Overview

overview

10

Static

static

185136e000...39.dll

windows7_x64

10

185136e000...39.dll

windows10-2004_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-04-2022 16:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    185136e00027380a18296643ebd7215ee9abe09c5226253b6cc37fe2faef2939.dll

  • Size

    884KB

  • MD5

    616512e689f5521ae81c623cdecc8a7d

  • SHA1

    5b1dd3be9bf23f930ada499f2d3a3ee18c42dc38

  • SHA256

    185136e00027380a18296643ebd7215ee9abe09c5226253b6cc37fe2faef2939

  • SHA512

    91999c6fe02316568a1ac4a69ae08b72558d2ee7c9bc286b7d06e7204785e2f21b939588001dc9a71f0039455b16b6d433bab020b73ebc9f3af2fb228125ed94

Score
8/10
evasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\185136e00027380a18296643ebd7215ee9abe09c5226253b6cc37fe2faef2939.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2556
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    1⤵
      PID:3144
    • C:\Users\Admin\AppData\Local\GJ1zV\SystemPropertiesProtection.exe
      C:\Users\Admin\AppData\Local\GJ1zV\SystemPropertiesProtection.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3100
    • C:\Windows\system32\rdpshell.exe
      C:\Windows\system32\rdpshell.exe
      1⤵
        PID:4316
      • C:\Users\Admin\AppData\Local\HMK38N\rdpshell.exe
        C:\Users\Admin\AppData\Local\HMK38N\rdpshell.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3948
      • C:\Windows\system32\Narrator.exe
        C:\Windows\system32\Narrator.exe
        1⤵
          PID:4752
        • C:\Users\Admin\AppData\Local\ro7k9uE\Narrator.exe
          C:\Users\Admin\AppData\Local\ro7k9uE\Narrator.exe
          1⤵
          • Executes dropped EXE
          PID:3780
        • C:\Windows\system32\DevicePairingWizard.exe
          C:\Windows\system32\DevicePairingWizard.exe
          1⤵
            PID:3640
          • C:\Users\Admin\AppData\Local\xeBfuX\DevicePairingWizard.exe
            C:\Users\Admin\AppData\Local\xeBfuX\DevicePairingWizard.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4832

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\GJ1zV\SYSDM.CPL
            Filesize

            885KB

            MD5

            4e1b97cd8ebd39084c94416efd3fdc53

            SHA1

            5b253cd3ed6a4baf907983e6c660942883767a37

            SHA256

            f7db1310b64878357284e49341d29e42be29151a30987fead64980f8b6e883eb

            SHA512

            8694183bfe10e2759a15ffe4b9fb64e59acbae848fa2903a0dc0144a66785596576cdaf43d39ffa55be3976027e1dfa744847a2e4b9c5f88fb9d72e1d39969d5

            Download Submit
          • C:\Users\Admin\AppData\Local\GJ1zV\SYSDM.CPL
            Filesize

            885KB

            MD5

            4e1b97cd8ebd39084c94416efd3fdc53

            SHA1

            5b253cd3ed6a4baf907983e6c660942883767a37

            SHA256

            f7db1310b64878357284e49341d29e42be29151a30987fead64980f8b6e883eb

            SHA512

            8694183bfe10e2759a15ffe4b9fb64e59acbae848fa2903a0dc0144a66785596576cdaf43d39ffa55be3976027e1dfa744847a2e4b9c5f88fb9d72e1d39969d5

            Download Submit
          • C:\Users\Admin\AppData\Local\GJ1zV\SystemPropertiesProtection.exe
            Filesize

            82KB

            MD5

            26640d2d4fa912fc9a354ef6cfe500ff

            SHA1

            a343fd82659ce2d8de3beb587088867cf2ab8857

            SHA256

            a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

            SHA512

            26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

            Download Submit
          • C:\Users\Admin\AppData\Local\HMK38N\WINSTA.dll
            Filesize

