51eae0cae9631c298edfd59acbe6b842944853662ad8dc0a32cf75ca35dd3f1e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51eae0cae9631c298edfd59acbe6b842944853662ad8dc0a32cf75ca35dd3f1e.dll
Size

34KB
MD5

33afde704785f95a5c617d84959d8f9c
SHA1

97927afdeffbcc5e076251d113d28b5a90c6afab
SHA256

51eae0cae9631c298edfd59acbe6b842944853662ad8dc0a32cf75ca35dd3f1e
SHA512

a52b1750b446b1f4641518c02df6ec23d052a39ae3093909973f85ae88d1cedb215e0d7565dbea780b55cf97feb5a56a68c7d42f905a34362a3e07c3b09b4602
SSDEEP

768:eiQQkZDTbBwI72tszyuwyrNJgYhyAM67Q5B6xqRv+N17kE7ukR:DQQkpXBwI72tszNwcMYsGqRa7ksuY

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
34	4488	rundll32.exe
36	4488	rundll32.exe
37	4488	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
424	rundll32.exe
424	rundll32.exe
4488	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\xxywUNGw.dll,#1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xxywUNGw.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\xxywUNGw.dll	rundll32.exe
File created	C:\Windows\SysWOW64\jkkLcyxy.dll	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\xxywUNGw.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
424	rundll32.exe
424	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
424	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	424	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
424	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 424	1000	rundll32.exe	78
PID 1000 wrote to memory of 424	1000	rundll32.exe	78
PID 1000 wrote to memory of 424	1000	rundll32.exe	78
PID 424 wrote to memory of 616	424	rundll32.exe	6
PID 424 wrote to memory of 4488	424	rundll32.exe	93
PID 424 wrote to memory of 4488	424	rundll32.exe	93
PID 424 wrote to memory of 4488	424	rundll32.exe	93
PID 4488 wrote to memory of 1688	4488	rundll32.exe	94
PID 4488 wrote to memory of 1688	4488	rundll32.exe	94
PID 4488 wrote to memory of 1688	4488	rundll32.exe	94

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\51eae0cae9631c298edfd59acbe6b842944853662ad8dc0a32cf75ca35dd3f1e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\51eae0cae9631c298edfd59acbe6b842944853662ad8dc0a32cf75ca35dd3f1e.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\xxywUNGw.dll,a
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\jkkLcyxy.dll",s
      4⤵
      PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\jkkLcyxy.dll

Filesize
42KB

MD5
2ac097740e9459ce6c4e852286b94d4d

SHA1
714719d81c64b37c65ef581b5610214552ddb5c3

SHA256
955a0ec3a56b2014a88b35372ec3fd92c848e65a1e11d15517ebd12e5f0cb3b3

SHA512
7f37fbf5f159e0cf0eaa8597d2be2ea2561b0da9b925e4efa0f5140f97f07ad8a2e3706d1a76d4ca1219298eaeccd269f9d941adbca4fd125754ff19faa15cc4

Download Submit
C:\Windows\SysWOW64\xxywUNGw.dll

Filesize
34KB

MD5
33afde704785f95a5c617d84959d8f9c

SHA1
97927afdeffbcc5e076251d113d28b5a90c6afab

SHA256
51eae0cae9631c298edfd59acbe6b842944853662ad8dc0a32cf75ca35dd3f1e

SHA512
a52b1750b446b1f4641518c02df6ec23d052a39ae3093909973f85ae88d1cedb215e0d7565dbea780b55cf97feb5a56a68c7d42f905a34362a3e07c3b09b4602

Download Submit
C:\Windows\SysWOW64\xxywUNGw.dll

Filesize
34KB

MD5
33afde704785f95a5c617d84959d8f9c

SHA1
97927afdeffbcc5e076251d113d28b5a90c6afab

SHA256
51eae0cae9631c298edfd59acbe6b842944853662ad8dc0a32cf75ca35dd3f1e

SHA512
a52b1750b446b1f4641518c02df6ec23d052a39ae3093909973f85ae88d1cedb215e0d7565dbea780b55cf97feb5a56a68c7d42f905a34362a3e07c3b09b4602

Download Submit
C:\Windows\SysWOW64\xxywUNGw.dll

Filesize
34KB

MD5
33afde704785f95a5c617d84959d8f9c

SHA1
97927afdeffbcc5e076251d113d28b5a90c6afab

SHA256
51eae0cae9631c298edfd59acbe6b842944853662ad8dc0a32cf75ca35dd3f1e

SHA512
a52b1750b446b1f4641518c02df6ec23d052a39ae3093909973f85ae88d1cedb215e0d7565dbea780b55cf97feb5a56a68c7d42f905a34362a3e07c3b09b4602

Download Submit
C:\Windows\SysWOW64\xxywUNGw.dll

Filesize
34KB

MD5
33afde704785f95a5c617d84959d8f9c

SHA1
97927afdeffbcc5e076251d113d28b5a90c6afab

SHA256
51eae0cae9631c298edfd59acbe6b842944853662ad8dc0a32cf75ca35dd3f1e

SHA512
a52b1750b446b1f4641518c02df6ec23d052a39ae3093909973f85ae88d1cedb215e0d7565dbea780b55cf97feb5a56a68c7d42f905a34362a3e07c3b09b4602

Download Submit
memory/424-136-0x0000000000F90000-0x0000000000F95000-memory.dmp

Filesize
20KB

Download
memory/424-137-0x0000000002940000-0x0000000002954000-memory.dmp

Filesize
80KB

Download
memory/424-139-0x0000000002930000-0x00000000029BD000-memory.dmp

Filesize
564KB

Download
memory/424-141-0x0000000002930000-0x00000000029BD000-memory.dmp

Filesize
564KB

Download
memory/424-140-0x0000000002930000-0x00000000029BD000-memory.dmp

Filesize
564KB

Download
memory/424-138-0x0000000002930000-0x00000000029BD000-memory.dmp

Filesize
564KB

Download
memory/424-135-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4488-145-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4488-146-0x0000000000EC0000-0x0000000000EC5000-memory.dmp

Filesize
20KB

Download