597967017af5b99604f5b8135ba5da3929d447937ef96d6d08750c71b1ad8b57

Analysis

max time kernel
137s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DiceBot.5.0.4.zip
Size

5.4MB
MD5

db9cf9e9e0bc3db99cdf31faef819634
SHA1

99a4cfa8bd2b6a2076959c66c07eb07fb9e56c2f
SHA256

597967017af5b99604f5b8135ba5da3929d447937ef96d6d08750c71b1ad8b57
SHA512

a27a627e97a35a7e6c3bee08ff943cb9574451c924685e8bcd7a935711dcf46d36b82f5ddb24089fedc651c76e5df35d5e2cfc70dc458225a63c2ef09e5f4dd1
SSDEEP

98304:WjXkWcnP6jp841ih8aElTJvggVd+t3Dh/CH/58+OGp9OBP+UNfZCvmN3:WjmSjpB9aqgFt3DhQ/58+OGOlNfYw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2580	DiceBot 5.0.4.exe
1504	DiceBot 5.0.4.exe

Loads dropped DLL 14 IoCs

pid	Process
2084	7zFM.exe
2532	Process not Found
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe
2084	7zFM.exe
2376	Process not Found
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe
2504	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.text	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.text\ = "text_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\text_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2084	7zFM.exe
2832	rundll32.exe
3024	rundll32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	2084	7zFM.exe
Token: 35	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2108	AcroRd32.exe
2108	AcroRd32.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2580	2084	7zFM.exe	31
PID 2084 wrote to memory of 2580	2084	7zFM.exe	31
PID 2084 wrote to memory of 2580	2084	7zFM.exe	31
PID 2580 wrote to memory of 2616	2580	DiceBot 5.0.4.exe	33
PID 2580 wrote to memory of 2616	2580	DiceBot 5.0.4.exe	33
PID 2580 wrote to memory of 2616	2580	DiceBot 5.0.4.exe	33
PID 2084 wrote to memory of 1840	2084	7zFM.exe	34
PID 2084 wrote to memory of 1840	2084	7zFM.exe	34
PID 2084 wrote to memory of 1840	2084	7zFM.exe	34
PID 1840 wrote to memory of 2096	1840	rundll32.exe	35
PID 1840 wrote to memory of 2096	1840	rundll32.exe	35
PID 1840 wrote to memory of 2096	1840	rundll32.exe	35
PID 2084 wrote to memory of 1280	2084	7zFM.exe	37
PID 2084 wrote to memory of 1280	2084	7zFM.exe	37
PID 2084 wrote to memory of 1280	2084	7zFM.exe	37
PID 2084 wrote to memory of 2832	2084	7zFM.exe	39
PID 2084 wrote to memory of 2832	2084	7zFM.exe	39
PID 2084 wrote to memory of 2832	2084	7zFM.exe	39
PID 2832 wrote to memory of 2108	2832	rundll32.exe	40
PID 2832 wrote to memory of 2108	2832	rundll32.exe	40
PID 2832 wrote to memory of 2108	2832	rundll32.exe	40
PID 2832 wrote to memory of 2108	2832	rundll32.exe	40
PID 2084 wrote to memory of 3024	2084	7zFM.exe	41
PID 2084 wrote to memory of 3024	2084	7zFM.exe	41
PID 2084 wrote to memory of 3024	2084	7zFM.exe	41
PID 3024 wrote to memory of 1028	3024	rundll32.exe	42
PID 3024 wrote to memory of 1028	3024	rundll32.exe	42
PID 3024 wrote to memory of 1028	3024	rundll32.exe	42
PID 2084 wrote to memory of 1504	2084	7zFM.exe	43
PID 2084 wrote to memory of 1504	2084	7zFM.exe	43
PID 2084 wrote to memory of 1504	2084	7zFM.exe	43
PID 1504 wrote to memory of 2504	1504	DiceBot 5.0.4.exe	45
PID 1504 wrote to memory of 2504	1504	DiceBot 5.0.4.exe	45
PID 1504 wrote to memory of 2504	1504	DiceBot 5.0.4.exe	45

