Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 14:39
Static task: static1
Behavioral task: behavioral1
Sample: 3e54cac3e2dae3c86908ddc0674b051bf90c1928.dll
Resource: win7-20240903-en
General
Target: 3e54cac3e2dae3c86908ddc0674b051bf90c1928.dll
Size: 6.4MB
MD5: ce0dee6210659c6396ab4c1fa578cf5e
SHA1: 3e54cac3e2dae3c86908ddc0674b051bf90c1928
SHA256: ef1994abb84e0746c9451910c7c81cc2f2f8e7b10a1459f7f022bb4b25ed4248
SHA512: a7ead70f9f4783c017292ea6f7f2973b1b21b640135a9654f7bd6fc5b909f6d03373b80e61aee486b55312e81a3acec934768dcab737e6c088606fa6fce8ed73
SSDEEP: 196608:LY4/1mssttTWe3aWdYr1h8pkCfYHjP2z4:DMZXaWda1SplfqrB
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  flow: 4  pid: 1340  process: rundll32.exe
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                            process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rundll32.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       process       occurrences
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe  18
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe  1
Enumerates system info in registry (2 TTPs, 2 IoCs)
  description        ioc                                                          process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS             rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  rundll32.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   process       occurrences
  1340  rundll32.exe  10
Suspicious use of WriteProcessMemory (64 IoCs)
  source pid  target pid  process       target procid  occurrences
  2656        1340        rundll32.exe  31             7
  1340        2788        rundll32.exe  32             4
  1340        2716        rundll32.exe  34             4
  1340        2696        rundll32.exe  36             4
  1340        2796        rundll32.exe  38             4
  1340        2600        rundll32.exe  40             4
  1340        2820        rundll32.exe  42             4
  1340        2728        rundll32.exe  44             4
  1340        2832        rundll32.exe  46             4
  1340        2576        rundll32.exe  48             4
  1340        2640        rundll32.exe  50             4
  1340        2184        rundll32.exe  52             4
  1340        3052        rundll32.exe  54             4
  1340        1992        rundll32.exe  56             4
  1340        2892        rundll32.exe  58             4
  1340        2944        rundll32.exe  60             1
Processes

Level 1: C:\Windows\system32\rundll32.exe (PID 2656)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e54cac3e2dae3c86908ddc0674b051bf90c1928.dll,#1
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\rundll32.exe (PID 1340)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e54cac3e2dae3c86908ddc0674b051bf90c1928.dll,#1
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3: children of PID 1340, all C:\Windows\SysWOW64\schtasks.exe, each flagged "System Location Discovery: System Language Discovery":
      PID 2788  schtasks /END /TN "sXNOjKszOtgVmkz"
      PID 2716  schtasks /DELETE /F /TN "sXNOjKszOtgVmkz"
      PID 2696  schtasks /END /TN "sXNOjKszOtgVmkz2"
      PID 2796  schtasks /DELETE /F /TN "sXNOjKszOtgVmkz2"
      PID 2600  schtasks /END /TN "OXxjczkOUapoBk"
      PID 2820  schtasks /DELETE /F /TN "OXxjczkOUapoBk"
      PID 2728  schtasks /END /TN "ovjHFLiaoDXiq"
      PID 2832  schtasks /DELETE /F /TN "ovjHFLiaoDXiq"
      PID 2576  schtasks /END /TN "ovjHFLiaoDXiq2"
      PID 2640  schtasks /DELETE /F /TN "ovjHFLiaoDXiq2"
      PID 2184  schtasks /END /TN "FUIGMuWdVnvJxtmtc"
      PID 3052  schtasks /DELETE /F /TN "FUIGMuWdVnvJxtmtc"
      PID 1992  schtasks /END /TN "FUIGMuWdVnvJxtmtc2"
      PID 2892  schtasks /DELETE /F /TN "FUIGMuWdVnvJxtmtc2"
      PID 2944  schtasks /END /TN "OZKyURMXoOCzijVxvcH"
      PID 2872  schtasks /DELETE /F /TN "OZKyURMXoOCzijVxvcH"
      PID 1420  schtasks /END /TN "OZKyURMXoOCzijVxvcH2"
      PID 800   schtasks /DELETE /F /TN "OZKyURMXoOCzijVxvcH2"