8e949e29263b03068494c7575186800b415eee20a12ebbbbf42d25f3d5f07c17

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 02:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e949e29263b03068494c7575186800b415eee20a12ebbbbf42d25f3d5f07c17.dll
Size

220KB
MD5

6314ee24ce37b1b58a5cc56d2db97a82
SHA1

68cdcdce42415574c26fca8b85890107cd546623
SHA256

8e949e29263b03068494c7575186800b415eee20a12ebbbbf42d25f3d5f07c17
SHA512

c35871d10fbae39c8a68ffdfe0a2d95124220b935572347560c7bb2c14b6aebb85c82b57fdaaf260dc5bda1d20b097520ae68dc858682efd87d4189e34835156
SSDEEP

3072:992AyxWjzqTP74jLfJYlbPrLQE3Tv5LydpMjmhTAHQJHgu0ykMeYHzRyAl/JF:z2ZWjzeP7kGrVQjh8wJZ3hlzRyQxF

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\eeovuhtg\\mkgifkas.exe"	svchost.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
900	rundll32mgr.exe
592	epedhmcdkxuropwg.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mkgifkas.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mkgifkas.exe	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
1628	rundll32.exe
900	rundll32mgr.exe
900	rundll32mgr.exe
900	rundll32mgr.exe
900	rundll32mgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MkgIfkas = "C:\\Users\\Admin\\AppData\\Local\\eeovuhtg\\mkgifkas.exe"	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	900	rundll32mgr.exe
Token: SeDebugPrivilege	900	rundll32mgr.exe
Token: SeSecurityPrivilege	1032	svchost.exe
Token: SeSecurityPrivilege	780	svchost.exe
Token: SeDebugPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeSecurityPrivilege	592	epedhmcdkxuropwg.exe
Token: SeLoadDriverPrivilege	592	epedhmcdkxuropwg.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe
Token: SeBackupPrivilege	780	svchost.exe
Token: SeRestorePrivilege	780	svchost.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1628	1996	rundll32.exe	27
PID 1996 wrote to memory of 1628	1996	rundll32.exe	27
PID 1996 wrote to memory of 1628	1996	rundll32.exe	27
PID 1996 wrote to memory of 1628	1996	rundll32.exe	27
PID 1996 wrote to memory of 1628	1996	rundll32.exe	27
PID 1996 wrote to memory of 1628	1996	rundll32.exe	27
PID 1996 wrote to memory of 1628	1996	rundll32.exe	27
PID 1628 wrote to memory of 900	1628	rundll32.exe	28
PID 1628 wrote to memory of 900	1628	rundll32.exe	28
PID 1628 wrote to memory of 900	1628	rundll32.exe	28
PID 1628 wrote to memory of 900	1628	rundll32.exe	28
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 1032	900	rundll32mgr.exe	29
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 780	900	rundll32mgr.exe	30
PID 900 wrote to memory of 592	900	rundll32mgr.exe	31
PID 900 wrote to memory of 592	900	rundll32mgr.exe	31
PID 900 wrote to memory of 592	900	rundll32mgr.exe	31
PID 900 wrote to memory of 592	900	rundll32mgr.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e949e29263b03068494c7575186800b415eee20a12ebbbbf42d25f3d5f07c17.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e949e29263b03068494c7575186800b415eee20a12ebbbbf42d25f3d5f07c17.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\rundll32mgr.exe
    C:\Windows\SysWOW64\rundll32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1032
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks BIOS information in registry
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:780
  - - C:\Users\Admin\AppData\Local\Temp\epedhmcdkxuropwg.exe
      "C:\Users\Admin\AppData\Local\Temp\epedhmcdkxuropwg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\epedhmcdkxuropwg.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\epedhmcdkxuropwg.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
\Users\Admin\AppData\Local\Temp\epedhmcdkxuropwg.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
\Users\Admin\AppData\Local\Temp\epedhmcdkxuropwg.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
\Users\Admin\AppData\Local\Temp\epedhmcdkxuropwg.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
\Users\Admin\AppData\Local\Temp\epedhmcdkxuropwg.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
\Windows\SysWOW64\rundll32mgr.exe

Filesize
89KB

MD5
7a6cee0de2aad7a5f40d71b9d632c398

SHA1
f18b7dd8b5a652aa62f6b41aab49822fb6a02c46

SHA256
93b1dcf5146afe775640d930392805d96dc057844c6a0c89d0bb5fd2ca5d0dd3

SHA512
70facceddf8c8c8c4c081205ef6aa7b5dc583f29fa4dc5c2b3e10d0f82c94d13bf886fa07d1f14f771a74998e73c92a6c685c61cbc98a316fac4808c4634c8e3

Download Submit
memory/592-90-0x0000000000400000-0x0000000000432228-memory.dmp

Filesize
200KB

Download
memory/780-72-0x0000000020010000-0x0000000020024000-memory.dmp

Filesize
80KB

Download
memory/780-76-0x0000000020010000-0x0000000020024000-memory.dmp

Filesize
80KB

Download
memory/900-80-0x0000000000400000-0x0000000000432228-memory.dmp

Filesize
200KB

Download
memory/900-82-0x0000000002690000-0x00000000026C3000-memory.dmp

Filesize
204KB

Download
memory/1032-66-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1032-63-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1628-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-55-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download