d865eb22b01c9efa2d3d48f2df807fbd89783cfc06e7377635415c97be1f021e

Analysis

max time kernel
134s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app-0.89.2/svrcderll.exe
Size

586KB
MD5

f6f6ff4e9b359bc005a25fadb3a0aa61
SHA1

831fe06ce2015e2d66467d04f2d46ec3e96524d3
SHA256

6eb2a5f8ba7b7e2438a9608b7a2d5eefa1f8b66aaf7060c208678e47c3565324
SHA512

db29271f28a3bff4bd3f4073b522c662f70865cc1067e0de2c11ef284d8d88fe9ca165485da6fe52372bf3db33764f195853b883d8fdab1b502e960b0915da14
SSDEEP

6144:xc2XFRJ3DNuzAOS9FOU6CNmKQEiispigdlDAlZVl49q7r+:7FvYzU9QU6CNmKsPtdsXl49qX+

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	svrcderll.exe
File opened (read-only)	\??\E:	svrcderll.exe
File opened (read-only)	\??\J:	svrcderll.exe
File opened (read-only)	\??\M:	svrcderll.exe
File opened (read-only)	\??\O:	svrcderll.exe
File opened (read-only)	\??\Q:	svrcderll.exe
File opened (read-only)	\??\R:	svrcderll.exe
File opened (read-only)	\??\T:	svrcderll.exe
File opened (read-only)	\??\W:	svrcderll.exe
File opened (read-only)	\??\X:	svrcderll.exe
File opened (read-only)	\??\Y:	svrcderll.exe
File opened (read-only)	\??\B:	svrcderll.exe
File opened (read-only)	\??\H:	svrcderll.exe
File opened (read-only)	\??\G:	svrcderll.exe
File opened (read-only)	\??\K:	svrcderll.exe
File opened (read-only)	\??\L:	svrcderll.exe
File opened (read-only)	\??\N:	svrcderll.exe
File opened (read-only)	\??\P:	svrcderll.exe
File opened (read-only)	\??\S:	svrcderll.exe
File opened (read-only)	\??\Z:	svrcderll.exe
File opened (read-only)	\??\I:	svrcderll.exe
File opened (read-only)	\??\U:	svrcderll.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\aUILw8uLTkKX\svrcderll.exe	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\zlibwapi.dll	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\zlibwapi.dll	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\libcurl.dll	svrcderll.exe
File opened for modification	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\libcurl.dll	svrcderll.exe
File created	C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6	svrcderll.exe

Executes dropped EXE 8 IoCs

pid	Process
1636	svrcderll.exe
1996	svrcderll.exe
3052	svrcderll.exe
2956	svrcderll.exe
1988	svrcderll.exe
2064	svrcderll.exe
620	svrcderll.exe
1372	svrcderll.exe

Loads dropped DLL 10 IoCs

pid	Process
1636	svrcderll.exe
1996	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
2956	svrcderll.exe
2956	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1372	svrcderll.exe
1372	svrcderll.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svrcderll.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svrcderll.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2216	svrcderll.exe
2216	svrcderll.exe
2216	svrcderll.exe
2216	svrcderll.exe
2216	svrcderll.exe
2216	svrcderll.exe
2216	svrcderll.exe
2216	svrcderll.exe
2216	svrcderll.exe
2216	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
3052	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe
1988	svrcderll.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2216	1940	svrcderll.exe	30
PID 1940 wrote to memory of 2216	1940	svrcderll.exe	30
PID 1940 wrote to memory of 2216	1940	svrcderll.exe	30
PID 1940 wrote to memory of 2216	1940	svrcderll.exe	30
PID 2736 wrote to memory of 2068	2736	cmd.exe	32
PID 2736 wrote to memory of 2068	2736	cmd.exe	32
PID 2736 wrote to memory of 2068	2736	cmd.exe	32
PID 1636 wrote to memory of 1996	1636	svrcderll.exe	34
PID 1636 wrote to memory of 1996	1636	svrcderll.exe	34
PID 1636 wrote to memory of 1996	1636	svrcderll.exe	34
PID 1636 wrote to memory of 1996	1636	svrcderll.exe	34
PID 1996 wrote to memory of 3052	1996	svrcderll.exe	35
PID 1996 wrote to memory of 3052	1996	svrcderll.exe	35
PID 1996 wrote to memory of 3052	1996	svrcderll.exe	35
PID 1996 wrote to memory of 3052	1996	svrcderll.exe	35
PID 2928 wrote to memory of 2956	2928	cmd.exe	37
PID 2928 wrote to memory of 2956	2928	cmd.exe	37
PID 2928 wrote to memory of 2956	2928	cmd.exe	37
PID 3052 wrote to memory of 1988	3052	svrcderll.exe	38
PID 3052 wrote to memory of 1988	3052	svrcderll.exe	38
PID 3052 wrote to memory of 1988	3052	svrcderll.exe	38
PID 1160 wrote to memory of 2064	1160	taskeng.exe	41
PID 1160 wrote to memory of 2064	1160	taskeng.exe	41
PID 1160 wrote to memory of 2064	1160	taskeng.exe	41
PID 1160 wrote to memory of 2064	1160	taskeng.exe	41
PID 2064 wrote to memory of 620	2064	svrcderll.exe	42
PID 2064 wrote to memory of 620	2064	svrcderll.exe	42
PID 2064 wrote to memory of 620	2064	svrcderll.exe	42
PID 2064 wrote to memory of 620	2064	svrcderll.exe	42
PID 620 wrote to memory of 1372	620	svrcderll.exe	43
PID 620 wrote to memory of 1372	620	svrcderll.exe	43
PID 620 wrote to memory of 1372	620	svrcderll.exe	43
PID 620 wrote to memory of 1372	620	svrcderll.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\app-0.89.2\svrcderll.exe
"C:\Users\Admin\AppData\Local\Temp\app-0.89.2\svrcderll.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe" 13820647f 2216 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe" 13820647f 2216 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
  2⤵
  - Drops file in Windows directory
  PID:2068

C:\Windows\aUILw8uLTkKX\svrcderll.exe
"C:\Windows\aUILw8uLTkKX\svrcderll.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe
  "C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe
    "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe
      "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe" "6f985ec46131bfedeee86f510"
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1988

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe" e37180d57512f2324f8 2216 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe" e37180d57512f2324f8 2216 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2956

C:\Windows\system32\taskeng.exe
taskeng.exe {F7E32DFF-54AC-4D25-AB41-D1DA2A4934C0} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\aUILw8uLTkKX\svrcderll.exe
  C:\Windows\aUILw8uLTkKX\svrcderll.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe
    "C:\Windows\aUILw8uLTkKX\app-0.89.2\svrcderll.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe
      "C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\895D2F30F96A470C8A59827778B21DF5

Filesize
520B

MD5
e90213455da78879079e04c21a8c3cb7

SHA1
efcc5bba6bf8940fd871b952d9d6c64938d339c5

SHA256
0600fd8cd858924ba2add5fe3777bb732189e755eb50039c9dae3148b3ce9f49

SHA512
69bfe21c2ea8aa96191b3a7261a33ab383e00468006a8b19beddaa4e0b8b7977841bac729cf4240e45e5d70ba4130b96d2af6100844a72b6570b075a935eadca

Download Submit
C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6

Filesize
12.3MB

MD5
8abd98831e34544fcbcd1a33f79b9617

SHA1
8b23bfa64eb0087983433cc3f85a5dd087bf4eca

SHA256
95c2cfee008c27a4a9c7b10e759c3dd25480c882eee6f4f8f20aa4ccfc534bc1

SHA512
2e26f26b636e10fa6d8c3a572ea76fc17e83572079b3906694fc53fa8d1ae3603e5fe314a7775d56607e8c2d14699b9d7e7817289563960a08c22f3d0ad04efe

Download Submit
C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\libcurl.dll

Filesize
556KB

MD5
6b2548cc404f3dd55634efa291fa98d0

SHA1
a076a60d99d70fd8aa7664a2534445a502febe27

SHA256
7ae384b8695d7a9c2b6640927cb6ac592229aef9ebeeb80b91d556777c6dfb5d

SHA512
14068e9e7d5f7e4494ffa75d369068234cdb050286d3356298e0387cf13d7681c0d68b57b6b299958c86ee3ae1dc3e54adc4c376e7b869d7d76fc2e91ed95009

Download Submit
C:\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\zlibwapi.dll

Filesize
324KB

MD5
b75a201484fe177e6460c08a1f2be3ca

SHA1
44eedc44deb82c77e82483dadd0575915b47a4b7

SHA256
fdd525739c5f4d55d3a65271c3389b34c79c236342ccedf31b34c539acea08d0

SHA512
f922f1c5fc876a2fcc1c14d8c1665d2172dbd5fbea53e964e0229f07da449fbea72c9509a532f37c48dd1faec2df4271561191bfb9aa62495104f5828c69b07f

Download Submit
C:\Windows\aUILw8uLTkKX\svrcderll.exe

Filesize
586KB

MD5
f6f6ff4e9b359bc005a25fadb3a0aa61

SHA1
831fe06ce2015e2d66467d04f2d46ec3e96524d3

SHA256
6eb2a5f8ba7b7e2438a9608b7a2d5eefa1f8b66aaf7060c208678e47c3565324

SHA512
db29271f28a3bff4bd3f4073b522c662f70865cc1067e0de2c11ef284d8d88fe9ca165485da6fe52372bf3db33764f195853b883d8fdab1b502e960b0915da14

Download Submit
\Windows\aUILw8uLTkKX\app-0.89.2\app-0.89.2\svrcderll.exe

Filesize
2.2MB

MD5
6cf29dbf1fa710cccf6ba1c4c01f6b85

SHA1
a1debdb076c8c655e3d78c6ae82f1beba386a2ba

SHA256
f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b

SHA512
ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5

Download Submit
memory/1372-84-0x00000000044E0000-0x0000000005189000-memory.dmp

Filesize
12.7MB

Download
memory/1372-82-0x00000000044E0000-0x0000000005189000-memory.dmp

Filesize
12.7MB

Download
memory/1988-73-0x00000000063F0000-0x0000000006663000-memory.dmp

Filesize
2.4MB

Download
memory/1988-63-0x0000000004510000-0x00000000051B9000-memory.dmp

Filesize
12.7MB

Download
memory/1988-67-0x0000000004510000-0x00000000051B9000-memory.dmp

Filesize
12.7MB

Download
memory/1988-65-0x0000000004510000-0x00000000051B9000-memory.dmp

Filesize
12.7MB

Download
memory/1988-70-0x00000000063F0000-0x0000000006663000-memory.dmp

Filesize
2.4MB

Download
memory/1988-71-0x00000000063F0000-0x0000000006663000-memory.dmp

Filesize
2.4MB

Download
memory/2068-11-0x000000013F6D0000-0x000000013F90C000-memory.dmp

Filesize
2.2MB

Download
memory/2068-15-0x0000000003510000-0x00000000041B9000-memory.dmp

Filesize
12.7MB

Download
memory/2068-13-0x0000000003510000-0x00000000041B9000-memory.dmp

Filesize
12.7MB

Download
memory/2216-0-0x000000013F7B8000-0x000000013F7B9000-memory.dmp

Filesize
4KB

Download
memory/2216-6-0x0000000004570000-0x0000000005219000-memory.dmp

Filesize
12.7MB

Download
memory/2216-4-0x0000000004570000-0x0000000005219000-memory.dmp

Filesize
12.7MB

Download
memory/2216-3-0x000000013F6D0000-0x000000013F90C000-memory.dmp

Filesize
2.2MB

Download
memory/2216-2-0x0000000002020000-0x0000000002C6B000-memory.dmp

Filesize
12.3MB

Download
memory/2216-1-0x000000013F7B8000-0x000000013F7B9000-memory.dmp

Filesize
4KB

Download
memory/2956-58-0x00000000032A0000-0x0000000003F49000-memory.dmp

Filesize
12.7MB

Download
memory/2956-60-0x00000000032A0000-0x0000000003F49000-memory.dmp

Filesize
12.7MB

Download
memory/3052-49-0x0000000003380000-0x0000000004029000-memory.dmp

Filesize
12.7MB

Download
memory/3052-51-0x0000000003380000-0x0000000004029000-memory.dmp

Filesize
12.7MB

Download