e11b1f26174bb8ccccc54f16e0a64bc2b6782ba970fd3cc06668e6f201f3ff60

Analysis

max time kernel
200s
max time network
204s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e11b1f26174bb8ccccc54f16e0a64bc2b6782ba970fd3cc06668e6f201f3ff60.dll
Size

100KB
MD5

7834e5f2d044622f78de7c9badead312
SHA1

ef98914c767b7a221bb0ba4f14f031fc9bda236d
SHA256

e11b1f26174bb8ccccc54f16e0a64bc2b6782ba970fd3cc06668e6f201f3ff60
SHA512

d714d36c334a87c0238e6a9767320c018dcae245e84ab14c49236f377fe05b035a0f3b7a711a0c43f2fae10a5931d778c98475152d69c7c62caee9654d2a75c0
SSDEEP

1536:ymTJdMmJyDl+AVZpoWyHjmg9PC3xH87XTy51Z77DtcQ5RxIZM1j/8y1:yyJuIyD9ZRyHj99PAFKEDvZcKbIKL8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2000	hrlE235.tmp
560	vcjlye.exe

Loads dropped DLL 3 IoCs

pid	Process
1220	rundll32.exe
1220	rundll32.exe
560	vcjlye.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	vcjlye.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\M:	vcjlye.exe
File opened (read-only)	\??\R:	vcjlye.exe
File opened (read-only)	\??\S:	vcjlye.exe
File opened (read-only)	\??\N:	vcjlye.exe
File opened (read-only)	\??\P:	vcjlye.exe
File opened (read-only)	\??\T:	vcjlye.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\H:	vcjlye.exe
File opened (read-only)	\??\W:	vcjlye.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\V:	vcjlye.exe
File opened (read-only)	\??\Y:	vcjlye.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\F:	vcjlye.exe
File opened (read-only)	\??\J:	vcjlye.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\G:	vcjlye.exe
File opened (read-only)	\??\K:	vcjlye.exe
File opened (read-only)	\??\Q:	vcjlye.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\E:	vcjlye.exe
File opened (read-only)	\??\I:	vcjlye.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\O:	vcjlye.exe
File opened (read-only)	\??\X:	vcjlye.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\L:	vcjlye.exe
File opened (read-only)	\??\Z:	vcjlye.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vcjlye.exe	hrlE235.tmp
File created	C:\Windows\SysWOW64\hra33.dll	vcjlye.exe
File created	C:\Windows\SysWOW64\vcjlye.exe	hrlE235.tmp

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\lpk.dll	vcjlye.exe
File created	C:\Program Files\7-Zip\lpk.dll	vcjlye.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	hrlE235.tmp
560	vcjlye.exe

