8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c

General

Target

8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe
Size

115KB
MD5

f92a5666ea36c16b839e87950e4d6ed9
SHA1

55c32079ec63bc4d1a9e8fd33ba829e463eab0b2
SHA256

8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c
SHA512

2ceecf7c1181c256c45d81db084a7a8b3c4d6b1c27c91acbd7495581c892ae167859d22b90f9b1db44e2da28f594ffab73678866d957a2f4bcb223e270c92c87
SSDEEP

3072:CtJlBQjQbrxBSvp7PBEYcORIOCBSqIEkCtQ:OJnQEqPBdXRWSNjX

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4532 rundll32.exe

pid	process
4532	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZUi8H4k1 = "rundll32.exe C:\\239kKj\\ZUi8H4k1.dll,KieeBon"	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syotom = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4532 set thread context of 3644 4532 rundll32.exe svchost.exe

description	pid	process	target process
PID 4532 set thread context of 3644	4532	rundll32.exe	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exerundll32.exe

description	pid	process	target process
PID 2024 wrote to memory of 4532	2024	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 2024 wrote to memory of 4532	2024	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 2024 wrote to memory of 4532	2024	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	rundll32.exe
PID 2024 wrote to memory of 3492	2024	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	cmd.exe
PID 2024 wrote to memory of 3492	2024	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	cmd.exe
PID 2024 wrote to memory of 3492	2024	8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe	cmd.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe
PID 4532 wrote to memory of 3644	4532	rundll32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe
"C:\Users\Admin\AppData\Local\Temp\8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\239kKj\ZUi8H4k1.dll,KieeBon
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Adds Run key to start application
PID:3644

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\8d2d3f159b35b648de8d1d1c83a1a0ece50cd2a00cf1063a8b4134b8bf3e342c.exe"
2⤵
PID:3492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\239kKj\ZUi8H4k1.dll

Filesize
87KB

MD5
3ceaa0d25d7ed31a8f8d57a3356a8b5e

SHA1
278c5c8f823d502958fd4ade03019a1206400765

SHA256
fd5a974df24d838051588459974b6436bb3aef4d9b4fb9a2bdcf265c5e6c39b8

SHA512
29e35eb2b04194d0500a0c4cfece5c55b24d37e38465a17e838b188637a97b5fbbc7dd1eeff7c56b5819c94376d6e569595dd16a2c10b056cffb7299b6f43519

Download Submit
C:\239kKj\ZUi8H4k1.dll

Filesize
87KB

MD5
3ceaa0d25d7ed31a8f8d57a3356a8b5e

SHA1
278c5c8f823d502958fd4ade03019a1206400765

SHA256
fd5a974df24d838051588459974b6436bb3aef4d9b4fb9a2bdcf265c5e6c39b8

SHA512
29e35eb2b04194d0500a0c4cfece5c55b24d37e38465a17e838b188637a97b5fbbc7dd1eeff7c56b5819c94376d6e569595dd16a2c10b056cffb7299b6f43519

Download Submit
memory/2024-133-0x0000000002030000-0x0000000002033000-memory.dmp

Filesize
12KB

Download
memory/2024-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3492-135-0x0000000000000000-mapping.dmp

Download
memory/3644-140-0x0000000000000000-mapping.dmp

Download
memory/3644-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3644-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3644-143-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3644-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3644-144-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3644-147-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4532-139-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4532-138-0x00000000007C0000-0x00000000007C3000-memory.dmp

Filesize
12KB

Download
memory/4532-134-0x0000000000000000-mapping.dmp

Download
memory/4532-148-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing