0286969cdb7ce42abbe23b2d73e74e0eba8a0bc0876ed6a843b74674b14d7569

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0286969cdb7ce42abbe23b2d73e74e0eba8a0bc0876ed6a843b74674b14d7569.exe
Size

48KB
MD5

02c461db71de6795e142e56087f33386
SHA1

b9fc0c50ea9b90296a9b1e185d3538175e9243b0
SHA256

0286969cdb7ce42abbe23b2d73e74e0eba8a0bc0876ed6a843b74674b14d7569
SHA512

db6bf12bc40bd51066e396665c88f0dd469db67f109ad65fa722a9c5b4beebe3baeadac904ceb0702a786d4df5a6dd5b7cd1e15e0869379b227df8262a612a5c
SSDEEP

768:aeyatZjFvcjklzqC+Vo3VIjrFKqQqltSH5fnjruU1OBuwcjwT1z:aFatZZvcg9q/oF6KYtyRZcUq

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4324	rundll32.exe
4180	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fqazepi = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\m6Cokmb.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe
4324	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4324	3628	0286969cdb7ce42abbe23b2d73e74e0eba8a0bc0876ed6a843b74674b14d7569.exe	80
PID 3628 wrote to memory of 4324	3628	0286969cdb7ce42abbe23b2d73e74e0eba8a0bc0876ed6a843b74674b14d7569.exe	80
PID 3628 wrote to memory of 4324	3628	0286969cdb7ce42abbe23b2d73e74e0eba8a0bc0876ed6a843b74674b14d7569.exe	80
PID 4324 wrote to memory of 4180	4324	rundll32.exe	82
PID 4324 wrote to memory of 4180	4324	rundll32.exe	82
PID 4324 wrote to memory of 4180	4324	rundll32.exe	82

C:\Users\Admin\AppData\Local\Temp\0286969cdb7ce42abbe23b2d73e74e0eba8a0bc0876ed6a843b74674b14d7569.exe
"C:\Users\Admin\AppData\Local\Temp\0286969cdb7ce42abbe23b2d73e74e0eba8a0bc0876ed6a843b74674b14d7569.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\m6Cokmb.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\m6Cokmb.dll",iep
    3⤵
    - Loads dropped DLL
    PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\m6Cokmb.dll

Filesize
48KB

MD5
bf012da98d5202c0addcab5876337913

SHA1
6ae8c6fdcd608e540bab96f676fca3bd8153ffcc

SHA256
571814b139d7bbf86d14feaf0b684c5140a685597cddb0a6d73aa0cf6ef42bf6

SHA512
0c35f2a6f3bb036590520b8f31001a2ee041dde15f0ba8988cf7bdce411291929e6c009c6d287ab8d2420ddc84e0f641e3f79bc3c21e71d28027acd78f790454

Download Submit
C:\Users\Admin\AppData\Local\m6Cokmb.dll

Filesize
48KB

MD5
bf012da98d5202c0addcab5876337913

SHA1
6ae8c6fdcd608e540bab96f676fca3bd8153ffcc

SHA256
571814b139d7bbf86d14feaf0b684c5140a685597cddb0a6d73aa0cf6ef42bf6

SHA512
0c35f2a6f3bb036590520b8f31001a2ee041dde15f0ba8988cf7bdce411291929e6c009c6d287ab8d2420ddc84e0f641e3f79bc3c21e71d28027acd78f790454

Download Submit
C:\Users\Admin\AppData\Local\m6Cokmb.dll

Filesize
48KB

MD5
bf012da98d5202c0addcab5876337913

SHA1
6ae8c6fdcd608e540bab96f676fca3bd8153ffcc

SHA256
571814b139d7bbf86d14feaf0b684c5140a685597cddb0a6d73aa0cf6ef42bf6

SHA512
0c35f2a6f3bb036590520b8f31001a2ee041dde15f0ba8988cf7bdce411291929e6c009c6d287ab8d2420ddc84e0f641e3f79bc3c21e71d28027acd78f790454

Download Submit
memory/3628-135-0x0000000010001000-0x000000001000A000-memory.dmp

Filesize
36KB

Download
memory/3628-136-0x00000000021F1000-0x00000000021FF000-memory.dmp

Filesize
56KB

Download
memory/3628-132-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/3628-134-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/3628-133-0x0000000010001000-0x000000001000A000-memory.dmp

Filesize
36KB

Download
memory/4180-144-0x0000000000000000-mapping.dmp

Download
memory/4180-149-0x0000000002961000-0x000000000296F000-memory.dmp

Filesize
56KB

Download
memory/4324-137-0x0000000000000000-mapping.dmp

Download
memory/4324-140-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4324-141-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/4324-143-0x0000000002521000-0x000000000252F000-memory.dmp

Filesize
56KB

Download