3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d

Analysis

max time kernel
162s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe
Size

79KB
MD5

75281c6808facd9b45f479e7e5f05418
SHA1

603debb0a07ce2ec2234b970c7aa52ae64cfcf19
SHA256

3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d
SHA512

4ec30433443dd2570d1f60477862159c108c1dc8efdbeb11c70458724c148088a0a924908508e2db848a51d1ae3031719b0030d2e5e101b3194d96fea6b94761
SSDEEP

1536:r+HxFEoBl0JZ1vEibGDB/SN/Aec3iuDbAUehHG6dYTFUmtEbz:r4FEBvdEiCD8WNyGbAsTFmbz

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

59 4120 rundll32.exe
73 4120 rundll32.exe
90 4120 rundll32.exe
106 4120 rundll32.exe
108 4120 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3104 rundll32.exe
4120 rundll32.exe

flow	pid	process
59	4120	rundll32.exe
73	4120	rundll32.exe
90	4120	rundll32.exe
106	4120	rundll32.exe
108	4120	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nxuwozumahohew = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Howscm.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exe

pid	process
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe
3104	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exerundll32.exe

description	pid	process	target process
PID 2560 wrote to memory of 3104	2560	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 2560 wrote to memory of 3104	2560	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 2560 wrote to memory of 3104	2560	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 3104 wrote to memory of 4120	3104	rundll32.exe	rundll32.exe
PID 3104 wrote to memory of 4120	3104	rundll32.exe	rundll32.exe
PID 3104 wrote to memory of 4120	3104	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe
"C:\Users\Admin\AppData\Local\Temp\3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Howscm.dll",Startup
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Howscm.dll",iep
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Howscm.dll

Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
C:\Users\Admin\AppData\Local\Howscm.dll

Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
C:\Users\Admin\AppData\Local\Howscm.dll

Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
memory/2560-143-0x00000000021D1000-0x00000000021DF000-memory.dmp

Filesize
56KB

Download
memory/2560-134-0x0000000010001000-0x000000001000D000-memory.dmp

Filesize
48KB

Download
memory/2560-133-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2560-132-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3104-136-0x0000000000000000-mapping.dmp

Download
memory/3104-140-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3104-144-0x0000000002B81000-0x0000000002B8F000-memory.dmp

Filesize
56KB

Download
memory/3104-139-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/4120-145-0x0000000000000000-mapping.dmp

Download
memory/4120-151-0x0000000001001000-0x000000000100F000-memory.dmp

Filesize
56KB

Download