8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990

General

Target

8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe
Size

8KB
MD5

6f03c754931a34e29429bee1050cf1a0
SHA1

25552629c0a0b44988cd535587038798bd989511
SHA256

8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990
SHA512

c2d7b1a522710757abb069139411cffafd4ba4cdd562eedc644b447aab8dd82c8fc392a73fcd3ad2e62cf1b4e1e34a5a02f1f28c3f4f1a1291fd3ad7f320aa47
SSDEEP

96:D8EqkMWlhadkeA8OAZGU7sLo+xyT0WErn8HcL4iSAZVA8tkgmWxSeFHYLP5CY5oa:eWTHebOAUBxY0WLs4sZVV56LwOj8Y

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuditxwb\ImagePath = "\\??\\C:\\Windows\\Fonts\\wuditxwb.fon"	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1668	rundll32.exe
1668	rundll32.exe
1668	rundll32.exe
1668	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\wuditxwb.fon	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1960	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1668	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1876	1960	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe	28
PID 1960 wrote to memory of 1876	1960	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe	28
PID 1960 wrote to memory of 1876	1960	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe	28
PID 1960 wrote to memory of 1876	1960	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe	28
PID 1876 wrote to memory of 1668	1876	cmd.exe	30
PID 1876 wrote to memory of 1668	1876	cmd.exe	30
PID 1876 wrote to memory of 1668	1876	cmd.exe	30
PID 1876 wrote to memory of 1668	1876	cmd.exe	30
PID 1876 wrote to memory of 1668	1876	cmd.exe	30
PID 1876 wrote to memory of 1668	1876	cmd.exe	30
PID 1876 wrote to memory of 1668	1876	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe
"C:\Users\Admin\AppData\Local\Temp\8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c rundll32 Runt.dll,RundllTest
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 Runt.dll,RundllTest
    3⤵
    - Sets service image path in registry
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: LoadsDriver
    PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Runt.dll

Filesize
7KB

MD5
8ce6c6f454393ea89e39cab77fe3fe01

SHA1
07d8e6cd407620624b62a7b5bca16950b855f4b7

SHA256
ccbf96e37a5736dd48ce093681425410259725c9c9619b5efc8571093aa3bedb

SHA512
ab1a92dbd81dcdea142d0d2e3a4fef7f17aa760ad32edc3a823918e13d29b079dd5eca45f63001f2ec1427d9358bae2884a94004539ce42da69bebc252d00caa

Download Submit
\Users\Admin\AppData\Local\Temp\Runt.dll

Filesize
7KB

MD5
8ce6c6f454393ea89e39cab77fe3fe01

SHA1
07d8e6cd407620624b62a7b5bca16950b855f4b7

SHA256
ccbf96e37a5736dd48ce093681425410259725c9c9619b5efc8571093aa3bedb

SHA512
ab1a92dbd81dcdea142d0d2e3a4fef7f17aa760ad32edc3a823918e13d29b079dd5eca45f63001f2ec1427d9358bae2884a94004539ce42da69bebc252d00caa

Download Submit
\Users\Admin\AppData\Local\Temp\Runt.dll

Filesize
7KB

MD5
8ce6c6f454393ea89e39cab77fe3fe01

SHA1
07d8e6cd407620624b62a7b5bca16950b855f4b7

SHA256
ccbf96e37a5736dd48ce093681425410259725c9c9619b5efc8571093aa3bedb

SHA512
ab1a92dbd81dcdea142d0d2e3a4fef7f17aa760ad32edc3a823918e13d29b079dd5eca45f63001f2ec1427d9358bae2884a94004539ce42da69bebc252d00caa

Download Submit
\Users\Admin\AppData\Local\Temp\Runt.dll

Filesize
7KB

MD5
8ce6c6f454393ea89e39cab77fe3fe01

SHA1
07d8e6cd407620624b62a7b5bca16950b855f4b7

SHA256
ccbf96e37a5736dd48ce093681425410259725c9c9619b5efc8571093aa3bedb

SHA512
ab1a92dbd81dcdea142d0d2e3a4fef7f17aa760ad32edc3a823918e13d29b079dd5eca45f63001f2ec1427d9358bae2884a94004539ce42da69bebc252d00caa

Download Submit
\Users\Admin\AppData\Local\Temp\Runt.dll

Filesize
7KB

MD5
8ce6c6f454393ea89e39cab77fe3fe01

SHA1
07d8e6cd407620624b62a7b5bca16950b855f4b7

SHA256
ccbf96e37a5736dd48ce093681425410259725c9c9619b5efc8571093aa3bedb

SHA512
ab1a92dbd81dcdea142d0d2e3a4fef7f17aa760ad32edc3a823918e13d29b079dd5eca45f63001f2ec1427d9358bae2884a94004539ce42da69bebc252d00caa

Download Submit
memory/1668-56-0x0000000000000000-mapping.dmp

Download
memory/1668-57-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1668-63-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/1876-55-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000013140000-0x0000000013143000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing