f6563d7eda2105f325e93ce391cb45302a750c7dc8ba04413a22136bbf1d5fce

General

Target

lpk.dll
Size

85KB
MD5

8f114be9125798a2e24ab55fafb09590
SHA1

aa070d571279542fe8c06a16f06afe6945d28d6e
SHA256

9a542bd4f4349030fcb8c557ce997be76a8f12c2bcf38a03dd918ff3f6c6a4e5
SHA512

b8cdcca1c5f9ae7701eaef596ff629e9febd3e3929c05aba62602821f311fd4edce8924576ff07dc6ed7094a7992e60bc44bbf9f7b9289bed21c97a41587201d
SSDEEP

1536:0O3H4UYT7knSEUHAC4H3Pt9tyHpO3H4UYn:RX4Uo7kSEdzXPtPyHsX4Uo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1772	hrl20F9.tmp
1108	gemuas.exe

Loads dropped DLL 3 IoCs

pid	Process
1452	rundll32.exe
1452	rundll32.exe
1108	gemuas.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	gemuas.exe
File opened (read-only)	\??\S:	gemuas.exe
File opened (read-only)	\??\W:	gemuas.exe
File opened (read-only)	\??\Z:	gemuas.exe
File opened (read-only)	\??\F:	gemuas.exe
File opened (read-only)	\??\M:	gemuas.exe
File opened (read-only)	\??\Q:	gemuas.exe
File opened (read-only)	\??\U:	gemuas.exe
File opened (read-only)	\??\L:	gemuas.exe
File opened (read-only)	\??\R:	gemuas.exe
File opened (read-only)	\??\T:	gemuas.exe
File opened (read-only)	\??\Y:	gemuas.exe
File opened (read-only)	\??\G:	gemuas.exe
File opened (read-only)	\??\I:	gemuas.exe
File opened (read-only)	\??\J:	gemuas.exe
File opened (read-only)	\??\K:	gemuas.exe
File opened (read-only)	\??\V:	gemuas.exe
File opened (read-only)	\??\X:	gemuas.exe
File opened (read-only)	\??\E:	gemuas.exe
File opened (read-only)	\??\N:	gemuas.exe
File opened (read-only)	\??\O:	gemuas.exe
File opened (read-only)	\??\P:	gemuas.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hra33.dll	gemuas.exe
File created	C:\Windows\SysWOW64\gemuas.exe	hrl20F9.tmp
File opened for modification	C:\Windows\SysWOW64\gemuas.exe	hrl20F9.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 2036	1772	hrl20F9.tmp	31

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gemuas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	gemuas.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1452	1972	rundll32.exe	28
PID 1972 wrote to memory of 1452	1972	rundll32.exe	28
PID 1972 wrote to memory of 1452	1972	rundll32.exe	28
PID 1972 wrote to memory of 1452	1972	rundll32.exe	28
PID 1972 wrote to memory of 1452	1972	rundll32.exe	28
PID 1972 wrote to memory of 1452	1972	rundll32.exe	28
PID 1972 wrote to memory of 1452	1972	rundll32.exe	28
PID 1452 wrote to memory of 1772	1452	rundll32.exe	29
PID 1452 wrote to memory of 1772	1452	rundll32.exe	29
PID 1452 wrote to memory of 1772	1452	rundll32.exe	29
PID 1452 wrote to memory of 1772	1452	rundll32.exe	29
PID 1772 wrote to memory of 2036	1772	hrl20F9.tmp	31
PID 1772 wrote to memory of 2036	1772	hrl20F9.tmp	31
PID 1772 wrote to memory of 2036	1772	hrl20F9.tmp	31
PID 1772 wrote to memory of 2036	1772	hrl20F9.tmp	31
PID 1772 wrote to memory of 2036	1772	hrl20F9.tmp	31
PID 1772 wrote to memory of 2036	1772	hrl20F9.tmp	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\hrl20F9.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl20F9.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\calc.exe
      calc.exe
      4⤵
      PID:2036

C:\Windows\SysWOW64\gemuas.exe
C:\Windows\SysWOW64\gemuas.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl20F9.tmp

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrl20F9.tmp

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
C:\Windows\SysWOW64\gemuas.exe

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
C:\Windows\SysWOW64\gemuas.exe

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
\Users\Admin\AppData\Local\Temp\hrl20F9.tmp

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
\Users\Admin\AppData\Local\Temp\hrl20F9.tmp

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
\Windows\SysWOW64\hra33.dll

Filesize
85KB

MD5
8f114be9125798a2e24ab55fafb09590

SHA1
aa070d571279542fe8c06a16f06afe6945d28d6e

SHA256
9a542bd4f4349030fcb8c557ce997be76a8f12c2bcf38a03dd918ff3f6c6a4e5

SHA512
b8cdcca1c5f9ae7701eaef596ff629e9febd3e3929c05aba62602821f311fd4edce8924576ff07dc6ed7094a7992e60bc44bbf9f7b9289bed21c97a41587201d

Download Submit
memory/1452-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/2036-64-0x0000000000170000-0x00000000001F0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads