018ccb051805d210b672f2ce8db20662bb851737d12ac4778e8a630d159ed949

Analysis

max time kernel
26s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lpk.dll
Size

44KB
MD5

22709df8eb252472147ee0240f36229c
SHA1

5389c09454716c14289a4a653174fbad2f80a604
SHA256

1de7322ff118b46fa90b3c162523d8e58f37bddd28ee0220d8db181fdeaf8a1d
SHA512

ab78efdcdd27282e943d6a7d9960605f400e66a62ffc1e3ea6d10c52d5f79bd96de8d1b532a04cb64c6d5f5e302ab1e55109c321a23f1939e80c99ffd108722f
SSDEEP

768:fojY9PEumB2AOYc9Eej2V+67vrRfUGKQyHsojY9P:KmcuQ2ATcZ2VF3KQyHdm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1288	hrl4EEC.tmp
544	nyrtuc.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	rundll32.exe
1696	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nyrtuc.exe	hrl4EEC.tmp
File opened for modification	C:\Windows\SysWOW64\nyrtuc.exe	hrl4EEC.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 824	544	nyrtuc.exe	31

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1696	1744	rundll32.exe	28
PID 1744 wrote to memory of 1696	1744	rundll32.exe	28
PID 1744 wrote to memory of 1696	1744	rundll32.exe	28
PID 1744 wrote to memory of 1696	1744	rundll32.exe	28
PID 1744 wrote to memory of 1696	1744	rundll32.exe	28
PID 1744 wrote to memory of 1696	1744	rundll32.exe	28
PID 1744 wrote to memory of 1696	1744	rundll32.exe	28
PID 1696 wrote to memory of 1288	1696	rundll32.exe	29
PID 1696 wrote to memory of 1288	1696	rundll32.exe	29
PID 1696 wrote to memory of 1288	1696	rundll32.exe	29
PID 1696 wrote to memory of 1288	1696	rundll32.exe	29
PID 544 wrote to memory of 824	544	nyrtuc.exe	31
PID 544 wrote to memory of 824	544	nyrtuc.exe	31
PID 544 wrote to memory of 824	544	nyrtuc.exe	31
PID 544 wrote to memory of 824	544	nyrtuc.exe	31
PID 544 wrote to memory of 824	544	nyrtuc.exe	31
PID 544 wrote to memory of 824	544	nyrtuc.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\hrl4EEC.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl4EEC.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1288

C:\Windows\SysWOW64\nyrtuc.exe
C:\Windows\SysWOW64\nyrtuc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl4EEC.tmp

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrl4EEC.tmp

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
C:\Windows\SysWOW64\nyrtuc.exe

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
C:\Windows\SysWOW64\nyrtuc.exe

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
\Users\Admin\AppData\Local\Temp\hrl4EEC.tmp

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
\Users\Admin\AppData\Local\Temp\hrl4EEC.tmp

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
memory/824-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/824-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1696-55-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download