ebb22358cc0ce4bc40c76e1c02df8d304fd0b27e9793c7cbcc02f23b4e3c1c89

General

Target

dhq.dll
Size

712KB
MD5

6e72b76795624c0cd578c24342453c7c
SHA1

7866fe84f3b53267bfe505bcec20467b05a6e074
SHA256

ebb22358cc0ce4bc40c76e1c02df8d304fd0b27e9793c7cbcc02f23b4e3c1c89
SHA512

279604b40b7d09d18de65ee7ec3c934879ad9d343d80114b1cec3a49d8740cab11b74bc57cea3ed4d2b93e0b98ab5fef8883592186e35234211acd7bc443ffd1

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

adobe1.exeadobe1.exe

pid process

1928 adobe1.exe
1324 adobe1.exe

pid	process
1928	adobe1.exe
1324	adobe1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1324-70-0x0000000013140000-0x000000001338D000-memory.dmp	upx
behavioral1/memory/1324-74-0x0000000013140000-0x000000001338D000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

rundll32.exeadobe1.exe

pid process

1956 rundll32.exe
1928 adobe1.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

adobe1.exe

description pid process target process

PID 1928 set thread context of 1324 1928 adobe1.exe adobe1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1956	rundll32.exe
1928	adobe1.exe

description	pid	process	target process
PID 1928 set thread context of 1324	1928	adobe1.exe	adobe1.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.exeadobe1.exeadobe1.exe

description	pid	process	target process
PID 1640 wrote to memory of 1956	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1956	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1956	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1956	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1956	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1956	1640	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 1956	1640	rundll32.exe	rundll32.exe
PID 1956 wrote to memory of 1928	1956	rundll32.exe	adobe1.exe
PID 1956 wrote to memory of 1928	1956	rundll32.exe	adobe1.exe
PID 1956 wrote to memory of 1928	1956	rundll32.exe	adobe1.exe
PID 1956 wrote to memory of 1928	1956	rundll32.exe	adobe1.exe
PID 1956 wrote to memory of 2044	1956	rundll32.exe	AcroRd32.exe
PID 1956 wrote to memory of 2044	1956	rundll32.exe	AcroRd32.exe
PID 1956 wrote to memory of 2044	1956	rundll32.exe	AcroRd32.exe
PID 1956 wrote to memory of 2044	1956	rundll32.exe	AcroRd32.exe
PID 1928 wrote to memory of 1324	1928	adobe1.exe	adobe1.exe
PID 1928 wrote to memory of 1324	1928	adobe1.exe	adobe1.exe
PID 1928 wrote to memory of 1324	1928	adobe1.exe	adobe1.exe
PID 1928 wrote to memory of 1324	1928	adobe1.exe	adobe1.exe
PID 1928 wrote to memory of 1324	1928	adobe1.exe	adobe1.exe
PID 1928 wrote to memory of 1324	1928	adobe1.exe	adobe1.exe
PID 1324 wrote to memory of 580	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 580	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 580	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 580	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 580	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 852	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 852	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 852	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 852	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 852	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 1784	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 1784	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 1784	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 1784	1324	adobe1.exe	iexplore.exe
PID 1324 wrote to memory of 1784	1324	adobe1.exe	iexplore.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dhq.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dhq.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\adobe1.exe
    C:\Users\Admin\AppData\Local\Temp\\adobe1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\adobe1.exe
      C:\Users\Admin\AppData\Local\Temp\\adobe1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:580
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:852
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1784
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\reader.pdf"
    3⤵
    PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobe1.exe

MD5
fa0469c74632450ff280cda736e3b589

SHA1
2a125739fc91b38f69c021d8c1e9f66f15da7c1b

SHA256
9c85331956b4018e4bccaa097b452c1cc368183d8f2a34e55e251a616a1f2cb9

SHA512
291256e19f7ef82e57c4223ae8777aeaf39767dba3adf3c6b39c57b2f6c6d4d292d7ace2d53a8536d9d5973088a5156c41e663f38dc9a2b7b384bbf45184b3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe1.exe

MD5
fa0469c74632450ff280cda736e3b589

SHA1
2a125739fc91b38f69c021d8c1e9f66f15da7c1b

SHA256
9c85331956b4018e4bccaa097b452c1cc368183d8f2a34e55e251a616a1f2cb9

SHA512
291256e19f7ef82e57c4223ae8777aeaf39767dba3adf3c6b39c57b2f6c6d4d292d7ace2d53a8536d9d5973088a5156c41e663f38dc9a2b7b384bbf45184b3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe1.exe

MD5
fa0469c74632450ff280cda736e3b589

SHA1
2a125739fc91b38f69c021d8c1e9f66f15da7c1b

SHA256
9c85331956b4018e4bccaa097b452c1cc368183d8f2a34e55e251a616a1f2cb9

SHA512
291256e19f7ef82e57c4223ae8777aeaf39767dba3adf3c6b39c57b2f6c6d4d292d7ace2d53a8536d9d5973088a5156c41e663f38dc9a2b7b384bbf45184b3e9

Download Submit
\Users\Admin\AppData\Local\Temp\adobe1.exe

MD5
fa0469c74632450ff280cda736e3b589

SHA1
2a125739fc91b38f69c021d8c1e9f66f15da7c1b

SHA256
9c85331956b4018e4bccaa097b452c1cc368183d8f2a34e55e251a616a1f2cb9

SHA512
291256e19f7ef82e57c4223ae8777aeaf39767dba3adf3c6b39c57b2f6c6d4d292d7ace2d53a8536d9d5973088a5156c41e663f38dc9a2b7b384bbf45184b3e9

Download Submit
\Users\Admin\AppData\Local\Temp\adobe1.exe

MD5
fa0469c74632450ff280cda736e3b589

SHA1
2a125739fc91b38f69c021d8c1e9f66f15da7c1b

SHA256
9c85331956b4018e4bccaa097b452c1cc368183d8f2a34e55e251a616a1f2cb9

SHA512
291256e19f7ef82e57c4223ae8777aeaf39767dba3adf3c6b39c57b2f6c6d4d292d7ace2d53a8536d9d5973088a5156c41e663f38dc9a2b7b384bbf45184b3e9

Download Submit
memory/1324-74-0x0000000013140000-0x000000001338D000-memory.dmp

Filesize
2.3MB

Download
memory/1324-71-0x000000001338B560-mapping.dmp

Download
memory/1324-70-0x0000000013140000-0x000000001338D000-memory.dmp

Filesize
2.3MB

Download
memory/1928-63-0x0000000000000000-mapping.dmp

Download
memory/1928-65-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1956-60-0x0000000000000000-mapping.dmp

Download
memory/1956-61-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/2044-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing