Malware Analysis Report

2024-12-07 13:02

Sample ID: 241113-sqk1tsxpck
Target: DLL Injector_51084141.exe
SHA256: 61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42
Tags: discovery
Score: 3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 3/10

SHA256: 61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42

Threat Level: Likely benign

The file DLL Injector_51084141.exe was found to be: Likely benign.

Malicious Activity Summary

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 15:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 15:19
Reported: 2024-11-13 15:24
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A

Opens file in notepad (likely ransom note)

Tag: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe

"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt

Network


Files

C:\Users\Admin\AppData\Local\link.txt

MD5: 3b226ac559aa75462620d15924c4b03e
SHA1: 970ee2661dfe67df8c78312f381199b2abd2be7e
SHA256: 2d08379362058d38979d3a0854a13c4250ddf691e453a04a12d1debaf395f58c
SHA512: 4836a84c59b97f67bb408fbca6534307422fd1707aebfb9db9a0e5d7f114ccdbad3dabb5221adca7653c51b57336775c006319187aed10c25b7231cea97d3a3e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 15:19
Reported: 2024-11-13 15:22
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"

Signatures

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe

"C:\Users\Admin\AppData\Local\Temp\DLL Injector_51084141.exe"

Network


Files

N/A