d865eb22b01c9efa2d3d48f2df807fbd89783cfc06e7377635415c97be1f021e

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app-0.89.2/app-0.89.2/svrcderll.exe
Size

2.2MB
MD5

6cf29dbf1fa710cccf6ba1c4c01f6b85
SHA1

a1debdb076c8c655e3d78c6ae82f1beba386a2ba
SHA256

f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b
SHA512

ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5
SSDEEP

24576:GmKWcYmmUMlLklbOEyeeQaSpRnO9xGboTOLFI78hqT3tiBco21c6D5mHK+iwu7:Gm/mmUiLklb6e+YMDGaAhIt5o2WqmFXM

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4364 created 4296	4364	svrcderll.exe	108

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	svrcderll.exe
File opened (read-only)	\??\X:	svrcderll.exe
File opened (read-only)	\??\Z:	svrcderll.exe
File opened (read-only)	\??\K:	svrcderll.exe
File opened (read-only)	\??\R:	svrcderll.exe
File opened (read-only)	\??\S:	svrcderll.exe
File opened (read-only)	\??\I:	svrcderll.exe
File opened (read-only)	\??\L:	svrcderll.exe
File opened (read-only)	\??\V:	svrcderll.exe
File opened (read-only)	\??\O:	svrcderll.exe
File opened (read-only)	\??\P:	svrcderll.exe
File opened (read-only)	\??\Q:	svrcderll.exe
File opened (read-only)	\??\T:	svrcderll.exe
File opened (read-only)	\??\U:	svrcderll.exe
File opened (read-only)	\??\B:	svrcderll.exe
File opened (read-only)	\??\M:	svrcderll.exe
File opened (read-only)	\??\N:	svrcderll.exe
File opened (read-only)	\??\J:	svrcderll.exe
File opened (read-only)	\??\Y:	svrcderll.exe
File opened (read-only)	\??\E:	svrcderll.exe
File opened (read-only)	\??\G:	svrcderll.exe
File opened (read-only)	\??\H:	svrcderll.exe

Deletes itself 1 IoCs

pid	Process
4696	svrcderll.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\aUILw8uLTkKX\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\zlibwapi.dll	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\libcurl.dll	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\zlibwapi.dll	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\libcurl.dll	svrcderll.exe

Executes dropped EXE 9 IoCs

pid	Process
2860	svrcderll.exe
4624	svrcderll.exe
4604	svrcderll.exe
4696	svrcderll.exe
4364	svrcderll.exe
5016	svrcderll.exe
3836	svrcderll.exe
4732	svrcderll.exe
1996	svrcderll.exe

Loads dropped DLL 10 IoCs

pid	Process
4604	svrcderll.exe
4604	svrcderll.exe
4696	svrcderll.exe
4696	svrcderll.exe
4364	svrcderll.exe
4364	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
1996	svrcderll.exe
1996	svrcderll.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svrcderll.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svrcderll.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
3268	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
4604	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe
5016	svrcderll.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 3992	116	cmd.exe	90
PID 116 wrote to memory of 3992	116	cmd.exe	90
PID 2860 wrote to memory of 4624	2860	svrcderll.exe	98
PID 2860 wrote to memory of 4624	2860	svrcderll.exe	98
PID 2860 wrote to memory of 4624	2860	svrcderll.exe	98
PID 4624 wrote to memory of 4604	4624	svrcderll.exe	99
PID 4624 wrote to memory of 4604	4624	svrcderll.exe	99
PID 1096 wrote to memory of 4696	1096	cmd.exe	103
PID 1096 wrote to memory of 4696	1096	cmd.exe	103
PID 4604 wrote to memory of 4364	4604	svrcderll.exe	105
PID 4604 wrote to memory of 4364	4604	svrcderll.exe	105
PID 4364 wrote to memory of 5016	4364	svrcderll.exe	109
PID 4364 wrote to memory of 5016	4364	svrcderll.exe	109
PID 3836 wrote to memory of 4732	3836	svrcderll.exe	112
PID 3836 wrote to memory of 4732	3836	svrcderll.exe	112
PID 3836 wrote to memory of 4732	3836	svrcderll.exe	112
PID 4732 wrote to memory of 1996	4732	svrcderll.exe	113
PID 4732 wrote to memory of 1996	4732	svrcderll.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe
"C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3268

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe" 13820647f 3268 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
1⤵
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe" 13820647f 3268 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
  2⤵
  - Drops file in Windows directory
  PID:3992

C:\Windows\aUILw8uLTkKX\svrcderll.exe
"C:\Windows\aUILw8uLTkKX\svrcderll.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe
  "C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe
    "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe
      "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe" "b51a8a"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\system32\RelPost.exe
        
        C:\Windows\system32\RelPost.exe
        5⤵
        
        PID:4288
    - - C:\Windows\system32\msconfig.exe
        
        C:\Windows\system32\msconfig.exe
        5⤵
        
        PID:4296
      - C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe
        
        "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe" 6f985ec46131bfedeee86f510 4364
        6⤵
        Enumerates connected drives
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5016

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe" e37180d57512f2324f8 3268 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe" e37180d57512f2324f8 3268 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4696

C:\Windows\aUILw8uLTkKX\svrcderll.exe
C:\Windows\aUILw8uLTkKX\svrcderll.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe
  "C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe
    "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\895D2F30F96A470C8A59827778B21DF5

Filesize
520B

MD5
e90213455da78879079e04c21a8c3cb7

SHA1
efcc5bba6bf8940fd871b952d9d6c64938d339c5

SHA256
0600fd8cd858924ba2add5fe3777bb732189e755eb50039c9dae3148b3ce9f49

SHA512
69bfe21c2ea8aa96191b3a7261a33ab383e00468006a8b19beddaa4e0b8b7977841bac729cf4240e45e5d70ba4130b96d2af6100844a72b6570b075a935eadca

Download Submit
C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6

Filesize
12.3MB

MD5
8abd98831e34544fcbcd1a33f79b9617

SHA1
8b23bfa64eb0087983433cc3f85a5dd087bf4eca

SHA256
95c2cfee008c27a4a9c7b10e759c3dd25480c882eee6f4f8f20aa4ccfc534bc1

SHA512
2e26f26b636e10fa6d8c3a572ea76fc17e83572079b3906694fc53fa8d1ae3603e5fe314a7775d56607e8c2d14699b9d7e7817289563960a08c22f3d0ad04efe

Download Submit
C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\libcurl.dll

Filesize
556KB

MD5
6b2548cc404f3dd55634efa291fa98d0

SHA1
a076a60d99d70fd8aa7664a2534445a502febe27

SHA256
7ae384b8695d7a9c2b6640927cb6ac592229aef9ebeeb80b91d556777c6dfb5d

SHA512
14068e9e7d5f7e4494ffa75d369068234cdb050286d3356298e0387cf13d7681c0d68b57b6b299958c86ee3ae1dc3e54adc4c376e7b869d7d76fc2e91ed95009

Download Submit
C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe

Filesize
2.2MB

MD5
6cf29dbf1fa710cccf6ba1c4c01f6b85

SHA1
a1debdb076c8c655e3d78c6ae82f1beba386a2ba

SHA256
f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b

SHA512
ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5

Download Submit
C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\zlibwapi.dll

Filesize
324KB

MD5
b75a201484fe177e6460c08a1f2be3ca

SHA1
44eedc44deb82c77e82483dadd0575915b47a4b7

SHA256
fdd525739c5f4d55d3a65271c3389b34c79c236342ccedf31b34c539acea08d0

SHA512
f922f1c5fc876a2fcc1c14d8c1665d2172dbd5fbea53e964e0229f07da449fbea72c9509a532f37c48dd1faec2df4271561191bfb9aa62495104f5828c69b07f

Download Submit
C:\Windows\aUILw8uLTkKX\svrcderll.exe

Filesize
586KB

MD5
f6f6ff4e9b359bc005a25fadb3a0aa61

SHA1
831fe06ce2015e2d66467d04f2d46ec3e96524d3

SHA256
6eb2a5f8ba7b7e2438a9608b7a2d5eefa1f8b66aaf7060c208678e47c3565324

SHA512
db29271f28a3bff4bd3f4073b522c662f70865cc1067e0de2c11ef284d8d88fe9ca165485da6fe52372bf3db33764f195853b883d8fdab1b502e960b0915da14

Download Submit
memory/1996-92-0x000001458DEE0000-0x000001458EB89000-memory.dmp

Filesize
12.7MB

Download
memory/1996-90-0x000001458DEE0000-0x000001458EB89000-memory.dmp

Filesize
12.7MB

Download
memory/3268-0-0x00007FF6616D8000-0x00007FF6616D9000-memory.dmp

Filesize
4KB

Download
memory/3268-6-0x000001F6C7400000-0x000001F6C80A9000-memory.dmp

Filesize
12.7MB

Download
memory/3268-4-0x000001F6C7400000-0x000001F6C80A9000-memory.dmp

Filesize
12.7MB

Download
memory/3268-3-0x00007FF6615F0000-0x00007FF66182C000-memory.dmp

Filesize
2.2MB

Download
memory/3268-2-0x000001F6C4EB0000-0x000001F6C5AFB000-memory.dmp

Filesize
12.3MB

Download
memory/3268-1-0x00007FF6616D8000-0x00007FF6616D9000-memory.dmp

Filesize
4KB

Download
memory/3992-13-0x000002222F200000-0x000002222FEA9000-memory.dmp

Filesize
12.7MB

Download
memory/3992-16-0x000002222F200000-0x000002222FEA9000-memory.dmp

Filesize
12.7MB

Download
memory/3992-11-0x00007FF6615F0000-0x00007FF66182C000-memory.dmp

Filesize
2.2MB

Download
memory/4364-62-0x0000021CFE510000-0x0000021CFF1B9000-memory.dmp

Filesize
12.7MB

Download
memory/4364-63-0x0000021CFE510000-0x0000021CFF1B9000-memory.dmp

Filesize
12.7MB

Download
memory/4604-49-0x000001AD7C2B0000-0x000001AD7CF59000-memory.dmp

Filesize
12.7MB

Download
memory/4604-47-0x000001AD7C2B0000-0x000001AD7CF59000-memory.dmp

Filesize
12.7MB

Download
memory/4696-56-0x00000237A6A60000-0x00000237A7709000-memory.dmp

Filesize
12.7MB

Download
memory/4696-58-0x00000237A6A60000-0x00000237A7709000-memory.dmp

Filesize
12.7MB

Download
memory/5016-70-0x0000025F60AB0000-0x0000025F61759000-memory.dmp

Filesize
12.7MB

Download
memory/5016-77-0x0000025F620B0000-0x0000025F62323000-memory.dmp

Filesize
2.4MB

Download
memory/5016-78-0x0000025F620B0000-0x0000025F62323000-memory.dmp

Filesize
2.4MB

Download
memory/5016-80-0x0000025F620B0000-0x0000025F62323000-memory.dmp

Filesize
2.4MB

Download
memory/5016-74-0x0000025F60AB0000-0x0000025F61759000-memory.dmp

Filesize
12.7MB

Download
memory/5016-72-0x0000025F60AB0000-0x0000025F61759000-memory.dmp

Filesize
12.7MB

Download