f57dc67ec5cb3f8eb9893b1dd5d05b90fd6f1620dc7d24a0aa7f5df23e184491

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f57dc67ec5cb3f8eb9893b1dd5d05b90fd6f1620dc7d24a0aa7f5df23e184491.dll
Size

268KB
MD5

66522c0bf39a253ac3f0d13c56feee7d
SHA1

bc56b1fad8c3f41a3531ace2eeb63c5b8a19ce1f
SHA256

f57dc67ec5cb3f8eb9893b1dd5d05b90fd6f1620dc7d24a0aa7f5df23e184491
SHA512

0316eafc4ef5e3b5f713b239ddef7f8624fe0f15c372678899cf4cef0029b01bea3eca5ed8df908aab63580e069068fc49952d7563056ec608505dda0b1fcac1
SSDEEP

6144:5VwHIZIW+Y0K6TzQYr1oSR4l4Nia4o8xN:QHZW+Y0K64N4Aa+

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vhayakoh = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\f57dc67ec5cb3f8eb9893b1dd5d05b90fd6f1620dc7d24a0aa7f5df23e184491.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1284	rundll32.exe
1284	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1284	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1284	372	rundll32.exe	84
PID 372 wrote to memory of 1284	372	rundll32.exe	84
PID 372 wrote to memory of 1284	372	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f57dc67ec5cb3f8eb9893b1dd5d05b90fd6f1620dc7d24a0aa7f5df23e184491.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f57dc67ec5cb3f8eb9893b1dd5d05b90fd6f1620dc7d24a0aa7f5df23e184491.dll,#1
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-136-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/1284-139-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

Filesize
1024KB

Download
memory/1284-140-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

Filesize
1024KB

Download