Suspicious behavior: MapViewOfSection 49 IoCs

pid	Process
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
2000	hrlE235.tmp
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe
560	vcjlye.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	hrlE235.tmp
Token: SeDebugPrivilege	560	vcjlye.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2000	hrlE235.tmp
2000	hrlE235.tmp
560	vcjlye.exe
560	vcjlye.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1220	1664	rundll32.exe	28
PID 1664 wrote to memory of 1220	1664	rundll32.exe	28
PID 1664 wrote to memory of 1220	1664	rundll32.exe	28
PID 1664 wrote to memory of 1220	1664	rundll32.exe	28
PID 1664 wrote to memory of 1220	1664	rundll32.exe	28
PID 1664 wrote to memory of 1220	1664	rundll32.exe	28
PID 1664 wrote to memory of 1220	1664	rundll32.exe	28
PID 1220 wrote to memory of 2000	1220	rundll32.exe	29
PID 1220 wrote to memory of 2000	1220	rundll32.exe	29
PID 1220 wrote to memory of 2000	1220	rundll32.exe	29
PID 1220 wrote to memory of 2000	1220	rundll32.exe	29
PID 2000 wrote to memory of 368	2000	hrlE235.tmp	5
PID 2000 wrote to memory of 368	2000	hrlE235.tmp	5
PID 2000 wrote to memory of 368	2000	hrlE235.tmp	5
PID 2000 wrote to memory of 368	2000	hrlE235.tmp	5
PID 2000 wrote to memory of 368	2000	hrlE235.tmp	5
PID 2000 wrote to memory of 368	2000	hrlE235.tmp	5
PID 2000 wrote to memory of 368	2000	hrlE235.tmp	5
PID 2000 wrote to memory of 384	2000	hrlE235.tmp	4
PID 2000 wrote to memory of 384	2000	hrlE235.tmp	4
PID 2000 wrote to memory of 384	2000	hrlE235.tmp	4
PID 2000 wrote to memory of 384	2000	hrlE235.tmp	4
PID 2000 wrote to memory of 384	2000	hrlE235.tmp	4
PID 2000 wrote to memory of 384	2000	hrlE235.tmp	4
PID 2000 wrote to memory of 384	2000	hrlE235.tmp	4
PID 2000 wrote to memory of 420	2000	hrlE235.tmp	3
PID 2000 wrote to memory of 420	2000	hrlE235.tmp	3
PID 2000 wrote to memory of 420	2000	hrlE235.tmp	3
PID 2000 wrote to memory of 420	2000	hrlE235.tmp	3
PID 2000 wrote to memory of 420	2000	hrlE235.tmp	3
PID 2000 wrote to memory of 420	2000	hrlE235.tmp	3
PID 2000 wrote to memory of 420	2000	hrlE235.tmp	3
PID 2000 wrote to memory of 464	2000	hrlE235.tmp	2
PID 2000 wrote to memory of 464	2000	hrlE235.tmp	2
PID 2000 wrote to memory of 464	2000	hrlE235.tmp	2
PID 2000 wrote to memory of 464	2000	hrlE235.tmp	2
PID 2000 wrote to memory of 464	2000	hrlE235.tmp	2
PID 2000 wrote to memory of 464	2000	hrlE235.tmp	2
PID 2000 wrote to memory of 464	2000	hrlE235.tmp	2
PID 2000 wrote to memory of 480	2000	hrlE235.tmp	1
PID 2000 wrote to memory of 480	2000	hrlE235.tmp	1
PID 2000 wrote to memory of 480	2000	hrlE235.tmp	1
PID 2000 wrote to memory of 480	2000	hrlE235.tmp	1
PID 2000 wrote to memory of 480	2000	hrlE235.tmp	1
PID 2000 wrote to memory of 480	2000	hrlE235.tmp	1
PID 2000 wrote to memory of 480	2000	hrlE235.tmp	1
PID 2000 wrote to memory of 488	2000	hrlE235.tmp	8
PID 2000 wrote to memory of 488	2000	hrlE235.tmp	8
PID 2000 wrote to memory of 488	2000	hrlE235.tmp	8
PID 2000 wrote to memory of 488	2000	hrlE235.tmp	8
PID 2000 wrote to memory of 488	2000	hrlE235.tmp	8
PID 2000 wrote to memory of 488	2000	hrlE235.tmp	8
PID 2000 wrote to memory of 488	2000	hrlE235.tmp	8
PID 2000 wrote to memory of 588	2000	hrlE235.tmp	27
PID 2000 wrote to memory of 588	2000	hrlE235.tmp	27
PID 2000 wrote to memory of 588	2000	hrlE235.tmp	27
PID 2000 wrote to memory of 588	2000	hrlE235.tmp	27
PID 2000 wrote to memory of 588	2000	hrlE235.tmp	27
PID 2000 wrote to memory of 588	2000	hrlE235.tmp	27
PID 2000 wrote to memory of 588	2000	hrlE235.tmp	27
PID 2000 wrote to memory of 668	2000	hrlE235.tmp	26
PID 2000 wrote to memory of 668	2000	hrlE235.tmp	26
PID 2000 wrote to memory of 668	2000	hrlE235.tmp	26
PID 2000 wrote to memory of 668	2000	hrlE235.tmp	26

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:276
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1940
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1384
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1040
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:336
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:876
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:840
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588
- C:\Windows\SysWOW64\vcjlye.exe
  C:\Windows\SysWOW64\vcjlye.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:560

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:488

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1212

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1260

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2024

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e11b1f26174bb8ccccc54f16e0a64bc2b6782ba970fd3cc06668e6f201f3ff60.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e11b1f26174bb8ccccc54f16e0a64bc2b6782ba970fd3cc06668e6f201f3ff60.dll,#1
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\hrlE235.tmp
      C:\Users\Admin\AppData\Local\Temp\hrlE235.tmp
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlE235.tmp

