Analysis
max time kernel: 90s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 14:39
Static task
static1
Behavioral task
behavioral1
Sample
3e54cac3e2dae3c86908ddc0674b051bf90c1928.dll
Resource
win7-20240903-en
General
Target: 3e54cac3e2dae3c86908ddc0674b051bf90c1928.dll
Size: 6.4MB
MD5: ce0dee6210659c6396ab4c1fa578cf5e
SHA1: 3e54cac3e2dae3c86908ddc0674b051bf90c1928
SHA256: ef1994abb84e0746c9451910c7c81cc2f2f8e7b10a1459f7f022bb4b25ed4248
SHA512: a7ead70f9f4783c017292ea6f7f2973b1b21b640135a9654f7bd6fc5b909f6d03373b80e61aee486b55312e81a3acec934768dcab737e6c088606fa6fce8ed73
SSDEEP: 196608:LY4/1mssttTWe3aWdYr1h8pkCfYHjP2z4:DMZXaWda1SplfqrB
Malware Config
Signatures
Blocklisted process makes network request (5 IoCs)
flow  pid   Process
18    1072  rundll32.exe
21    1072  rundll32.exe
23    1072  rundll32.exe
25    1072  rundll32.exe
27    1072  rundll32.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description        ioc                                                               Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rundll32.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 19 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description        ioc                                                               Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  rundll32.exe

Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid   Process
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe
1072  rundll32.exe

Suspicious use of WriteProcessMemory (57 IoCs)
description                         pid   Process       procid_target
PID 1280 wrote to memory of 1072    1280  rundll32.exe  83
PID 1280 wrote to memory of 1072    1280  rundll32.exe  83
PID 1280 wrote to memory of 1072    1280  rundll32.exe  83
PID 1072 wrote to memory of 3676    1072  rundll32.exe  88
PID 1072 wrote to memory of 3676    1072  rundll32.exe  88
PID 1072 wrote to memory of 3676    1072  rundll32.exe  88
PID 1072 wrote to memory of 3320    1072  rundll32.exe  90
PID 1072 wrote to memory of 3320    1072  rundll32.exe  90
PID 1072 wrote to memory of 3320    1072  rundll32.exe  90
PID 1072 wrote to memory of 1176    1072  rundll32.exe  92
PID 1072 wrote to memory of 1176    1072  rundll32.exe  92
PID 1072 wrote to memory of 1176    1072  rundll32.exe  92
PID 1072 wrote to memory of 2164    1072  rundll32.exe  94
PID 1072 wrote to memory of 2164    1072  rundll32.exe  94
PID 1072 wrote to memory of 2164    1072  rundll32.exe  94
PID 1072 wrote to memory of 2940    1072  rundll32.exe  98
PID 1072 wrote to memory of 2940    1072  rundll32.exe  98
PID 1072 wrote to memory of 2940    1072  rundll32.exe  98
PID 1072 wrote to memory of 2468    1072  rundll32.exe  100
PID 1072 wrote to memory of 2468    1072  rundll32.exe  100
PID 1072 wrote to memory of 2468    1072  rundll32.exe  100
PID 1072 wrote to memory of 1608    1072  rundll32.exe  102
PID 1072 wrote to memory of 1608    1072  rundll32.exe  102
PID 1072 wrote to memory of 1608    1072  rundll32.exe  102
PID 1072 wrote to memory of 636     1072  rundll32.exe  104
PID 1072 wrote to memory of 636     1072  rundll32.exe  104
PID 1072 wrote to memory of 636     1072  rundll32.exe  104
PID 1072 wrote to memory of 4020    1072  rundll32.exe  106
PID 1072 wrote to memory of 4020    1072  rundll32.exe  106
PID 1072 wrote to memory of 4020    1072  rundll32.exe  106
PID 1072 wrote to memory of 2808    1072  rundll32.exe  108
PID 1072 wrote to memory of 2808    1072  rundll32.exe  108
PID 1072 wrote to memory of 2808    1072  rundll32.exe  108
PID 1072 wrote to memory of 4828    1072  rundll32.exe  110
PID 1072 wrote to memory of 4828    1072  rundll32.exe  110
PID 1072 wrote to memory of 4828    1072  rundll32.exe  110
