Analysis

  • max time kernel
    876s
  • max time network
    867s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250207-en
  • resource tags

    arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09/02/2025, 15:25

General

  • Target

    windows/loaders/dos.dll

  • Size

    39KB

  • MD5

    2c64fadc5893f9f730ef36ee2552702d

  • SHA1

    ed435f79cbca422fb016512a497e5cdad9b803b1

  • SHA256

    e40cf852b5219562b6e7b1ca998d23edb6bbef0e838ab33a75b1bd5136b908df

  • SHA512

    1cf545880fb0f0e31c044db2903d8e8a6f7224f518fca2f63bb5438f8455bd7ac1d483a03f37b9213c720daa228a61d82f7bbd21c8d7bf4f91fefa9a1946f323

  • SSDEEP

    768:r1viY6Uh3ggYOnUmGQ/oBw9z5XEchlnKCQ4:BKYVFggemZtz5XE1CQ

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\windows\loaders\dos.dll,#1
    1⤵
      PID:5728
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjM4QTg2NTktMUU4RS00RjNGLUE0MTAtNTRFMzlFOUUzMDE2fSIgdXNlcmlkPSJ7OTkzMjYzOTAtMTYxNy00N0Q3LTlFRjQtQjVCOEZCQjQ0QTE1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEQzNDEzNTMtRTRGNC00NTQxLTg3OEYtN0IwMkUzOTg5MEQyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NTAyNyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3NjIxMTgwMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1MTAyMjQ5MTEiLz48L2FwcD48L3JlcXVlc3Q-
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:5644
    • C:\Windows\SysWOW64\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4588" "1056" "1204" "1060" "0" "0" "0" "0" "0" "0" "0" "0"
      1⤵
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:1536
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjM4QTg2NTktMUU4RS00RjNGLUE0MTAtNTRFMzlFOUUzMDE2fSIgdXNlcmlkPSJ7OTkzMjYzOTAtMTYxNy00N0Q3LTlFRjQtQjVCOEZCQjQ0QTE1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntCRkIxQTdCNy01RTM2LTRDNzAtODE0RC1FNzhBQkM0MEFERTR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDU0OSI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1MzE5NDM4OTYiLz48L2FwcD48L3JlcXVlc3Q-
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:5840
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjM4QTg2NTktMUU4RS00RjNGLUE0MTAtNTRFMzlFOUUzMDE2fSIgdXNlcmlkPSJ7OTkzMjYzOTAtMTYxNy00N0Q3LTlFRjQtQjVCOEZCQjQ0QTE1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins2RUIzQTA0Ny0zMzlCLTRDQjgtOTQ0OC0wRUNCQkMyMjkxODJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgY29ob3J0PSJycmZAMC40OCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9IntENTQ1NTQwOC0yQTMxLTQ4NjgtODE1My0zQjRDRDBDMzcxMDZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuNjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxODQ0Njc0NDA3MzcwOTU1MTYwNiIgdXBkYXRlX2NvdW50PSIxIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MzA1NTYwMjc1MDIwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMiIgcj0iMiIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezZDQzI2QUE4LUU3OUQtNDAyQS1BOERELTM4OUVBRDM5NEIxNX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBjb2hvcnQ9InJyZkAwLjI4IiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NDYxMTFDMUMtMDc4Mi00NkI2LUJEQkItQkU2OUVCRTk0MjI4fSIvPjwvYXBwPjwvcmVxdWVzdD4
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:6072
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3816,i,812062913372518910,10869345044244848604,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:14
      1⤵
        PID:5368
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
        1⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:228
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4068,i,812062913372518910,10869345044244848604,262144 --variations-seed-version --mojo-platform-channel-handle=3968 /prefetch:14
        1⤵
          PID:2800
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4500,i,812062913372518910,10869345044244848604,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:14
          1⤵
            PID:4936
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5268,i,812062913372518910,10869345044244848604,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:14
            1⤵
              PID:5440
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5472,i,812062913372518910,10869345044244848604,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:14
              1⤵
                PID:4944
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4032,i,812062913372518910,10869345044244848604,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:14
                1⤵
                  PID:4524
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4816,i,812062913372518910,10869345044244848604,262144 --variations-seed-version --mojo-platform-channel-handle=2948 /prefetch:14
                  1⤵
                    PID:5780
                  • C:\Windows\system32\WerFault.exe
                    "C:\Windows\system32\WerFault.exe" -k -lc PDCRevocation PDCRevocation-20250209-1546.dmp
                    1⤵
                      PID:3556

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

                      Filesize

                      406KB

                      MD5

                      366583ac04036c021bceb086c89dcce9

                      SHA1

                      08d66877d6801b6ab8b0685e5d5431fc4cb216e3

                      SHA256

                      12c2cabff4bff7f08547d4c122b0873845dd133a377ff64162ddc31b7195cc41

                      SHA512

                      80a53cb9d50c68cc7330fdcf4e23bdf6a0130add072db1bd130de9d11ed0ca43bd7451127c2ccd9c72283f4378b2f5ae51282a9886cedeb493c88922e3065979

                    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

                      Filesize

                      419KB

                      MD5

                      794f66b8363254116adc8d6579495f66

                      SHA1

                      9a6a148f9f9bb94d37575b9671c5cbc5cf8c3f19

                      SHA256

                      e8e970e9fcd5bfa2988a162e8da457b5aa2463406393ee04c967de8a2fd71fd4

                      SHA512

                      00134413e19d73c752706ae23efc861aa690613a8fa89cc80d6d819e7759cacf64c84b1b172949149d0df677e0f6d64d697527a554eb7f27c720d07f3ac48eab

                    • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

                      Filesize

                      381KB

                      MD5

                      d59d4ddb9125c0ff7f036be8a1856fc4

                      SHA1

                      85a8a5204e5e30a9bc04cb05b5a46e7869781992

                      SHA256

                      070bac0252d1e1d299d18f484d769d6f1f25d6ef63537e63fabad72f977ec6a1

                      SHA512

                      63c1b4f4d75d80ae04df2f388819c954eeab15b820043a9421030a12e2e57b3499d60c95fbb96357566c44850de208573ccc254aa0ac0302245d45287513efa3