Analysis Overview
SHA256
1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834
Threat Level: Likely malicious
The file 1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834 was found to be: Likely malicious.
Malicious Activity Summary
Modifies Shared Task Scheduler registry keys
Installs/modifies Browser Helper Object
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:51
Reported
2024-11-13 19:53
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies Shared Task Scheduler registry keys
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{EA72FA62-FC84-B73F-C850-52EA61E951D9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{851C940C-A62E-51D9-62FA-0C840B830B73} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{851C940C-A62E-51D9-62FA-0C840B830B73}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\OSX.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\OSX.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\INR.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\INR.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\InprocServer32\ = "C:\\Windows\\SysWow64\\OSX.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\InprocServer32\ = "C:\\Windows\\SysWow64\\INR.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1916 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1
Network
Files
memory/1996-0-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-1-0x0000000077680000-0x0000000077681000-memory.dmp
C:\Windows\SysWOW64\INR.dll
| MD5 | 02ed38b790361fc900eccfecaabdc632 |
| SHA1 | 33a29f34d59fec86d9ecacd9e86dfe8229a34683 |
| SHA256 | d2101c6d5769cadc72cf03430722caa4dff8e3e7e8507027a31f3104266a407b |
| SHA512 | ad9cddb043f52827ce7100298cfcf830c52ec703ffa062193efce522d8b0d37afe39d2da4804902235685b8470e57259eb2f99ee42790c7fe64bce3800ff1208 |
memory/1996-12-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-13-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-14-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-15-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-16-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-17-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-18-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-19-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-20-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-21-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-22-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-23-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-24-0x00000000006B0000-0x000000000070C000-memory.dmp
memory/1996-25-0x00000000006B0000-0x000000000070C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:51
Reported
2024-11-13 19:53
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
135s
Command Line
Signatures
Modifies Shared Task Scheduler registry keys
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B62D84F-2D73-D83E-E940-83D94FB61D83} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\GJM.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GJM.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\MPS.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MPS.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\InprocServer32\ = "C:\\Windows\\SysWow64\\GJM.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9}\InprocServer32\ = "C:\\Windows\\SysWow64\\MPS.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\ | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\InprocServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2660 wrote to memory of 440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2660 wrote to memory of 440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2660 wrote to memory of 440 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1291e42002f2573e1ffc21e13697e8a7b2173d2097be645369e52e949a7ae834.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/440-0-0x0000000077444000-0x0000000077445000-memory.dmp
C:\Windows\SysWOW64\GJM.dll
| MD5 | 02ed38b790361fc900eccfecaabdc632 |
| SHA1 | 33a29f34d59fec86d9ecacd9e86dfe8229a34683 |
| SHA256 | d2101c6d5769cadc72cf03430722caa4dff8e3e7e8507027a31f3104266a407b |
| SHA512 | ad9cddb043f52827ce7100298cfcf830c52ec703ffa062193efce522d8b0d37afe39d2da4804902235685b8470e57259eb2f99ee42790c7fe64bce3800ff1208 |
memory/440-11-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-12-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-13-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-14-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-15-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-16-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-17-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-18-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-19-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-20-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-21-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-22-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-23-0x0000000000400000-0x000000000045C000-memory.dmp
memory/440-24-0x0000000000400000-0x000000000045C000-memory.dmp
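Both behavioral runs above register the same persistence pattern under different names: one CLSID under Explorer's SharedTaskScheduler key and a second under Browser Helper Objects, each resolved through HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{...}\InprocServer32 to a DLL dropped into SysWOW64 (OSX.dll and INR.dll on win7, MPS.dll and GJM.dll on win10). The CLSIDs and DLL names change between runs, but the BHO DLL carries the same SHA256 in both. The Python below is an added example, not part of the sandbox report: it rebuilds those chains from a subset of the report's own registry rows (copied from the SharedTaskScheduler, Browser Helper Object and "Modifies registry class" tables, Process/Target columns dropped) and the hashes from the Files sections, then shows which indicators survive across runs. The parsing convention it assumes (a trailing backslash marks a key's default value, quoted values have backslashes doubled) is read off the rows above and is an assumption about the report format, not a documented one.

```python
"""Reconstruct this sample's COM persistence chains and find what is stable across runs.

Added example, not part of the sandbox report. Rows are copied from the report's
registry tables (a subset); hashes come from its Files sections.
"""
import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Explorer/IE load the DLL behind every CLSID listed under these keys; the hook entry
# names the CLSID, and HKCR\CLSID\{...}\InprocServer32 names the DLL it resolves to.
HOOK_FRAGMENTS = {
    "SharedTaskScheduler": "\\explorer\\sharedtaskscheduler\\",
    "Browser Helper Objects": "\\explorer\\browser helper objects\\",
}

# Rows copied from the report (behavioral1, win7).
BEHAVIORAL1_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{EA72FA62-FC84-B73F-C850-52EA61E951D9} |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{851C940C-A62E-51D9-62FA-0C840B830B73}\ |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\InprocServer32\ThreadingModel = "Apartment" |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\InprocServer32\ = "C:\\Windows\\SysWow64\\OSX.dll" |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{851C940C-A62E-51D9-62FA-0C840B830B73}\InprocServer32\ = "C:\\Windows\\SysWow64\\INR.dll" |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA72FA62-FC84-B73F-C850-52EA61E951D9}\InprocServer32 |
"""
BEHAVIORAL1_HASHES = {"INR.dll": "d2101c6d5769cadc72cf03430722caa4dff8e3e7e8507027a31f3104266a407b"}

# Rows copied from the report (behavioral2, win10).
BEHAVIORAL2_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9} |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\ |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0B62D84F-2D73-D83E-E940-83D94FB61D83}\InprocServer32\ = "C:\\Windows\\SysWow64\\GJM.dll" |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61C83EA5-72D9-3D84-4FA6-D83FA51C73E9}\InprocServer32\ = "C:\\Windows\\SysWow64\\MPS.dll" |
"""
BEHAVIORAL2_HASHES = {"GJM.dll": "d2101c6d5769cadc72cf03430722caa4dff8e3e7e8507027a31f3104266a407b"}


def parse_rows(table):
    """Yield (description, indicator) from '| description | indicator |' rows."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2:
            yield cells[0], cells[1]


def parse_event(desc, indicator):
    """Split a 'Set value' row into key path, value name and value.

    Assumed report convention: a trailing backslash means the key's (Default) value,
    otherwise the last path component is the value name; values are quoted with
    backslashes doubled.
    """
    if not desc.startswith("Set value"):
        return {"path": indicator, "name": None, "value": None}
    key, _, raw = indicator.partition(" = ")
    key = key.rstrip()
    if key.endswith("\\"):
        path, name = key[:-1], "(Default)"
    else:
        path, _, name = key.rpartition("\\")
    value = raw.strip().strip('"').replace("\\\\", "\\") if raw else ""
    return {"path": path, "name": name, "value": value}


def build_chains(table, hashes):
    """Map each CLSID registered at a hook point to its InprocServer32 DLL and known hash."""
    hooks, servers = {}, {}
    for desc, indicator in parse_rows(table):
        ev = parse_event(desc, indicator)
        full = ev["path"] + ("\\" + ev["name"] if ev["name"] else "")
        match = GUID_RE.search(full)
        if not match:
            continue
        clsid, low = match.group(0).upper(), full.lower()
        for hook, fragment in HOOK_FRAGMENTS.items():
            if fragment in low:
                hooks[clsid] = hook
        if "\\clsid\\" in low and low.endswith("\\inprocserver32\\(default)"):
            servers[clsid] = ev["value"]
    hashes = {k.lower(): v for k, v in hashes.items()}
    chains = {}
    for clsid, hook in hooks.items():
        dll = servers.get(clsid)
        base = dll.rsplit("\\", 1)[-1].lower() if dll else None
        chains[clsid] = {"hook": hook, "dll": dll, "sha256": hashes.get(base)}
    return chains


def stable_indicators(run_a, run_b):
    """Return what two detonations share: CLSIDs and DLL names are per-run noise,
    the hook points and the dropped-file hash are what a detection should key on."""
    def names(run):
        return {v["dll"].rsplit("\\", 1)[-1].lower() for v in run.values() if v["dll"]}
    hashes_a = {v["sha256"] for v in run_a.values()}
    hashes_b = {v["sha256"] for v in run_b.values()}
    return {
        "clsids": set(run_a) & set(run_b),
        "dll_names": names(run_a) & names(run_b),
        "hooks": {v["hook"] for v in run_a.values()} & {v["hook"] for v in run_b.values()},
        "sha256": (hashes_a & hashes_b) - {None},
    }


RUN1 = build_chains(BEHAVIORAL1_ROWS, BEHAVIORAL1_HASHES)
RUN2 = build_chains(BEHAVIORAL2_ROWS, BEHAVIORAL2_HASHES)

if __name__ == "__main__":
    for name, run in (("behavioral1", RUN1), ("behavioral2", RUN2)):
        for clsid, info in run.items():
            print(f"{name}: {info['hook']:<22} {clsid} -> {info['dll']} sha256={info['sha256']}")
    print("stable across runs:", stable_indicators(RUN1, RUN2))
```

Running it prints one chain per CLSID and an empty intersection for both CLSIDs and DLL basenames, so neither is a usable IOC on its own; what does carry over is the pair of hook keys being written by a rundll32.exe process and the SHA256 of the BHO DLL. The report lists no hash for the SharedTaskScheduler DLL (OSX.dll, MPS.dll), so that half of the chain can only be hunted structurally: a Wow6432Node CLSID whose InprocServer32 points at a DLL in SysWOW64 that the OS did not ship.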