ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79

Analysis

max time kernel
187s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe
Size

79KB
MD5

32c2e619a7600227ceab5048118d51c2
SHA1

5c4c76855f9c8eda78a6e0009ee090f94d7721ac
SHA256

ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79
SHA512

76c1a7e852ac0bfa24c7c03cb29ecb546856cb2687b0584fda925344761e03d8d50110dfaecfa19848cf01f886b5cafa062eff615bb4ec584c0e2d541bf4e87a
SSDEEP

1536:DOC8kXwuCz+3gSKkygWB5BsbH7nPLn0mp57ruxcYQmoMTCH:D78/u1QNkygegbHbPLXp5+xcYQ/MWH

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1764 rundll32.exe
3080 rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fdisabuyuto = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\KBDiloE.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exe

pid	process
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exerundll32.exe

description	pid	process	target process
PID 5048 wrote to memory of 1764	5048	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 5048 wrote to memory of 1764	5048	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 5048 wrote to memory of 1764	5048	ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe	rundll32.exe
PID 1764 wrote to memory of 3080	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 3080	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 3080	1764	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe
"C:\Users\Admin\AppData\Local\Temp\ef874fec785e4327acf288f10d836c60efb0cdaa553b16d4991118778ccc2f79.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\KBDiloE.dll",Startup
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\KBDiloE.dll",iep
3⤵
- Loads dropped DLL
PID:3080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KBDiloE.dll
Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
C:\Users\Admin\AppData\Local\KBDiloE.dll
Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
C:\Users\Admin\AppData\Local\KBDiloE.dll
Filesize
79KB

MD5
ae05b964a6fb73ea395bcd935efb6463

SHA1
4d1577ef4232a8898c33bdcc16e3d4ff13656563

SHA256
c9a161c6ce536c69acc26021547eb3a630063b9159c988eee5ac530342c577fa

SHA512
1fbef436abdcaf73dbd5343b59d29eb17dc5b219d58165bcd936a74efa0022b9eab0aa8681f6dbef6f4cee2012466961a6a633080c27a5124de5f5c618655529

Download Submit
memory/1764-145-0x0000000002381000-0x000000000238F000-memory.dmp

Filesize
56KB

Download
memory/1764-137-0x0000000000000000-mapping.dmp

Download
memory/1764-140-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1764-141-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3080-153-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3080-152-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/3080-146-0x0000000000000000-mapping.dmp

Download
memory/5048-134-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/5048-144-0x00000000022B1000-0x00000000022BF000-memory.dmp

Filesize
56KB

Download
memory/5048-132-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/5048-135-0x0000000010001000-0x000000001000D000-memory.dmp

Filesize
48KB

Download
memory/5048-133-0x0000000010001000-0x000000001000D000-memory.dmp

Filesize
48KB

Download