f6563d7eda2105f325e93ce391cb45302a750c7dc8ba04413a22136bbf1d5fce

Analysis

max time kernel
146s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lpk.dll
Size

85KB
MD5

8f114be9125798a2e24ab55fafb09590
SHA1

aa070d571279542fe8c06a16f06afe6945d28d6e
SHA256

9a542bd4f4349030fcb8c557ce997be76a8f12c2bcf38a03dd918ff3f6c6a4e5
SHA512

b8cdcca1c5f9ae7701eaef596ff629e9febd3e3929c05aba62602821f311fd4edce8924576ff07dc6ed7094a7992e60bc44bbf9f7b9289bed21c97a41587201d
SSDEEP

1536:0O3H4UYT7knSEUHAC4H3Pt9tyHpO3H4UYn:RX4Uo7kSEdzXPtPyHsX4Uo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2040	hrl8FE1.tmp
4984	iaoqau.exe

Loads dropped DLL 1 IoCs

pid	Process
4984	iaoqau.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hra33.dll	iaoqau.exe
File created	C:\Windows\SysWOW64\iaoqau.exe	hrl8FE1.tmp
File opened for modification	C:\Windows\SysWOW64\iaoqau.exe	hrl8FE1.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 4336	2040	hrl8FE1.tmp	82

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1748	2944	rundll32.exe	79
PID 2944 wrote to memory of 1748	2944	rundll32.exe	79
PID 2944 wrote to memory of 1748	2944	rundll32.exe	79
PID 1748 wrote to memory of 2040	1748	rundll32.exe	80
PID 1748 wrote to memory of 2040	1748	rundll32.exe	80
PID 1748 wrote to memory of 2040	1748	rundll32.exe	80
PID 2040 wrote to memory of 4336	2040	hrl8FE1.tmp	82
PID 2040 wrote to memory of 4336	2040	hrl8FE1.tmp	82
PID 2040 wrote to memory of 4336	2040	hrl8FE1.tmp	82
PID 2040 wrote to memory of 4336	2040	hrl8FE1.tmp	82
PID 2040 wrote to memory of 4336	2040	hrl8FE1.tmp	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\hrl8FE1.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl8FE1.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\calc.exe
      calc.exe
      4⤵
      PID:4336

C:\Windows\SysWOW64\iaoqau.exe
C:\Windows\SysWOW64\iaoqau.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl8FE1.tmp

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrl8FE1.tmp

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
C:\Windows\SysWOW64\hra33.dll

Filesize
85KB

MD5
8f114be9125798a2e24ab55fafb09590

SHA1
aa070d571279542fe8c06a16f06afe6945d28d6e

SHA256
9a542bd4f4349030fcb8c557ce997be76a8f12c2bcf38a03dd918ff3f6c6a4e5

SHA512
b8cdcca1c5f9ae7701eaef596ff629e9febd3e3929c05aba62602821f311fd4edce8924576ff07dc6ed7094a7992e60bc44bbf9f7b9289bed21c97a41587201d

Download Submit
C:\Windows\SysWOW64\iaoqau.exe

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
C:\Windows\SysWOW64\iaoqau.exe

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit