018ccb051805d210b672f2ce8db20662bb851737d12ac4778e8a630d159ed949

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lpk.dll
Size

44KB
MD5

22709df8eb252472147ee0240f36229c
SHA1

5389c09454716c14289a4a653174fbad2f80a604
SHA256

1de7322ff118b46fa90b3c162523d8e58f37bddd28ee0220d8db181fdeaf8a1d
SHA512

ab78efdcdd27282e943d6a7d9960605f400e66a62ffc1e3ea6d10c52d5f79bd96de8d1b532a04cb64c6d5f5e302ab1e55109c321a23f1939e80c99ffd108722f
SSDEEP

768:fojY9PEumB2AOYc9Eej2V+67vrRfUGKQyHsojY9P:KmcuQ2ATcZ2VF3KQyHdm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5016	hrl6B71.tmp
4768	cugcue.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cugcue.exe	hrl6B71.tmp
File created	C:\Windows\SysWOW64\cugcue.exe	hrl6B71.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4768 set thread context of 2084	4768	cugcue.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2732	2084	WerFault.exe	82

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2084	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 808	3760	rundll32.exe	75
PID 3760 wrote to memory of 808	3760	rundll32.exe	75
PID 3760 wrote to memory of 808	3760	rundll32.exe	75
PID 808 wrote to memory of 5016	808	rundll32.exe	80
PID 808 wrote to memory of 5016	808	rundll32.exe	80
PID 808 wrote to memory of 5016	808	rundll32.exe	80
PID 4768 wrote to memory of 2084	4768	cugcue.exe	82
PID 4768 wrote to memory of 2084	4768	cugcue.exe	82
PID 4768 wrote to memory of 2084	4768	cugcue.exe	82
PID 4768 wrote to memory of 2084	4768	cugcue.exe	82
PID 4768 wrote to memory of 2084	4768	cugcue.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\hrl6B71.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl6B71.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:5016

C:\Windows\SysWOW64\cugcue.exe
C:\Windows\SysWOW64\cugcue.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:2084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 12
    3⤵
    - Program crash
    PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2084 -ip 2084
1⤵
PID:4920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl6B71.tmp

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrl6B71.tmp

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
C:\Windows\SysWOW64\cugcue.exe

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
C:\Windows\SysWOW64\cugcue.exe

Filesize
37KB

MD5
5cc2a96ba61f8108ed673550f0e83f61

SHA1
28462f7b59c030bc22078df31701a98f65655f06

SHA256
7db2dfcd36a8bfc6b04b49898a6c2df0e2498273d34eaa2727bd5f60c95a3eda

SHA512
09cf8f10add77c983f5cabedfc6deeefb00b35a31299f75a01af604e3298a8a2200bbc937197db4bf03ad6d28c706d94ec3fa47a6c5aaff57d29e9c007aaebb7

Download Submit
memory/2084-139-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download