d865eb22b01c9efa2d3d48f2df807fbd89783cfc06e7377635415c97be1f021e

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app-0.89.2/svrcderll.exe
Size

586KB
MD5

f6f6ff4e9b359bc005a25fadb3a0aa61
SHA1

831fe06ce2015e2d66467d04f2d46ec3e96524d3
SHA256

6eb2a5f8ba7b7e2438a9608b7a2d5eefa1f8b66aaf7060c208678e47c3565324
SHA512

db29271f28a3bff4bd3f4073b522c662f70865cc1067e0de2c11ef284d8d88fe9ca165485da6fe52372bf3db33764f195853b883d8fdab1b502e960b0915da14
SSDEEP

6144:xc2XFRJ3DNuzAOS9FOU6CNmKQEiispigdlDAlZVl49q7r+:7FvYzU9QU6CNmKsPtdsXl49qX+

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1648 created 4872	1648	svrcderll.exe	111

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	svrcderll.exe
File opened (read-only)	\??\V:	svrcderll.exe
File opened (read-only)	\??\E:	svrcderll.exe
File opened (read-only)	\??\H:	svrcderll.exe
File opened (read-only)	\??\L:	svrcderll.exe
File opened (read-only)	\??\O:	svrcderll.exe
File opened (read-only)	\??\P:	svrcderll.exe
File opened (read-only)	\??\S:	svrcderll.exe
File opened (read-only)	\??\T:	svrcderll.exe
File opened (read-only)	\??\Z:	svrcderll.exe
File opened (read-only)	\??\B:	svrcderll.exe
File opened (read-only)	\??\G:	svrcderll.exe
File opened (read-only)	\??\K:	svrcderll.exe
File opened (read-only)	\??\N:	svrcderll.exe
File opened (read-only)	\??\R:	svrcderll.exe
File opened (read-only)	\??\I:	svrcderll.exe
File opened (read-only)	\??\J:	svrcderll.exe
File opened (read-only)	\??\W:	svrcderll.exe
File opened (read-only)	\??\X:	svrcderll.exe
File opened (read-only)	\??\Y:	svrcderll.exe
File opened (read-only)	\??\M:	svrcderll.exe
File opened (read-only)	\??\U:	svrcderll.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pXuqFUIlyRpP\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\zlibwapi.dll	svrcderll.exe
File created	C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\libcurl.dll	svrcderll.exe
File opened for modification	C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\libcurl.dll	svrcderll.exe
File created	C:\Windows\pXuqFUIlyRpP\svrcderll.exe	svrcderll.exe
File created	C:\Windows\pXuqFUIlyRpP\app-0.89.2\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\pXuqFUIlyRpP\app-0.89.2\svrcderll.exe	svrcderll.exe
File created	C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe	svrcderll.exe
File opened for modification	C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe	svrcderll.exe
File created	C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6	svrcderll.exe
File opened for modification	C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6	svrcderll.exe
File created	C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\zlibwapi.dll	svrcderll.exe

Executes dropped EXE 9 IoCs

pid	Process
4460	svrcderll.exe
2748	svrcderll.exe
3692	svrcderll.exe
4300	svrcderll.exe
1648	svrcderll.exe
1368	svrcderll.exe
2096	svrcderll.exe
1064	svrcderll.exe
3868	svrcderll.exe

