257a77d33a7a712ae3ff0113ebd4061d78d27f7060e3bb9584aabe5f9c2746b7

Analysis

max time kernel
180s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lpk.dll
Size

85KB
MD5

8f114be9125798a2e24ab55fafb09590
SHA1

aa070d571279542fe8c06a16f06afe6945d28d6e
SHA256

9a542bd4f4349030fcb8c557ce997be76a8f12c2bcf38a03dd918ff3f6c6a4e5
SHA512

b8cdcca1c5f9ae7701eaef596ff629e9febd3e3929c05aba62602821f311fd4edce8924576ff07dc6ed7094a7992e60bc44bbf9f7b9289bed21c97a41587201d
SSDEEP

1536:0O3H4UYT7knSEUHAC4H3Pt9tyHpO3H4UYn:RX4Uo7kSEdzXPtPyHsX4Uo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1860	hrl5217.tmp
4288	skwegk.exe

Loads dropped DLL 1 IoCs

pid	Process
4288	skwegk.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\skwegk.exe	hrl5217.tmp
File opened for modification	C:\Windows\SysWOW64\skwegk.exe	hrl5217.tmp
File created	C:\Windows\SysWOW64\hra33.dll	skwegk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1860 set thread context of 1108	1860	hrl5217.tmp	85

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 4376	1540	rundll32.exe	82
PID 1540 wrote to memory of 4376	1540	rundll32.exe	82
PID 1540 wrote to memory of 4376	1540	rundll32.exe	82
PID 4376 wrote to memory of 1860	4376	rundll32.exe	83
PID 4376 wrote to memory of 1860	4376	rundll32.exe	83
PID 4376 wrote to memory of 1860	4376	rundll32.exe	83
PID 1860 wrote to memory of 1108	1860	hrl5217.tmp	85
PID 1860 wrote to memory of 1108	1860	hrl5217.tmp	85
PID 1860 wrote to memory of 1108	1860	hrl5217.tmp	85
PID 1860 wrote to memory of 1108	1860	hrl5217.tmp	85
PID 1860 wrote to memory of 1108	1860	hrl5217.tmp	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\hrl5217.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl5217.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\calc.exe
      calc.exe
      4⤵
      PID:1108

C:\Windows\SysWOW64\skwegk.exe
C:\Windows\SysWOW64\skwegk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl5217.tmp

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrl5217.tmp

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
C:\Windows\SysWOW64\hra33.dll

Filesize
85KB

MD5
8f114be9125798a2e24ab55fafb09590

SHA1
aa070d571279542fe8c06a16f06afe6945d28d6e

SHA256
9a542bd4f4349030fcb8c557ce997be76a8f12c2bcf38a03dd918ff3f6c6a4e5

SHA512
b8cdcca1c5f9ae7701eaef596ff629e9febd3e3929c05aba62602821f311fd4edce8924576ff07dc6ed7094a7992e60bc44bbf9f7b9289bed21c97a41587201d

Download Submit
C:\Windows\SysWOW64\skwegk.exe

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit
C:\Windows\SysWOW64\skwegk.exe

Filesize
72KB

MD5
6af92a073c5c8097ac07673156ebff4d

SHA1
d48b362ba12ad78446ee3380f792430d619617ee

SHA256
95643d36b6cc8f3704e57b6795fbd9e31145c87080657ffc353b5ebb7d118947

SHA512
df94ffa64f1cf97ef804fe1fed2fc37bc1fe5cc0663caa9b4dccd42abd399bd78afaa1c97b8992e433b796bfca8e2f3740b4724abf36534611aba5234b5a158e

Download Submit