2ba304ab84b5a924eb9a5c7e605082648a0cc6bd3c4906827446183e430aca05

General

Target

372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef.dll
Size

846KB
MD5

85003057fbddd3468478adc04a1b50cd
SHA1

acdd39a0d8068bfc4a16a0193c90eae85a5831fa
SHA256

372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef
SHA512

989f0738855e83b3ec9d97a7c9f93c0362285393cb1b7a266d6d1287bffad97c3a674c1738d1d0dc32c9751f68025da34f176a9bcc81c27b39fc1accdbbabb06

Score

8^/10

persistence upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

4 2000 rundll32.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

flow	pid	process
4	2000	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\BGqsnKHv.dll	upx

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2000 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\LHxJEClUpdc.sys rundll32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

2000 rundll32.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

rundll32.exe

pid process

2000 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2000 rundll32.exe
Token: SeLoadDriverPrivilege 2000 rundll32.exe

pid	process
2000	rundll32.exe

description	ioc	process
File created	C:\Windows\LHxJEClUpdc.sys	rundll32.exe

pid	process
2000	rundll32.exe

pid	process
2000	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2000	rundll32.exe
Token: SeLoadDriverPrivilege	2000	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1852 wrote to memory of 2000	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 2000	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 2000	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 2000	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 2000	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 2000	1852	rundll32.exe	rundll32.exe
PID 1852 wrote to memory of 2000	1852	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\372b929ae9362bf357a3a8c5c968921f2c950094d928b2ed2cf94ea04bcfdbef.dll,#1
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\BGqsnKHv.dll
MD5
c637559fada3fe53e5a6f8dcc0a5bf4f

SHA1
265af8613fef8024190e6e49b1b24cf34060d86b

SHA256
9d7fc881646ba2db7023ed8f0857c1a82df0d81ebef839d20063a027fe4b9e7d

SHA512
fc0a32bb05b3b4ff96382d0c3d1857b1eb70c4e9030073c33579998f1fca40c8dcd6b2960c329c9845af5aa245566577198fa18e9c1985850038e84af1ac56ce

Download Submit
memory/2000-2-0x0000000000000000-mapping.dmp

Download
memory/2000-3-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/2000-5-0x0000000000100000-0x0000000000103000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing