10ecb5242bcd516a33c3fcbfd6f7c9b6237e4e9786e0e0c3923475621eb1e833

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10ecb5242bcd516a33c3fcbfd6f7c9b6237e4e9786e0e0c3923475621eb1e833.dll
Size

884KB
MD5

8127fafd69a7f4a1d9822e0a12d378a4
SHA1

a29bf5dd2b66d78e5561c9a994617b1c1ea38103
SHA256

10ecb5242bcd516a33c3fcbfd6f7c9b6237e4e9786e0e0c3923475621eb1e833
SHA512

5791c73c9f367e52d541bd05b58e4c930603173f3813724e29fcd26d0a94a2feb8749cc519c25cc43d0ee91b6ebe3d30f19ebb84e4289b35a132af912173c8a3

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exeprintfilterpipelinesvc.exeiexpress.exe

pid process

3668 ApplySettingsTemplateCatalog.exe
3480 printfilterpipelinesvc.exe
3304 iexpress.exe
Loads dropped DLL 4 IoCs

Processes:

ApplySettingsTemplateCatalog.exeprintfilterpipelinesvc.exeiexpress.exe

pid process

3668 ApplySettingsTemplateCatalog.exe
3480 printfilterpipelinesvc.exe
3480 printfilterpipelinesvc.exe
3304 iexpress.exe

pid	process
3668	ApplySettingsTemplateCatalog.exe
3480	printfilterpipelinesvc.exe
3304	iexpress.exe

pid	process
3668	ApplySettingsTemplateCatalog.exe
3480	printfilterpipelinesvc.exe
3480	printfilterpipelinesvc.exe
3304	iexpress.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozskmmhgssfnvj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\eh4de2G4\\printfilterpipelinesvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeApplySettingsTemplateCatalog.exeprintfilterpipelinesvc.exeiexpress.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4896	rundll32.exe
4896	rundll32.exe
4896	rundll32.exe
4896	rundll32.exe
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628
2628

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2628

pid	process
2628

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2628 wrote to memory of 472	2628	ApplySettingsTemplateCatalog.exe
PID 2628 wrote to memory of 472	2628	ApplySettingsTemplateCatalog.exe
PID 2628 wrote to memory of 3668	2628	ApplySettingsTemplateCatalog.exe
PID 2628 wrote to memory of 3668	2628	ApplySettingsTemplateCatalog.exe
PID 2628 wrote to memory of 5004	2628	printfilterpipelinesvc.exe
PID 2628 wrote to memory of 5004	2628	printfilterpipelinesvc.exe
PID 2628 wrote to memory of 3480	2628	printfilterpipelinesvc.exe
PID 2628 wrote to memory of 3480	2628	printfilterpipelinesvc.exe
PID 2628 wrote to memory of 2184	2628	iexpress.exe
PID 2628 wrote to memory of 2184	2628	iexpress.exe
PID 2628 wrote to memory of 3304	2628	iexpress.exe
PID 2628 wrote to memory of 3304	2628	iexpress.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10ecb5242bcd516a33c3fcbfd6f7c9b6237e4e9786e0e0c3923475621eb1e833.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:472

C:\Users\Admin\AppData\Local\i9a6xiE4M\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\i9a6xiE4M\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3668

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:5004

C:\Users\Admin\AppData\Local\4DYUNZ\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\4DYUNZ\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3480

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2184

C:\Users\Admin\AppData\Local\p0vQK5qnl\iexpress.exe
C:\Users\Admin\AppData\Local\p0vQK5qnl\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4DYUNZ\XmlLite.dll
Filesize
885KB

MD5
0345ea5469c22284c5d35c3933cbc754

SHA1
13a67622ab793ad8d14d5238a34cf5900fe16455

SHA256
eb1e43ba040a992236ce142e2c60bd0a7108f7133ac78febddd6590d62fb8589

SHA512
2f64bc9de65bad5122ebaa59673df189aefcfaf22a318e4ea0c7cbcfdedfe35ebe4ee1b559fedcadf5be7dd72a4b3afbfc0d9450fe8726b70b709ca1ea0894d3

Download Submit
C:\Users\Admin\AppData\Local\4DYUNZ\XmlLite.dll
Filesize
885KB

MD5
0345ea5469c22284c5d35c3933cbc754

SHA1
13a67622ab793ad8d14d5238a34cf5900fe16455

SHA256
eb1e43ba040a992236ce142e2c60bd0a7108f7133ac78febddd6590d62fb8589

SHA512
2f64bc9de65bad5122ebaa59673df189aefcfaf22a318e4ea0c7cbcfdedfe35ebe4ee1b559fedcadf5be7dd72a4b3afbfc0d9450fe8726b70b709ca1ea0894d3

Download Submit
C:\Users\Admin\AppData\Local\4DYUNZ\XmlLite.dll
Filesize
885KB

MD5
0345ea5469c22284c5d35c3933cbc754

SHA1
13a67622ab793ad8d14d5238a34cf5900fe16455

SHA256
eb1e43ba040a992236ce142e2c60bd0a7108f7133ac78febddd6590d62fb8589

SHA512
2f64bc9de65bad5122ebaa59673df189aefcfaf22a318e4ea0c7cbcfdedfe35ebe4ee1b559fedcadf5be7dd72a4b3afbfc0d9450fe8726b70b709ca1ea0894d3

Download Submit
C:\Users\Admin\AppData\Local\4DYUNZ\printfilterpipelinesvc.exe
Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\i9a6xiE4M\ACTIVEDS.dll
Filesize
886KB

MD5
f7604c9d98165f465f5597e93dfac4aa

SHA1
4de40dc9b152109664cc2d0e8e7ba3e96dfbc809

SHA256
c980249791a36e6eacda872b8b97fcb8517667f498ca78982e9520d06d0cb0fd

SHA512
b78c1cc76ecdbaae8d7b1323077c51b779905865b66b5500d491df8cb49413da55f6e9d389d8a071c085bce6b854b61f66fd6baf5f73f43ed075ffc001057b76

Download Submit
C:\Users\Admin\AppData\Local\i9a6xiE4M\ACTIVEDS.dll
Filesize
886KB

MD5
f7604c9d98165f465f5597e93dfac4aa

SHA1
4de40dc9b152109664cc2d0e8e7ba3e96dfbc809

SHA256
c980249791a36e6eacda872b8b97fcb8517667f498ca78982e9520d06d0cb0fd

SHA512
b78c1cc76ecdbaae8d7b1323077c51b779905865b66b5500d491df8cb49413da55f6e9d389d8a071c085bce6b854b61f66fd6baf5f73f43ed075ffc001057b76

Download Submit
C:\Users\Admin\AppData\Local\i9a6xiE4M\ApplySettingsTemplateCatalog.exe
Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Local\p0vQK5qnl\VERSION.dll
Filesize
886KB

MD5
0c044474b257f1e78690a9fef356e820

SHA1
5f16080d98834a87660e02263c285a5abff83722

SHA256
625a2ec10456e33c95796d0a41cd8089d5cee11ee58f10b6006ca9aa1aa2cbdc

SHA512
e20b0d0a6d2707d4434129036aea6f6ca94fb9c490183b3eb341f2c80a743021e13a3a946994df7e66f069051a95e47581a1a85e52abd8aa4213fd2fb2e255b8

Download Submit
C:\Users\Admin\AppData\Local\p0vQK5qnl\VERSION.dll
Filesize
886KB

MD5
0c044474b257f1e78690a9fef356e820

SHA1
5f16080d98834a87660e02263c285a5abff83722

SHA256
625a2ec10456e33c95796d0a41cd8089d5cee11ee58f10b6006ca9aa1aa2cbdc

SHA512
e20b0d0a6d2707d4434129036aea6f6ca94fb9c490183b3eb341f2c80a743021e13a3a946994df7e66f069051a95e47581a1a85e52abd8aa4213fd2fb2e255b8

Download Submit
C:\Users\Admin\AppData\Local\p0vQK5qnl\iexpress.exe
Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
memory/2628-136-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-135-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-142-0x00007FFB28A30000-0x00007FFB28A40000-memory.dmp

Filesize
64KB

Download
memory/2628-131-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-138-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-140-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-139-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-133-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-137-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-130-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-141-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-134-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2628-132-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3304-152-0x0000000000000000-mapping.dmp

Download
memory/3480-147-0x0000000000000000-mapping.dmp

Download
memory/3668-143-0x0000000000000000-mapping.dmp

Download