PID 1072 wrote to memory of 4620    1072  rundll32.exe  112
PID 1072 wrote to memory of 4620    1072  rundll32.exe  112
PID 1072 wrote to memory of 4620    1072  rundll32.exe  112
PID 1072 wrote to memory of 1764    1072  rundll32.exe  114
PID 1072 wrote to memory of 1764    1072  rundll32.exe  114
PID 1072 wrote to memory of 1764    1072  rundll32.exe  114
PID 1072 wrote to memory of 1844    1072  rundll32.exe  116
PID 1072 wrote to memory of 1844    1072  rundll32.exe  116
PID 1072 wrote to memory of 1844    1072  rundll32.exe  116
PID 1072 wrote to memory of 3704    1072  rundll32.exe  118
PID 1072 wrote to memory of 3704    1072  rundll32.exe  118
PID 1072 wrote to memory of 3704    1072  rundll32.exe  118
PID 1072 wrote to memory of 3744    1072  rundll32.exe  120
PID 1072 wrote to memory of 3744    1072  rundll32.exe  120
PID 1072 wrote to memory of 3744    1072  rundll32.exe  120
PID 1072 wrote to memory of 4776    1072  rundll32.exe  122
PID 1072 wrote to memory of 4776    1072  rundll32.exe  122
PID 1072 wrote to memory of 4776    1072  rundll32.exe  122
PID 1072 wrote to memory of 2812    1072  rundll32.exe  124
PID 1072 wrote to memory of 2812    1072  rundll32.exe  124
PID 1072 wrote to memory of 2812    1072  rundll32.exe  124
Processes
C:\Windows\system32\rundll32.exe (PID 1280)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e54cac3e2dae3c86908ddc0674b051bf90c1928.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1072)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e54cac3e2dae3c86908ddc0674b051bf90c1928.dll,#1
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 3676)
      Command line: schtasks /END /TN "sXNOjKszOtgVmkz"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 3320)
      Command line: schtasks /DELETE /F /TN "sXNOjKszOtgVmkz"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 1176)
      Command line: schtasks /END /TN "sXNOjKszOtgVmkz2"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 2164)
      Command line: schtasks /DELETE /F /TN "sXNOjKszOtgVmkz2"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 2940)
      Command line: schtasks /END /TN "OXxjczkOUapoBk"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 2468)
      Command line: schtasks /DELETE /F /TN "OXxjczkOUapoBk"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 1608)
      Command line: schtasks /END /TN "ovjHFLiaoDXiq"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 636)
      Command line: schtasks /DELETE /F /TN "ovjHFLiaoDXiq"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 4020)
      Command line: schtasks /END /TN "ovjHFLiaoDXiq2"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 2808)
      Command line: schtasks /DELETE /F /TN "ovjHFLiaoDXiq2"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 4828)
      Command line: schtasks /END /TN "FUIGMuWdVnvJxtmtc"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 4620)
      Command line: schtasks /DELETE /F /TN "FUIGMuWdVnvJxtmtc"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 1764)
      Command line: schtasks /END /TN "FUIGMuWdVnvJxtmtc2"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 1844)
      Command line: schtasks /DELETE /F /TN "FUIGMuWdVnvJxtmtc2"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 3704)
      Command line: schtasks /END /TN "OZKyURMXoOCzijVxvcH"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 3744)
      Command line: schtasks /DELETE /F /TN "OZKyURMXoOCzijVxvcH"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 4776)
      Command line: schtasks /END /TN "OZKyURMXoOCzijVxvcH2"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\schtasks.exe (PID 2812)
      Command line: schtasks /DELETE /F /TN "OZKyURMXoOCzijVxvcH2"
      - System Location Discovery: System Language Discovery