            891KB

            MD5

            1ba82ea823645feb0cd08d8d3b59a548

            SHA1

            3529f8d084d3c1e5866a2f9976c9f1dfc2e78baa

            SHA256

            65e84d95ac3ab757e2ca1df47375f36818c1e225e8c2f8687504888e8759c1ba

            SHA512

            6f1b68146ea6a59758dc7e16237e8d33568a952f2b53c42b3044c9445142ff5cded65c50e8cb03cc6af59e9610145508937ddc808a62f47003d0acd32f50a077

            Download Submit
          • C:\Users\Admin\AppData\Local\HMK38N\WINSTA.dll
            Filesize

            891KB

            MD5

            1ba82ea823645feb0cd08d8d3b59a548

            SHA1

            3529f8d084d3c1e5866a2f9976c9f1dfc2e78baa

            SHA256

            65e84d95ac3ab757e2ca1df47375f36818c1e225e8c2f8687504888e8759c1ba

            SHA512

            6f1b68146ea6a59758dc7e16237e8d33568a952f2b53c42b3044c9445142ff5cded65c50e8cb03cc6af59e9610145508937ddc808a62f47003d0acd32f50a077

            Download Submit
          • C:\Users\Admin\AppData\Local\HMK38N\rdpshell.exe
            Filesize

            468KB

            MD5

            428066713f225bb8431340fa670671d4

            SHA1

            47f6878ff33317c3fc09c494df729a463bda174c

            SHA256

            da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

            SHA512

            292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

            Download Submit
          • C:\Users\Admin\AppData\Local\ro7k9uE\Narrator.exe
            Filesize

            521KB

            MD5

            d92defaa4d346278480d2780325d8d18

            SHA1

            6494d55b2e5064ffe8add579edfcd13c3e69fffe

            SHA256

            69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

            SHA512

            b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

            Download Submit
          • C:\Users\Admin\AppData\Local\xeBfuX\DevicePairingWizard.exe
            Filesize

            93KB

            MD5

            d0e40a5a0c7dad2d6e5040d7fbc37533

            SHA1

            b0eabbd37a97a1abcd90bd56394f5c45585699eb

            SHA256

            2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

            SHA512

            1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

            Download Submit
          • C:\Users\Admin\AppData\Local\xeBfuX\MFC42u.dll
            Filesize

            912KB

            MD5

            1543260ead8b43b6e4421c5ddc6fdb23

            SHA1

            ea55490903fe4f487bec6b388f7c8948e6aeff59

            SHA256

            941921f183ea3f136393a23928ce2a34429bcc8cf857b9a200bf747fb2b668cc

            SHA512

            31c38c3dee47a1be90311ec12b2c2b2b99b64f275ee0b31af19e56554af017a3659ec00ef772f0bda57f640788722c638ea61e42dd9c9d8b993ea84fdd1529f1

            Download Submit
          • C:\Users\Admin\AppData\Local\xeBfuX\MFC42u.dll
            Filesize

            912KB

            MD5

            1543260ead8b43b6e4421c5ddc6fdb23

            SHA1

            ea55490903fe4f487bec6b388f7c8948e6aeff59

            SHA256

            941921f183ea3f136393a23928ce2a34429bcc8cf857b9a200bf747fb2b668cc

            SHA512

            31c38c3dee47a1be90311ec12b2c2b2b99b64f275ee0b31af19e56554af017a3659ec00ef772f0bda57f640788722c638ea61e42dd9c9d8b993ea84fdd1529f1

            Download Submit
          • memory/2668-136-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-135-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-142-0x00007FF9D5210000-0x00007FF9D5220000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2668-130-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-140-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-139-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-138-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-132-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-137-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-131-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-141-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-134-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/2668-133-0x0000000140000000-0x00000001400E1000-memory.dmp
            Filesize

            900KB

            Download
          • memory/3100-143-0x0000000000000000-mapping.dmp
            Download
          • memory/3948-147-0x0000000000000000-mapping.dmp
            Download
          • memory/4832-152-0x0000000000000000-mapping.dmp
            Download