018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81

Analysis

max time kernel
96s
max time network
55s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81.dll
Size

74KB
MD5

ab17f2b17c57b731cb930243589ab0cf
SHA1

5a5fafbc3fec8d36fd57b075ebf34119ba3bff04
SHA256

018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81
SHA512

62aac7869c47f89a545eadb2a150181771e1accfe454673d81e3899447e907aae030beea31cfc66820f665fa5060190a6c8823dd6356fbe34af99eae7e4067ce

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\ImagePath	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\ImagePath	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\ImagePath	rundll32.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	rundll32.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-369956170-74428499-1628131376-1000\desktop.ini	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mip_core.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdarem.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrw_xl.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll	rundll32.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCuiL.exe	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vcruntime140.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DLL	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jpeg.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dcpr.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\eventlog_provider.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\npdeployJava1.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-file-l2-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2ssv.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PPINTL.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\instrument.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\REFEDIT.DLL	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe
2440	rundll32.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2352	Process not Found
2888	Process not Found
2980	Process not Found
2244	Process not Found
4032	Process not Found
60	Process not Found
1524	Process not Found
2904	Process not Found
2872	Process not Found
2064	Process not Found
4832	Process not Found
3560	Process not Found
3612	Process not Found
3484	Process not Found
3252	Process not Found
2896	Process not Found
2924	Process not Found
2952	Process not Found
3752	Process not Found
3732	Process not Found
2420	Process not Found
2372	Process not Found
3456	Process not Found
3748	Process not Found
3756	Process not Found
3796	Process not Found
3264	Process not Found
3680	Process not Found
3332	Process not Found
3520	Process not Found
3384	Process not Found
3444	Process not Found
3516	Process not Found
3532	Process not Found
3340	Process not Found
3348	Process not Found
3860	Process not Found
3872	Process not Found
3876	Process not Found
3260	Process not Found
5924	Process not Found
3716	Process not Found
3920	Process not Found
3220	Process not Found
3108	Process not Found
3236	Process not Found
952	Process not Found
660	Process not Found
632	Process not Found
656	Process not Found
708	Process not Found
420	Process not Found
1048	Process not Found
2356	Process not Found
2284	Process not Found
352	Process not Found
1244	Process not Found
1420	Process not Found
1480	Process not Found
5932	Process not Found
1396	Process not Found
1376	Process not Found
1276	Process not Found
6140	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5956	sihost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2440	2372	rundll32.exe	68
PID 2372 wrote to memory of 2440	2372	rundll32.exe	68
PID 2372 wrote to memory of 2440	2372	rundll32.exe	68

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81.dll,#1
  2⤵
  - Modifies security service
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2440

\??\c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:5976

\??\c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:5956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads