d865eb22b01c9efa2d3d48f2df807fbd89783cfc06e7377635415c97be1f021e

Analysis

max time kernel
135s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app-0.89.2/app-0.89.2/svrcderll.exe
Size

2.2MB
MD5

6cf29dbf1fa710cccf6ba1c4c01f6b85
SHA1

a1debdb076c8c655e3d78c6ae82f1beba386a2ba
SHA256

f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b
SHA512

ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5
SSDEEP

24576:GmKWcYmmUMlLklbOEyeeQaSpRnO9xGboTOLFI78hqT3tiBco21c6D5mHK+iwu7:Gm/mmUiLklb6e+YMDGaAhIt5o2WqmFXM

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	svrcderll.exe
File opened (read-only)	\??\O:	svrcderll.exe
File opened (read-only)	\??\Q:	svrcderll.exe
File opened (read-only)	\??\J:	svrcderll.exe
File opened (read-only)	\??\K:	svrcderll.exe
File opened (read-only)	\??\N:	svrcderll.exe
File opened (read-only)	\??\V:	svrcderll.exe
File opened (read-only)	\??\W:	svrcderll.exe
File opened (read-only)	\??\B:	svrcderll.exe
File opened (read-only)	\??\I:	svrcderll.exe
File opened (read-only)	\??\L:	svrcderll.exe
File opened (read-only)	\??\M:	svrcderll.exe
File opened (read-only)	\??\P:	svrcderll.exe
File opened (read-only)	\??\R:	svrcderll.exe
File opened (read-only)	\??\T:	svrcderll.exe
File opened (read-only)	\??\Y:	svrcderll.exe
File opened (read-only)	\??\G:	svrcderll.exe
File opened (read-only)	\??\H:	svrcderll.exe
File opened (read-only)	\??\Z:	svrcderll.exe
File opened (read-only)	\??\X:	svrcderll.exe
File opened (read-only)	\??\E:	svrcderll.exe
File opened (read-only)	\??\U:	svrcderll.exe

Deletes itself 1 IoCs

pid	Process
1636	svrcderll.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\ZhJQZxErORYg\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\ZhJQZxErORYg\app-0.89.2\svrcderll.exe	svrcderll.exe
File created	C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6	svrcderll.exe
File opened for modification	C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\libcurl.dll	svrcderll.exe
File opened for modification	C:\Windows\ZhJQZxErORYg\svrcderll.exe	svrcderll.exe
File created	C:\Windows\ZhJQZxErORYg\app-0.89.2\svrcderll.exe	svrcderll.exe
File created	C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6	svrcderll.exe
File created	C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\zlibwapi.dll	svrcderll.exe
File opened for modification	C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\zlibwapi.dll	svrcderll.exe
File created	C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\libcurl.dll	svrcderll.exe

Executes dropped EXE 8 IoCs

pid	Process
2092	svrcderll.exe
1840	svrcderll.exe
1532	svrcderll.exe
1636	svrcderll.exe
1676	svrcderll.exe
936	svrcderll.exe
1364	svrcderll.exe
1140	svrcderll.exe