Filesize
93KB

MD5
5549549cafc332e4ffb5048a5aa3be1b

SHA1
129e4b0c51f6639b76f7ec9cd9059b736cd5b771

SHA256
912728cd41d23ddfece0c0b85c3c2476c730be014b137c8cb8aae6f194d6bd8c

SHA512
b601a61f629a7e041eafa7e8056348246425d4bb182eb1cf6fa1c8496868550a076723ebf1581c274839681f4dd4373c4fc8d9abf491fd0931f40e66938527d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlE235.tmp

Filesize
93KB

MD5
5549549cafc332e4ffb5048a5aa3be1b

SHA1
129e4b0c51f6639b76f7ec9cd9059b736cd5b771

SHA256
912728cd41d23ddfece0c0b85c3c2476c730be014b137c8cb8aae6f194d6bd8c

SHA512
b601a61f629a7e041eafa7e8056348246425d4bb182eb1cf6fa1c8496868550a076723ebf1581c274839681f4dd4373c4fc8d9abf491fd0931f40e66938527d7

Download Submit
C:\WINDOWS\SysWOW64\VCJLYE.EXE

Filesize
93KB

MD5
5549549cafc332e4ffb5048a5aa3be1b

SHA1
129e4b0c51f6639b76f7ec9cd9059b736cd5b771

SHA256
912728cd41d23ddfece0c0b85c3c2476c730be014b137c8cb8aae6f194d6bd8c

SHA512
b601a61f629a7e041eafa7e8056348246425d4bb182eb1cf6fa1c8496868550a076723ebf1581c274839681f4dd4373c4fc8d9abf491fd0931f40e66938527d7

Download Submit
C:\Windows\SysWOW64\vcjlye.exe

Filesize
93KB

MD5
5549549cafc332e4ffb5048a5aa3be1b

SHA1
129e4b0c51f6639b76f7ec9cd9059b736cd5b771

SHA256
912728cd41d23ddfece0c0b85c3c2476c730be014b137c8cb8aae6f194d6bd8c

SHA512
b601a61f629a7e041eafa7e8056348246425d4bb182eb1cf6fa1c8496868550a076723ebf1581c274839681f4dd4373c4fc8d9abf491fd0931f40e66938527d7

Download Submit
\Users\Admin\AppData\Local\Temp\hrlE235.tmp

Filesize
93KB

MD5
5549549cafc332e4ffb5048a5aa3be1b

SHA1
129e4b0c51f6639b76f7ec9cd9059b736cd5b771

SHA256
912728cd41d23ddfece0c0b85c3c2476c730be014b137c8cb8aae6f194d6bd8c

SHA512
b601a61f629a7e041eafa7e8056348246425d4bb182eb1cf6fa1c8496868550a076723ebf1581c274839681f4dd4373c4fc8d9abf491fd0931f40e66938527d7

Download Submit
\Users\Admin\AppData\Local\Temp\hrlE235.tmp

Filesize
93KB

MD5
5549549cafc332e4ffb5048a5aa3be1b

SHA1
129e4b0c51f6639b76f7ec9cd9059b736cd5b771

SHA256
912728cd41d23ddfece0c0b85c3c2476c730be014b137c8cb8aae6f194d6bd8c

SHA512
b601a61f629a7e041eafa7e8056348246425d4bb182eb1cf6fa1c8496868550a076723ebf1581c274839681f4dd4373c4fc8d9abf491fd0931f40e66938527d7

Download Submit
\Windows\SysWOW64\hra33.dll

Filesize
100KB

MD5
7834e5f2d044622f78de7c9badead312

SHA1
ef98914c767b7a221bb0ba4f14f031fc9bda236d

SHA256
e11b1f26174bb8ccccc54f16e0a64bc2b6782ba970fd3cc06668e6f201f3ff60

SHA512
d714d36c334a87c0238e6a9767320c018dcae245e84ab14c49236f377fe05b035a0f3b7a711a0c43f2fae10a5931d778c98475152d69c7c62caee9654d2a75c0

Download Submit
memory/560-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/560-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1220-61-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/1220-62-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/1220-71-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/1220-72-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/1220-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/2000-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2000-65-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2000-66-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download