8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990

Analysis

max time kernel
145s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe
Size

8KB
MD5

6f03c754931a34e29429bee1050cf1a0
SHA1

25552629c0a0b44988cd535587038798bd989511
SHA256

8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990
SHA512

c2d7b1a522710757abb069139411cffafd4ba4cdd562eedc644b447aab8dd82c8fc392a73fcd3ad2e62cf1b4e1e34a5a02f1f28c3f4f1a1291fd3ad7f320aa47
SSDEEP

96:D8EqkMWlhadkeA8OAZGU7sLo+xyT0WErn8HcL4iSAZVA8tkgmWxSeFHYLP5CY5oa:eWTHebOAUBxY0WLs4sZVV56LwOj8Y

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuditxwb\ImagePath = "\\??\\C:\\Windows\\Fonts\\wuditxwb.fon"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4768	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\wuditxwb.fon	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
544	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe
544	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4768	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 2464	544	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe	82
PID 544 wrote to memory of 2464	544	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe	82
PID 544 wrote to memory of 2464	544	8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe	82
PID 2464 wrote to memory of 4768	2464	cmd.exe	84
PID 2464 wrote to memory of 4768	2464	cmd.exe	84
PID 2464 wrote to memory of 4768	2464	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe
"C:\Users\Admin\AppData\Local\Temp\8dfe65f00d67f6568faa438adfe903a8be82b4a3992a0cf7d7e07a2502047990.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c rundll32 Runt.dll,RundllTest
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 Runt.dll,RundllTest
    3⤵
    - Sets service image path in registry
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: LoadsDriver
    PID:4768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Runt.dll

Filesize
7KB

MD5
8ce6c6f454393ea89e39cab77fe3fe01

SHA1
07d8e6cd407620624b62a7b5bca16950b855f4b7

SHA256
ccbf96e37a5736dd48ce093681425410259725c9c9619b5efc8571093aa3bedb

SHA512
ab1a92dbd81dcdea142d0d2e3a4fef7f17aa760ad32edc3a823918e13d29b079dd5eca45f63001f2ec1427d9358bae2884a94004539ce42da69bebc252d00caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runt.dll

Filesize
7KB

MD5
8ce6c6f454393ea89e39cab77fe3fe01

SHA1
07d8e6cd407620624b62a7b5bca16950b855f4b7

SHA256
ccbf96e37a5736dd48ce093681425410259725c9c9619b5efc8571093aa3bedb

SHA512
ab1a92dbd81dcdea142d0d2e3a4fef7f17aa760ad32edc3a823918e13d29b079dd5eca45f63001f2ec1427d9358bae2884a94004539ce42da69bebc252d00caa

Download Submit
memory/544-132-0x0000000013140000-0x0000000013143000-memory.dmp

Filesize
12KB

Download
memory/4768-137-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download