304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe
Size

60KB
MD5

22b6b1eb07f7be76bac65fb6d2cb6c40
SHA1

ead15328c1780be5feda82616787a02258267ec9
SHA256

304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c
SHA512

97139a0151356896f293eb9c9d7533d7c0242b5029fbc023e6eee7bb99a01723b1de7598afff39f20d28bc53be39d7ac89d4ce8f9f2f0b544ca2287c34044db1
SSDEEP

1536:XFU0F9iVZS1b+SgPrzesqGUOasxywcE0/dgY4A++mrDZJk1:VFdRiTqGkskwt01gK++4k1

Score

8^/10

persistence upx

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
31	4408	rundll32.exe
45	4408	rundll32.exe
49	4408	rundll32.exe
57	4408	rundll32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2428-132-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2428-133-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2428-136-0x0000000010000000-0x0000000010019000-memory.dmp	upx
behavioral2/memory/2428-135-0x0000000010000000-0x0000000010019000-memory.dmp	upx
behavioral2/memory/2428-137-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2428-139-0x0000000010000000-0x0000000010019000-memory.dmp	upx
behavioral2/memory/4408-150-0x0000000010000000-0x0000000010019000-memory.dmp	upx
behavioral2/memory/4408-153-0x0000000010000000-0x0000000010019000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe
4408	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\qoMffGvw.dll,#1"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qoMffGvw.dll	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe
File created	C:\Windows\SysWOW64\qoMffGvw.dll	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe
File created	C:\Windows\SysWOW64\rqRhIyVM.dll	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\qoMffGvw.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe
2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe
4408	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 604	2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe	3
PID 2428 wrote to memory of 4408	2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe	91
PID 2428 wrote to memory of 4408	2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe	91
PID 2428 wrote to memory of 4408	2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe	91
PID 2428 wrote to memory of 3524	2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe	92
PID 2428 wrote to memory of 3524	2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe	92
PID 2428 wrote to memory of 3524	2428	304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe	92
PID 4408 wrote to memory of 1492	4408	rundll32.exe	98
PID 4408 wrote to memory of 1492	4408	rundll32.exe	98
PID 4408 wrote to memory of 1492	4408	rundll32.exe	98

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe
"C:\Users\Admin\AppData\Local\Temp\304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\qoMffGvw.dll,a
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\rqRhIyVM.dll",s
    3⤵
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvUkLEtR.bat "C:\Users\Admin\AppData\Local\Temp\304826154b41df5bfcf7caf8a34fcfe6ec8ae4db95ebc20d7a0941f0b17f0e4c.exe"
  2⤵
  PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wvUkLEtR.bat

Filesize
71B

MD5
c5d7307c02e1301668df7a70d129dc88

SHA1
b35e17a3aa95da866e3a9a763ed3dc3a4b69e542

SHA256
912a9d5a944ed66fa327989f53640afa96f1e2661f88810b854a09c1f7d50624

SHA512
e772a9277788d2fc683ad37034449248d4b174ea6061418224e657c7db287e37af999b5eb35cc1d2d342c799a8c07613edccacd0a999bbde7253226749d79eb2

Download Submit
C:\Windows\SysWOW64\qoMffGvw.dll

Filesize
39KB

MD5
02e7b8e72df82cbbf9d2b71504734054

SHA1
0e206fd68a873d62854275d39785161b441a4522

SHA256
3d78a99a4106b8851dc242f332d42ffb593c21b15f74bbfdaeaedbd8b496fc40

SHA512
2832c6b3bd9b8ced6325332b058da52d82a5f4f9a0e8979177214481d1d75bdc5a995b361aff6870b0832a4c3f94555f9d1ab7cbe01ecde8987d3b83c2202535

Download Submit
C:\Windows\SysWOW64\qoMffGvw.dll

Filesize
39KB

MD5
02e7b8e72df82cbbf9d2b71504734054

SHA1
0e206fd68a873d62854275d39785161b441a4522

SHA256
3d78a99a4106b8851dc242f332d42ffb593c21b15f74bbfdaeaedbd8b496fc40

SHA512
2832c6b3bd9b8ced6325332b058da52d82a5f4f9a0e8979177214481d1d75bdc5a995b361aff6870b0832a4c3f94555f9d1ab7cbe01ecde8987d3b83c2202535

Download Submit
C:\Windows\SysWOW64\qoMffGvw.dll

Filesize
39KB

MD5
02e7b8e72df82cbbf9d2b71504734054

SHA1
0e206fd68a873d62854275d39785161b441a4522

SHA256
3d78a99a4106b8851dc242f332d42ffb593c21b15f74bbfdaeaedbd8b496fc40

SHA512
2832c6b3bd9b8ced6325332b058da52d82a5f4f9a0e8979177214481d1d75bdc5a995b361aff6870b0832a4c3f94555f9d1ab7cbe01ecde8987d3b83c2202535

Download Submit
C:\Windows\SysWOW64\rqRhIyVM.dll

Filesize
41KB

MD5
621120126cf49e99005181a1fca3c181

SHA1
71ccd0a7e1f70e1734d37cb060ab1a07e8371542

SHA256
2a0b9f5e9572dda20b3000960abb57d97ee7d4c5718a70bc3856f645956244f6

SHA512
c5c9b8592a9975858aaf17d16f5263fcf90fc84d8f2fe1b42cf76b38aeb9ad5a750bc97b618664a991cba7a1efc3bda18bff688b7cdf0fe9561ba7bd3a526197

Download Submit
memory/2428-138-0x0000000002010000-0x000000000201D000-memory.dmp

Filesize
52KB

Download
memory/2428-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2428-140-0x0000000002A30000-0x0000000002A37000-memory.dmp

Filesize
28KB

Download
memory/2428-141-0x0000000002010000-0x000000000201D000-memory.dmp

Filesize
52KB

Download
memory/2428-142-0x0000000002A30000-0x0000000002A37000-memory.dmp

Filesize
28KB

Download
memory/2428-133-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2428-136-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2428-139-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2428-132-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2428-135-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4408-150-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4408-151-0x0000000000860000-0x0000000000867000-memory.dmp

Filesize
28KB

Download
memory/4408-152-0x0000000000860000-0x0000000000867000-memory.dmp

Filesize
28KB

Download
memory/4408-153-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download