Loads dropped DLL 10 IoCs

pid	Process
3692	svrcderll.exe
3692	svrcderll.exe
4300	svrcderll.exe
4300	svrcderll.exe
1648	svrcderll.exe
1648	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
3868	svrcderll.exe
3868	svrcderll.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svrcderll.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svrcderll.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svrcderll.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
4672	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
3692	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe
1368	svrcderll.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 4672	2536	svrcderll.exe	83
PID 2536 wrote to memory of 4672	2536	svrcderll.exe	83
PID 3268 wrote to memory of 4232	3268	cmd.exe	93
PID 3268 wrote to memory of 4232	3268	cmd.exe	93
PID 4460 wrote to memory of 2748	4460	svrcderll.exe	101
PID 4460 wrote to memory of 2748	4460	svrcderll.exe	101
PID 4460 wrote to memory of 2748	4460	svrcderll.exe	101
PID 2748 wrote to memory of 3692	2748	svrcderll.exe	102
PID 2748 wrote to memory of 3692	2748	svrcderll.exe	102
PID 4128 wrote to memory of 4300	4128	cmd.exe	106
PID 4128 wrote to memory of 4300	4128	cmd.exe	106
PID 3692 wrote to memory of 1648	3692	svrcderll.exe	108
PID 3692 wrote to memory of 1648	3692	svrcderll.exe	108
PID 1648 wrote to memory of 1368	1648	svrcderll.exe	112
PID 1648 wrote to memory of 1368	1648	svrcderll.exe	112
PID 2096 wrote to memory of 1064	2096	svrcderll.exe	116
PID 2096 wrote to memory of 1064	2096	svrcderll.exe	116
PID 2096 wrote to memory of 1064	2096	svrcderll.exe	116
PID 1064 wrote to memory of 3868	1064	svrcderll.exe	117
PID 1064 wrote to memory of 3868	1064	svrcderll.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\app-0.89.2\svrcderll.exe
"C:\Users\Admin\AppData\Local\Temp\app-0.89.2\svrcderll.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe" 13820647f 4672 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\svrcderll.exe" 13820647f 4672 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
  2⤵
  - Drops file in Windows directory
  PID:4232

C:\Windows\pXuqFUIlyRpP\svrcderll.exe
"C:\Windows\pXuqFUIlyRpP\svrcderll.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\pXuqFUIlyRpP\app-0.89.2\svrcderll.exe
  "C:\Windows\pXuqFUIlyRpP\app-0.89.2\svrcderll.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe
    "C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe
      "C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe" "b51a8a"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\system32\newdev.exe
        
        C:\Windows\system32\newdev.exe
        5⤵
        
        PID:2156
    - - C:\Windows\system32\WinSAT.exe
        
        C:\Windows\system32\WinSAT.exe
        5⤵
        
        PID:4872
      - C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe
        
        "C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe" 6f985ec46131bfedeee86f510 1648
        6⤵
        Enumerates connected drives
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe" e37180d57512f2324f8 4672 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
1⤵
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe
  "C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe" e37180d57512f2324f8 4672 "C:\Users\Admin\AppData\Local\Temp\app-0.89.2\app-0.89.2\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4300

C:\Windows\pXuqFUIlyRpP\svrcderll.exe
C:\Windows\pXuqFUIlyRpP\svrcderll.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\pXuqFUIlyRpP\app-0.89.2\svrcderll.exe
  "C:\Windows\pXuqFUIlyRpP\app-0.89.2\svrcderll.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe
    "C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\895D2F30F96A470C8A59827778B21DF5

Filesize
520B

MD5
0531cb240b76b170552d4626263bf22b

SHA1
ecc171de96b7634dd29da8f594a13c9de5f38c79

SHA256
7d9766ee40a041e4f59534436619f30a653184c21072a68fd8ad430296f05870

SHA512
9ebae89321e162a5e9edbcb432ec2d2e93ade2830d7abf41325caf35637eff849d934638886cc3a8c1df1a92a71780f7864fb5b964cd35666e571b44f9985941

Download Submit
C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\B494DF77ED66BD6F9E2EC9A.3b6

Filesize
12.3MB

MD5
8abd98831e34544fcbcd1a33f79b9617

SHA1
8b23bfa64eb0087983433cc3f85a5dd087bf4eca

SHA256
95c2cfee008c27a4a9c7b10e759c3dd25480c882eee6f4f8f20aa4ccfc534bc1

SHA512
2e26f26b636e10fa6d8c3a572ea76fc17e83572079b3906694fc53fa8d1ae3603e5fe314a7775d56607e8c2d14699b9d7e7817289563960a08c22f3d0ad04efe

Download Submit
C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\libcurl.dll

Filesize
556KB

MD5
6b2548cc404f3dd55634efa291fa98d0

SHA1
a076a60d99d70fd8aa7664a2534445a502febe27

SHA256
7ae384b8695d7a9c2b6640927cb6ac592229aef9ebeeb80b91d556777c6dfb5d

SHA512
14068e9e7d5f7e4494ffa75d369068234cdb050286d3356298e0387cf13d7681c0d68b57b6b299958c86ee3ae1dc3e54adc4c376e7b869d7d76fc2e91ed95009

Download Submit
C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\svrcderll.exe

