284	1168	rundll32.exe	30
PID 1168 wrote to memory of 1284	1168	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite.dll,#1
  2⤵
  - Modifies firewall policy service
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-0-0x0000000073966000-0x0000000073C22000-memory.dmp

Filesize
2.7MB

Download
memory/1284-3-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1284-1-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1284-33-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1284-32-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1284-30-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1284-28-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1284-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1284-23-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1284-20-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1284-18-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1284-15-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1284-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1284-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1284-10-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1284-8-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1284-6-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1284-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1284-38-0x00000000737D0000-0x0000000074165000-memory.dmp

Filesize
9.6MB

Download
memory/1284-34-0x00000000737D0000-0x0000000074165000-memory.dmp

Filesize
9.6MB

Download
memory/1284-45-0x0000000073966000-0x0000000073C22000-memory.dmp

Filesize
2.7MB

Download
memory/1284-46-0x00000000737D0000-0x0000000074165000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads