ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79

Analysis

max time kernel
165s
max time network
190s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe
Size

79KB
MD5

32c2e619a7600227ceab5048118d51c2
SHA1

5c4c76855f9c8eda78a6e0009ee090f94d7721ac
SHA256

ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79
SHA512

76c1a7e852ac0bfa24c7c03cb29ecb546856cb2687b0584fda925344761e03d8d50110dfaecfa19848cf01f886b5cafa062eff615bb4ec584c0e2d541bf4e87a
SSDEEP

1536:DOC8kXwuCz+3gSKkygWB5BsbH7nPLn0mp57ruxcYQmoMTCH:D78/u1QNkygegbHbPLXp5+xcYQ/MWH

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe
1644 rundll32.exe
1644 rundll32.exe
1644 rundll32.exe
1644 rundll32.exe

pid	process
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1644	rundll32.exe
1644	rundll32.exe
1644	rundll32.exe
1644	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fyaloducexuc = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\utic1026.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exe

pid process

1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe

pid	process
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exerundll32.exe

description	pid	process	target process
PID 1520 wrote to memory of 1364	1520	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 1520 wrote to memory of 1364	1520	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 1520 wrote to memory of 1364	1520	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 1520 wrote to memory of 1364	1520	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 1520 wrote to memory of 1364	1520	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 1520 wrote to memory of 1364	1520	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 1520 wrote to memory of 1364	1520	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 1364 wrote to memory of 1644	1364	rundll32.exe	rundll32.exe
PID 1364 wrote to memory of 1644	1364	rundll32.exe	rundll32.exe
PID 1364 wrote to memory of 1644	1364	rundll32.exe	rundll32.exe
PID 1364 wrote to memory of 1644	1364	rundll32.exe	rundll32.exe
PID 1364 wrote to memory of 1644	1364	rundll32.exe	rundll32.exe
PID 1364 wrote to memory of 1644	1364	rundll32.exe	rundll32.exe
PID 1364 wrote to memory of 1644	1364	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe
"C:\Users\Admin\AppData\Local\Temp\ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\utic1026.dll",Startup
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\utic1026.dll",iep
3⤵
- Loads dropped DLL
PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\utic1026.dll

Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
\Users\Admin\AppData\Local\utic1026.dll

Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
\Users\Admin\AppData\Local\utic1026.dll

Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
\Users\Admin\AppData\Local\utic1026.dll

Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
\Users\Admin\AppData\Local\utic1026.dll

Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
\Users\Admin\AppData\Local\utic1026.dll

Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
\Users\Admin\AppData\Local\utic1026.dll

Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
\Users\Admin\AppData\Local\utic1026.dll

Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
\Users\Admin\AppData\Local\utic1026.dll

Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
memory/1364-59-0x0000000000000000-mapping.dmp

Download
memory/1364-66-0x0000000010001000-0x000000001000D000-memory.dmp

Filesize
48KB

Download
memory/1364-67-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1364-70-0x00000000003F1000-0x00000000003FE000-memory.dmp

Filesize
52KB

Download
memory/1520-54-0x0000000076301000-0x0000000076303000-memory.dmp

Filesize
8KB

Download
memory/1520-58-0x0000000001E31000-0x0000000001E3E000-memory.dmp

Filesize
52KB

Download
memory/1520-56-0x0000000010001000-0x000000001000D000-memory.dmp

Filesize
48KB

Download
memory/1520-55-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1644-71-0x0000000000000000-mapping.dmp

Download
memory/1644-81-0x00000000023A1000-0x00000000023AE000-memory.dmp

Filesize
52KB

Download