Filesize
2.2MB

MD5
6cf29dbf1fa710cccf6ba1c4c01f6b85

SHA1
a1debdb076c8c655e3d78c6ae82f1beba386a2ba

SHA256
f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b

SHA512
ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5

Download Submit
C:\Windows\pXuqFUIlyRpP\app-0.89.2\app-0.89.2\zlibwapi.dll

Filesize
324KB

MD5
b75a201484fe177e6460c08a1f2be3ca

SHA1
44eedc44deb82c77e82483dadd0575915b47a4b7

SHA256
fdd525739c5f4d55d3a65271c3389b34c79c236342ccedf31b34c539acea08d0

SHA512
f922f1c5fc876a2fcc1c14d8c1665d2172dbd5fbea53e964e0229f07da449fbea72c9509a532f37c48dd1faec2df4271561191bfb9aa62495104f5828c69b07f

Download Submit
C:\Windows\pXuqFUIlyRpP\svrcderll.exe

Filesize
586KB

MD5
f6f6ff4e9b359bc005a25fadb3a0aa61

SHA1
831fe06ce2015e2d66467d04f2d46ec3e96524d3

SHA256
6eb2a5f8ba7b7e2438a9608b7a2d5eefa1f8b66aaf7060c208678e47c3565324

SHA512
db29271f28a3bff4bd3f4073b522c662f70865cc1067e0de2c11ef284d8d88fe9ca165485da6fe52372bf3db33764f195853b883d8fdab1b502e960b0915da14

Download Submit
memory/1368-81-0x000001D31F540000-0x000001D31F7B3000-memory.dmp

Filesize
2.4MB

Download
memory/1368-79-0x000001D31F540000-0x000001D31F7B3000-memory.dmp

Filesize
2.4MB

Download
memory/1368-78-0x000001D31F540000-0x000001D31F7B3000-memory.dmp

Filesize
2.4MB

Download
memory/1368-75-0x000001D31DF80000-0x000001D31EC29000-memory.dmp

Filesize
12.7MB

Download
memory/1368-73-0x000001D31DF80000-0x000001D31EC29000-memory.dmp

Filesize
12.7MB

Download
memory/1368-72-0x000001D31DF80000-0x000001D31EC29000-memory.dmp

Filesize
12.7MB

Download
memory/1648-64-0x000001D13F190000-0x000001D13FE39000-memory.dmp

Filesize
12.7MB

Download
memory/1648-62-0x000001D13F190000-0x000001D13FE39000-memory.dmp

Filesize
12.7MB

Download
memory/3692-48-0x0000027746590000-0x0000027747239000-memory.dmp

Filesize
12.7MB

Download
memory/3692-50-0x0000027746590000-0x0000027747239000-memory.dmp

Filesize
12.7MB

Download
memory/3868-90-0x0000024CDD560000-0x0000024CDE209000-memory.dmp

Filesize
12.7MB

Download
memory/3868-92-0x0000024CDD560000-0x0000024CDE209000-memory.dmp

Filesize
12.7MB

Download
memory/4232-14-0x0000026316D00000-0x00000263179A9000-memory.dmp

Filesize
12.7MB

Download
memory/4232-12-0x00007FF65D710000-0x00007FF65D94C000-memory.dmp

Filesize
2.2MB

Download
memory/4232-17-0x0000026316D00000-0x00000263179A9000-memory.dmp

Filesize
12.7MB

Download
memory/4232-11-0x00007FF65D710000-0x00007FF65D94C000-memory.dmp

Filesize
2.2MB

Download
memory/4300-57-0x0000026181900000-0x00000261825A9000-memory.dmp

Filesize
12.7MB

Download
memory/4300-59-0x0000026181900000-0x00000261825A9000-memory.dmp

Filesize
12.7MB

Download
memory/4672-0-0x00007FF65D7F8000-0x00007FF65D7F9000-memory.dmp

Filesize
4KB

Download
memory/4672-3-0x00007FF65D710000-0x00007FF65D94C000-memory.dmp

Filesize
2.2MB

Download
memory/4672-2-0x000001AA71080000-0x000001AA71CCB000-memory.dmp

Filesize
12.3MB

Download
memory/4672-1-0x00007FF65D7F8000-0x00007FF65D7F9000-memory.dmp

Filesize
4KB

Download
memory/4672-4-0x000001AA735D0000-0x000001AA74279000-memory.dmp

Filesize
12.7MB

Download
memory/4672-6-0x000001AA735D0000-0x000001AA74279000-memory.dmp

Filesize
12.7MB

Download