Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/11/2024, 02:40

General

  • Target

    a.dll

  • Size

    16KB

  • MD5

    d7a5aa9937568b1e34ad845c67d59024

  • SHA1

    f56692fce5147afd558df4b9be45490155f9dae5

  • SHA256

    41794b5b46fb063d7e934eef590f059fa8e6875aff628adcf85b8449f7d3b027

  • SHA512

    5313ec50eceaf024bda3dd0e1893de660b3dd3b9c21251293122e155d2578bd943f33e6766606f28583c1e44433aa2da38bfe650ebae192eea7e2f40dfa4810f

  • SSDEEP

    192:C7KSdtf/wB7vzXDe3mt+D69mdzfYluDDDDDDDDDDDDDDDDDDD+yMsuyK32BQ2fAi:CeUnwB7XV1ddD2BJfA

Malware Config

Signatures

  • Modifies Windows Defender notification settings 3 TTPs 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a.dll,#1
      2⤵
      • Modifies Windows Defender notification settings
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $ENV:TEMP
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
      • C:\Windows\SysWOW64\cscript.exe
        cscript.exe C:\Users\Admin\AppData\Local\Temp\anbEC63.tmp.vbs //B //Nologo //T:5
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\gpmsc_externalDBMSleanup.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2676
          • C:\Windows\SysWOW64\SecEdit.exe
            secedit /import /db C:\Users\Admin\AppData\Local\Temp\secuserpol5765.db /cfg C:\Users\Admin\AppData\Local\Temp\secuserpol5765.cfg
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2980
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 1
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2796
      • C:\Users\Admin\AppData\Local\Temp\eliF26D.tmp
        C:\Users\Admin\AppData\Local\Temp\eliF26D.tmp C:\Users\Admin\AppData\Local\Temp\lxrF26C.tmp
        3⤵
        • Executes dropped EXE
        PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /Q /C "timeout 1 && del /Q /F a"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2592

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\anbEC63.tmp.vbs

          Filesize

          386B

          MD5

          0a1c237316e11ec81b1df21773710c40

          SHA1

          3eb16f259114b6a4f5ef5b7f3721dc6dcb06f7bc

          SHA256

          1cf290b40445860679be3bed68c03a0e555c7a3fa91aba8c216a34cc345a4dbe

          SHA512

          57004762360c0f74f5d797b7e5d7a56e8ae9090bff9121baa49912717cf919d136508ecf71ca1702549e85e20a4ba15769ef87b8a838e00e8e2542fdb25d9b2d

        • C:\Users\Admin\AppData\Local\Temp\eliF26D.tmp

          Filesize

          6KB

          MD5

          ac61560a8f57ad2dfd91e63aa3dc60f1

          SHA1

          7e797ddb74ae5fb43190d799334555430f302704

          SHA256

          188f350da1f06a9a10ad9da6120aed854a8108977241d6b9a445a09fdd7f7cda

          SHA512

          bc7bcc661c64e4f0f27c5bf07c0e5ea450e99b602bca17846ec6536675c16632a50c84aba679cfa933bd488994e90dfda7dc28d9254b0eeb3e05efd18767e755

        • C:\Users\Admin\AppData\Local\Temp\gpmsc_externalDBMSleanup.bat

          Filesize

          475B

          MD5

          c5148520a262094d3cf9155a4f6c6b51

          SHA1

          dcd5cb466c4b625d4dd49d3ff89b766c539b6dee

          SHA256

          ae674f232bf01c2fc7d1fdd88bdf3136261bb8b9733d7d2047981909a6913f9f

          SHA512

          aa34638a57240691ef93ff5d3bc593cfd8995868b94c52b862ff8820059837c4fb2c90b602894a6a0fc6c7cf9876fa8f10dbf5f15400f2f522546747da089924

        • \Users\Admin\AppData\Local\Temp\EBC6.tmp

          Filesize

          58KB

          MD5

          1525bb483c55784d134e3bd3dc447b54

          SHA1

          2decac84434ceda70ac31c6285b2b234a911a999

          SHA256

          14f60bf6d8700c82b426a6f724ee51c97b342a9a85dacd4ab7422a8c4961a099

          SHA512

          d0db58a59c69f52ec3924120d3833e7a8ced70488513b89c3e7854568edbc447f405e7e3af425f4c3024275b29ef0eb13b836a0922328dcdeb1a0100d3c115ed

        • memory/1248-26-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/1248-22-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

        • memory/2664-25-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB