5d24aa6e0c58f55f3c46731508bb13dd6b3f27afb356f1046bbc5f5440c25c79

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 12:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d24aa6e0c58f55f3c46731508bb13dd6b3f27afb356f1046bbc5f5440c25c79.dll
Size

236KB
MD5

05c96b781a402c89f6ad4aec20f8fa20
SHA1

12cdc2ab2401afd8f459d30bb2cc1200ba108ade
SHA256

5d24aa6e0c58f55f3c46731508bb13dd6b3f27afb356f1046bbc5f5440c25c79
SHA512

d34b07eff2a5d8c26becfa446fba479fcdcc1f0ed96ab7648ff6873b4ba90d5e8021d6db1988a8acee7c3997221f8d4112f496fdb104853d70d5c2955c000ad5
SSDEEP

3072:SeqmgHwlaazN9U3J+P0wFp+bLrt2wkkIo:+Qj9U3jwO3rt5D

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\livbnde = "{d6515584-5ed9-a32e-6fea-5ed9dd0cb1bf}"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4324	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yvioaqr.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\yvioaqr.dll	rundll32.exe
File created	C:\Windows\SysWOW64\gdqwiyz.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\gdqwiyz.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d6515584-5ed9-a32e-6fea-5ed9dd0cb1bf}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d6515584-5ed9-a32e-6fea-5ed9dd0cb1bf}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d6515584-5ed9-a32e-6fea-5ed9dd0cb1bf}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d6515584-5ed9-a32e-6fea-5ed9dd0cb1bf}\InprocServer32\ = "C:\\Windows\\SysWow64\\gdqwiyz.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d6515584-5ed9-a32e-6fea-5ed9dd0cb1bf}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4324	rundll32.exe
4324	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4324	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4324	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4324	1476	rundll32.exe	79
PID 1476 wrote to memory of 4324	1476	rundll32.exe	79
PID 1476 wrote to memory of 4324	1476	rundll32.exe	79

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d24aa6e0c58f55f3c46731508bb13dd6b3f27afb356f1046bbc5f5440c25c79.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d24aa6e0c58f55f3c46731508bb13dd6b3f27afb356f1046bbc5f5440c25c79.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4324

Network

No results found

72.21.91.29:80

46 B
40 B
1
1
172.67.158.132:80

46 B
40 B
1
1
20.189.173.10:443

322 B
7
8.253.208.113:80

322 B
7
8.253.208.113:80

322 B
7
209.197.3.8:80

322 B
7
204.79.197.200:443

40 B
1
40.126.31.71:443

40 B
1

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\yvioaqr.dll

Filesize
478KB

MD5
e99416267b61f52fa5ab994019efd359

SHA1
86d31eae707db7fe51d2556394fcf0e8e9f6b0fd

SHA256
768c286674371564b5e6095edb56e0a4231f341be895da69cfccca5160029774

SHA512
0a1c7579a9c787c2c1bef35f0660e72e74b42824e14ebea63b87ed25ddaf107e3746567bb431cab41a2f6719fad2c22d96e0715a1fe085d75805d7d66f7f05ae

Download Submit
memory/4324-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4324-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download