Loads dropped DLL 10 IoCs

pid	Process
2092	svrcderll.exe
1840	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1636	svrcderll.exe
1636	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1140	svrcderll.exe
1140	svrcderll.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svrcderll.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svrcderll.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2396	svrcderll.exe
2396	svrcderll.exe
2396	svrcderll.exe
2396	svrcderll.exe
2396	svrcderll.exe
2396	svrcderll.exe
2396	svrcderll.exe
2396	svrcderll.exe
2396	svrcderll.exe
2396	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1532	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe
1676	svrcderll.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2684	2760	cmd.exe	32
PID 2760 wrote to memory of 2684	2760	cmd.exe	32
PID 2760 wrote to memory of 2684	2760	cmd.exe	32
PID 2092 wrote to memory of 1840	2092	svrcderll.exe	34
PID 2092 wrote to memory of 1840	2092	svrcderll.exe	34
PID 2092 wrote to memory of 1840	2092	svrcderll.exe	34
PID 2092 wrote to memory of 1840	2092	svrcderll.exe	34
PID 1840 wrote to memory of 1532	1840	svrcderll.exe	35
PID 1840 wrote to memory of 1532	1840	svrcderll.exe	35
PID 1840 wrote to memory of 1532	1840	svrcderll.exe	35
PID 1840 wrote to memory of 1532	1840	svrcderll.exe	35
PID 2284 wrote to memory of 1636	2284	cmd.exe	37
PID 2284 wrote to memory of 1636	2284	cmd.exe	37
PID 2284 wrote to memory of 1636	2284	cmd.exe	37
PID 1532 wrote to memory of 1676	1532	svrcderll.exe	38
PID 1532 wrote to memory of 1676	1532	svrcderll.exe	38
PID 1532 wrote to memory of 1676	1532	svrcderll.exe	38
PID 2148 wrote to memory of 936	2148	taskeng.exe	40
PID 2148 wrote to memory of 936	2148	taskeng.exe	40
PID 2148 wrote to memory of 936	2148	taskeng.exe	40
PID 2148 wrote to memory of 936	2148	taskeng.exe	40
PID 936 wrote to memory of 1364	936	svrcderll.exe	41
PID 936 wrote to memory of 1364	936	svrcderll.exe	41
PID 936 wrote to memory of 1364	936	svrcderll.exe	41
PID 936 wrote to memory of 1364	936	svrcderll.exe	41
PID 1364 wrote to memory of 1140	1364	svrcderll.exe	42
PID 1364 wrote to memory of 1140	1364	svrcderll.exe	42
PID 1364 wrote to memory of 1140	1364	svrcderll.exe	42
PID 1364 wrote to memory of 1140	1364	svrcderll.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe
"C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe" 13820647f 2396 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe" 13820647f 2396 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
  2⤵
  - Drops file in Windows directory
  PID:2684

C:\Windows\ZhJQZxErORYg\svrcderll.exe
"C:\Windows\ZhJQZxErORYg\svrcderll.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\ZhJQZxErORYg\app-0.89.2\svrcderll.exe
  "C:\Windows\ZhJQZxErORYg\app-0.89.2\svrcderll.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe
    "C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe
      "C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe" "6f985ec46131bfedeee86f510"
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1676

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe" e37180d57512f2324f8 2396 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe" e37180d57512f2324f8 2396 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1636

C:\Windows\system32\taskeng.exe
taskeng.exe {A487114D-9DF3-4A3A-89C8-1A37A845689F} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\ZhJQZxErORYg\svrcderll.exe
  C:\Windows\ZhJQZxErORYg\svrcderll.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\ZhJQZxErORYg\app-0.89.2\svrcderll.exe
    "C:\Windows\ZhJQZxErORYg\app-0.89.2\svrcderll.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe
      "C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\895D2F30F96A470C8A59827778B21DF5

Filesize
520B

MD5
3f10d2794b37fcb4be7442d58a55f01f

SHA1
e975924d9c3bb028491043f24942f3ea2be8f9c2

SHA256
7f5846cb140a09b70dec2ba520ab71e886763889c9d28ad695509bcd25270b1c

SHA512
23b6ef22664b5403f95400a43f84cd7e5e43dbd05b433d362513a3741cbb81554677dbf2cbcaf6c74914ec0680bbb21a7140cce5b38c778befb01327311f1010

Download Submit
C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6

Filesize
12.3MB

MD5
8abd98831e34544fcbcd1a33f79b9617

SHA1
8b23bfa64eb0087983433cc3f85a5dd087bf4eca

SHA256
95c2cfee008c27a4a9c7b10e759c3dd25480c882eee6f4f8f20aa4ccfc534bc1

SHA512
2e26f26b636e10fa6d8c3a572ea76fc17e83572079b3906694fc53fa8d1ae3603e5fe314a7775d56607e8c2d14699b9d7e7817289563960a08c22f3d0ad04efe

Download Submit
C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\libcurl.dll

Filesize
556KB

MD5
6b2548cc404f3dd55634efa291fa98d0

SHA1
a076a60d99d70fd8aa7664a2534445a502febe27

SHA256
7ae384b8695d7a9c2b6640927cb6ac592229aef9ebeeb80b91d556777c6dfb5d

SHA512
14068e9e7d5f7e4494ffa75d369068234cdb050286d3356298e0387cf13d7681c0d68b57b6b299958c86ee3ae1dc3e54adc4c376e7b869d7d76fc2e91ed95009