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DiceBot.5.0.4.zip"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\7zO42841157\DiceBot 5.0.4.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO42841157\DiceBot 5.0.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2580 -s 520
    3⤵
    - Loads dropped DLL
    PID:2616
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO42860CF7\.text
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO42860CF7\.text
    3⤵
    PID:2096
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO428E30C7\.text
  2⤵
  PID:1280
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO428FF858\CERTIFICATE
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO428FF858\CERTIFICATE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2108
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO42818998\1
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO42818998\1
    3⤵
    PID:1028
- C:\Users\Admin\AppData\Local\Temp\7zO428F34D8\DiceBot 5.0.4.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO428F34D8\DiceBot 5.0.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1504 -s 516
    3⤵
    - Loads dropped DLL
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO42818998\1

Filesize
3KB

MD5
3530344101f9b3a0a8a492d9b37ab548

SHA1
521619788a8bff7053ccdab59f6e40ffed8f3f7b

SHA256
82ef68b9f4816f92c07def7285747a1de95b973efd9a7fbfeda91653cf6581b5

SHA512
166016774f4e1bf30a7573ac7bd8ce029c4411fd3688ed3663de73de52a044a431a540629fab1e81483f197fc6972d22790b269d7775cccc7297426b2f05ddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO42860CF7\.text

Filesize
3KB

MD5
e8793e1fbb604906af686bb191cafa17

SHA1
f564db05b1929463ee349d49690216c04328a88a

SHA256
c05266a0b7e863466b31106d835adf88e832ad2b5afe228483d514a36871da2a

SHA512
ba8034b2a1095ae4846b0a9a0ce2954758fc116c71c311ac3809acb4fd8a5bae2a2e269ae85d588b4e15b82c83bfd1ae3b9f219ee8a77e3bc133d8eb889269af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO428FF858\CERTIFICATE

Filesize
8KB

MD5
690d1458b0ae2d2b1afa718706010cb0

SHA1
dc7443af07847953f99bd4006da3d27402155e2a

SHA256
bdb36d7876a8a2a5723eff81099107cd675bf024fc278184ecc34d30914d3d66

SHA512
233b4da9c6c4d36810c9574495f3cb6b739c061c8c179bd80056d655af0a424d0dedfb087835aeefa482c5d4cd36fb607ff391511671fb80649ce11cd265c1a0

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
56f23f646baf0a2367dc10b92952fcab

SHA1
c43ea52c89a9ff59da08f4fed19d7b9c876cebe6

SHA256
df6d097458f651642f6b8e097f1cadca2bcfcef850ec82ed49f4c8c3bfbce64c

SHA512
e20519dbbe7a471b1454cf38e992a8c94fc3aef9733054493a485c4b094008132e2f441636b7f865eaeeecf7dae446d64ee711e08304bcdd1df9cdeed4ada64b

Download Submit
\Users\Admin\AppData\Local\Temp\7zO42841157\DiceBot 5.0.4.exe

Filesize
178KB

MD5
109ffbefe8cccafc6db7276baa45be0f

SHA1
df7300d951756013db8b820ce4b4044559fe83d1

SHA256
647de53b1d9e75ec2ff48838924ddd00799d05c0d61af111a842a59621a90f7c

SHA512
13af9f6925cb22bb2b4c644e6737d37e508c1a53677942619c415265e4a9b699769df7406d6409dad5198c428bf66c54cf33490a2b98450546b73a68422793d5

Download Submit
memory/1504-59-0x000000013F990000-0x000000013F9BE000-memory.dmp

Filesize
184KB

Download
memory/2580-9-0x000000013FE60000-0x000000013FE8E000-memory.dmp

Filesize
184KB

Download