82bccb6476a650468604313f2e029898e1907e1d8f9d91afd95f253c14ca5340

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 02:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82bccb6476a650468604313f2e029898e1907e1d8f9d91afd95f253c14ca5340.dll
Size

34KB
MD5

ef32572d95435530dd693f5d61759fe2
SHA1

5e1c9684a6b2cb9db8f23de939c0547f152953be
SHA256

82bccb6476a650468604313f2e029898e1907e1d8f9d91afd95f253c14ca5340
SHA512

f3dc14efabccb409749a88d11b2a89fdf792e9c37c778da22354a87b706a1a7506e5e079c13f408e6e30f392d3dc47df0572859f030b76ec38b228d1d8ad33e4
SSDEEP

768:72SSHDBM8RehIfAMN+z2flaz/7jXOpkRUi+qS8flCBhW3:7BSHlM8Yy++UzXOpaU0S8flKhk

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
33	1248	rundll32.exe
35	1248	rundll32.exe
36	1248	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4232	rundll32.exe
4232	rundll32.exe
1248	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\khfFVMdE.dll,#1"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\khfFVMdE.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\khfFVMdE.dll	rundll32.exe
File created	C:\Windows\SysWOW64\gebbaAPF.dll	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\khfFVMdE.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4232	rundll32.exe
4232	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4232	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4232	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 4232	4496	rundll32.exe	81
PID 4496 wrote to memory of 4232	4496	rundll32.exe	81
PID 4496 wrote to memory of 4232	4496	rundll32.exe	81
PID 4232 wrote to memory of 604	4232	rundll32.exe	5
PID 4232 wrote to memory of 1248	4232	rundll32.exe	87
PID 4232 wrote to memory of 1248	4232	rundll32.exe	87
PID 4232 wrote to memory of 1248	4232	rundll32.exe	87
PID 1248 wrote to memory of 1308	1248	rundll32.exe	89
PID 1248 wrote to memory of 1308	1248	rundll32.exe	89
PID 1248 wrote to memory of 1308	1248	rundll32.exe	89

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\82bccb6476a650468604313f2e029898e1907e1d8f9d91afd95f253c14ca5340.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\82bccb6476a650468604313f2e029898e1907e1d8f9d91afd95f253c14ca5340.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\khfFVMdE.dll,a
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\gebbaAPF.dll",s
      4⤵
      PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\gebbaAPF.dll

Filesize
41KB

MD5
45cd6461a06ea34bde566157e21032a6

SHA1
3ff33c4b53d640b0c169d3ef4155f2bb3a91b43f

SHA256
4db32d42858b3aad989f6e0928500a6ef138c06bc5a31f552a9c56c0630753e9

SHA512
09ed6f93a54f7bddede0b76651d3c3fffd322f6ef18a14e9d6bb8308c0ff281ad43d2b6bf8d3d94665be34abebb40ea120f8455577bbf2017f30256833a6c986

Download Submit
C:\Windows\SysWOW64\khfFVMdE.dll

Filesize
34KB

MD5
ef32572d95435530dd693f5d61759fe2

SHA1
5e1c9684a6b2cb9db8f23de939c0547f152953be

SHA256
82bccb6476a650468604313f2e029898e1907e1d8f9d91afd95f253c14ca5340

SHA512
f3dc14efabccb409749a88d11b2a89fdf792e9c37c778da22354a87b706a1a7506e5e079c13f408e6e30f392d3dc47df0572859f030b76ec38b228d1d8ad33e4

Download Submit
C:\Windows\SysWOW64\khfFVMdE.dll

Filesize
34KB

MD5
ef32572d95435530dd693f5d61759fe2

SHA1
5e1c9684a6b2cb9db8f23de939c0547f152953be

SHA256
82bccb6476a650468604313f2e029898e1907e1d8f9d91afd95f253c14ca5340

SHA512
f3dc14efabccb409749a88d11b2a89fdf792e9c37c778da22354a87b706a1a7506e5e079c13f408e6e30f392d3dc47df0572859f030b76ec38b228d1d8ad33e4

Download Submit
C:\Windows\SysWOW64\khfFVMdE.dll

Filesize
34KB

MD5
ef32572d95435530dd693f5d61759fe2

SHA1
5e1c9684a6b2cb9db8f23de939c0547f152953be

SHA256
82bccb6476a650468604313f2e029898e1907e1d8f9d91afd95f253c14ca5340

SHA512
f3dc14efabccb409749a88d11b2a89fdf792e9c37c778da22354a87b706a1a7506e5e079c13f408e6e30f392d3dc47df0572859f030b76ec38b228d1d8ad33e4

Download Submit
C:\Windows\SysWOW64\khfFVMdE.dll

Filesize
34KB

MD5
ef32572d95435530dd693f5d61759fe2

SHA1
5e1c9684a6b2cb9db8f23de939c0547f152953be

SHA256
82bccb6476a650468604313f2e029898e1907e1d8f9d91afd95f253c14ca5340

SHA512
f3dc14efabccb409749a88d11b2a89fdf792e9c37c778da22354a87b706a1a7506e5e079c13f408e6e30f392d3dc47df0572859f030b76ec38b228d1d8ad33e4

Download Submit
memory/1248-144-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1248-145-0x00000000001C0000-0x00000000001C5000-memory.dmp

Filesize
20KB

Download
memory/4232-138-0x00000000011D0000-0x00000000011E4000-memory.dmp

Filesize
80KB

Download
memory/4232-139-0x0000000002A30000-0x0000000002A35000-memory.dmp

Filesize
20KB

Download
memory/4232-140-0x0000000000BB0000-0x0000000000BB5000-memory.dmp

Filesize
20KB

Download
memory/4232-135-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4232-134-0x0000000000BB0000-0x0000000000BB5000-memory.dmp

Filesize
20KB

Download
memory/4232-133-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download