Download Submit
C:\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\zlibwapi.dll

Filesize
324KB

MD5
b75a201484fe177e6460c08a1f2be3ca

SHA1
44eedc44deb82c77e82483dadd0575915b47a4b7

SHA256
fdd525739c5f4d55d3a65271c3389b34c79c236342ccedf31b34c539acea08d0

SHA512
f922f1c5fc876a2fcc1c14d8c1665d2172dbd5fbea53e964e0229f07da449fbea72c9509a532f37c48dd1faec2df4271561191bfb9aa62495104f5828c69b07f

Download Submit
C:\Windows\ZhJQZxErORYg\svrcderll.exe

Filesize
586KB

MD5
f6f6ff4e9b359bc005a25fadb3a0aa61

SHA1
831fe06ce2015e2d66467d04f2d46ec3e96524d3

SHA256
6eb2a5f8ba7b7e2438a9608b7a2d5eefa1f8b66aaf7060c208678e47c3565324

SHA512
db29271f28a3bff4bd3f4073b522c662f70865cc1067e0de2c11ef284d8d88fe9ca165485da6fe52372bf3db33764f195853b883d8fdab1b502e960b0915da14

Download Submit
\Windows\ZhJQZxErORYg\app-0.89.2\app-0.89.2\svrcderll.exe

Filesize
2.2MB

MD5
6cf29dbf1fa710cccf6ba1c4c01f6b85

SHA1
a1debdb076c8c655e3d78c6ae82f1beba386a2ba

SHA256
f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b

SHA512
ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5

Download Submit
memory/1140-84-0x0000000004520000-0x00000000051C9000-memory.dmp

Filesize
12.7MB

Download
memory/1140-82-0x0000000004520000-0x00000000051C9000-memory.dmp

Filesize
12.7MB

Download
memory/1532-51-0x0000000003260000-0x0000000003F09000-memory.dmp

Filesize
12.7MB

Download
memory/1532-49-0x0000000003260000-0x0000000003F09000-memory.dmp

Filesize
12.7MB

Download
memory/1636-60-0x00000000033B0000-0x0000000004059000-memory.dmp

Filesize
12.7MB

Download
memory/1636-58-0x00000000033B0000-0x0000000004059000-memory.dmp

Filesize
12.7MB

Download
memory/1676-70-0x0000000006660000-0x00000000068D3000-memory.dmp

Filesize
2.4MB

Download
memory/1676-71-0x0000000006660000-0x00000000068D3000-memory.dmp

Filesize
2.4MB

Download
memory/1676-73-0x0000000006660000-0x00000000068D3000-memory.dmp

Filesize
2.4MB

Download
memory/1676-63-0x0000000004660000-0x0000000005309000-memory.dmp

Filesize
12.7MB

Download
memory/1676-67-0x0000000004660000-0x0000000005309000-memory.dmp

Filesize
12.7MB

Download
memory/1676-65-0x0000000004660000-0x0000000005309000-memory.dmp

Filesize
12.7MB

Download
memory/2396-0-0x000000013F518000-0x000000013F519000-memory.dmp

Filesize
4KB

Download
memory/2396-3-0x000000013F430000-0x000000013F66C000-memory.dmp

Filesize
2.2MB

Download
memory/2396-4-0x0000000004590000-0x0000000005239000-memory.dmp

Filesize
12.7MB

Download
memory/2396-6-0x0000000004590000-0x0000000005239000-memory.dmp

Filesize
12.7MB

Download
memory/2396-2-0x0000000002040000-0x0000000002C8B000-memory.dmp

Filesize
12.3MB

Download
memory/2396-1-0x000000013F518000-0x000000013F519000-memory.dmp

Filesize
4KB

Download
memory/2684-11-0x000000013F430000-0x000000013F66C000-memory.dmp

Filesize
2.2MB

Download
memory/2684-13-0x00000000034F0000-0x0000000004199000-memory.dmp

Filesize
12.7MB

Download
memory/2684-15-0x00000000034F0000-0x0000000004199000-memory.dmp

Filesize
12.7MB

Download