99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c

Analysis

max time kernel
166s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe
Size

184KB
MD5

ee93ea77139fdc0881d181de424be3db
SHA1

ea0efe310ee3794a4d5f6e074e2f1f56e50180bc
SHA256

99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c
SHA512

3e7013317814860cd439c11c7502d136464f6f16830960fb106d8546f3de112594461f741664eb3ed84a6610abd373863c61b15392e8ba17ea03f5dcd7b5fba2
SSDEEP

3072:bqPO7C6IiSX2hI/rmE8PjguXRY7ArrCEmguU1DNlFJa39g:bSOu6i2hI/rXGg4RLmED5F

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
59	4288	RUNDLL32.EXE
79	4288	RUNDLL32.EXE
86	4288	RUNDLL32.EXE
97	4288	RUNDLL32.EXE

Loads dropped DLL 2 IoCs

pid	Process
1220	RUNDLL32.EXE
4288	RUNDLL32.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	RUNDLL32.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Autorun = "RUNDLL32.EXE \"\\SxS.DLL\" GnrkQr 3爀"	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	RUNDLL32.EXE
Token: SeTcbPrivilege	4288	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1220	2104	99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe	84
PID 2104 wrote to memory of 1220	2104	99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe	84
PID 2104 wrote to memory of 1220	2104	99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe	84
PID 1220 wrote to memory of 4288	1220	RUNDLL32.EXE	85
PID 1220 wrote to memory of 4288	1220	RUNDLL32.EXE	85
PID 1220 wrote to memory of 4288	1220	RUNDLL32.EXE	85

C:\Users\Admin\AppData\Local\Temp\99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe
"C:\Users\Admin\AppData\Local\Temp\99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\RUNDLL32.EXE
  RUNDLL32.EXE "\SxS.DLL" GnrkQr 0 "C:\Users\Admin\AppData\Local\Temp\99ac31b4ef6d211eaf12d90975d0b75a0149c6c14acdb14abfda71ccdde6076c.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    RUNDLL32.EXE "\SxS.DLL" GnrkQr 3
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SxS.DLL

Filesize
184KB

MD5
5d5215ef8f5c5dbbb867cf73e081fad2

SHA1
b2a5830d7f6c5f2ad4cae0ad918f02c8b8eda43d

SHA256
34d9102d202bb16baaf24ee805b638570474cf717eb6356273827881cf09d687

SHA512
4e86f21c5e755e06c928279ccb74ecd91d15e317b9c11e04d4baf379cf9aafe686565c7d2b329778437609d44b97e3deb7d968b3d9325b68171f9bc5da97fcb8

Download Submit
C:\SxS.DLL

Filesize
184KB

MD5
5d5215ef8f5c5dbbb867cf73e081fad2

SHA1
b2a5830d7f6c5f2ad4cae0ad918f02c8b8eda43d

SHA256
34d9102d202bb16baaf24ee805b638570474cf717eb6356273827881cf09d687

SHA512
4e86f21c5e755e06c928279ccb74ecd91d15e317b9c11e04d4baf379cf9aafe686565c7d2b329778437609d44b97e3deb7d968b3d9325b68171f9bc5da97fcb8

Download Submit
C:\SxS.DLL

Filesize
184KB

MD5
5d5215ef8f5c5dbbb867cf73e081fad2

SHA1
b2a5830d7f6c5f2ad4cae0ad918f02c8b8eda43d

SHA256
34d9102d202bb16baaf24ee805b638570474cf717eb6356273827881cf09d687

SHA512
4e86f21c5e755e06c928279ccb74ecd91d15e317b9c11e04d4baf379cf9aafe686565c7d2b329778437609d44b97e3deb7d968b3d9325b68171f9bc5da97fcb8

Download Submit