5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f

Analysis

max time kernel
190s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe
Size

170KB
MD5

3885f2cdedf7facbec539074330331ab
SHA1

00d27c8dd889dd03559d5ce37330a19b6fd6da22
SHA256

5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f
SHA512

a270c6743a27402ad381046f8c42ec0eb97678605a66b5f70e6c0d343811ed7098a8e978db1b300acee0c7b238ab411105f67e629218d800f89923b043bc0af3
SSDEEP

3072:4gXdZt9P6D3XJcMCFW8p9gyWDlnADWOTosCCLMAjPkbBvrELb8AHmqP:4e34fCFB9TWpnhOTOCLMEeZEL1H1P

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4872	rundll32.exe
2464	Rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google = "Rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Google\\lluixanq.dll,DllRegisterServer"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4872	rundll32.exe
4872	rundll32.exe
2464	Rundll32.exe
2464	Rundll32.exe
2464	Rundll32.exe
2464	Rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2464	Rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4872	5036	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	82
PID 5036 wrote to memory of 4872	5036	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	82
PID 5036 wrote to memory of 4872	5036	5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe	82
PID 4872 wrote to memory of 2464	4872	rundll32.exe	83
PID 4872 wrote to memory of 2464	4872	rundll32.exe	83
PID 4872 wrote to memory of 2464	4872	rundll32.exe	83

C:\Users\Admin\AppData\Local\Temp\5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe
"C:\Users\Admin\AppData\Local\Temp\5242a8c409113ffee59b6317aaa96ebe7f21485e88f5ca7065545ce5bc0b9d1f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nsp7A22.tmp\bgrjolsd.dll",DllRegisterServer
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe C:\Users\Admin\AppData\Local\Google\lluixanq.dll,DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\lluixanq.dll

Filesize
782KB

MD5
0617d89053acad4f0259b515b8ae42ee

SHA1
2c651d9f62d4cfb24997f02a860b2634ec815cac

SHA256
f64bcac34581e0ede38ab3e1d191c27a3651317de7f825162d7f4852756b1f32

SHA512
96961937a72a527ceb318d035ee711eadadc316627cbeec51728a7d9d1e20d6f54c80f03d320baa1a416e8f818fcf4c89d099268ef0e4aac2e0dae7857d15e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp7A22.tmp\bgrjolsd.dll

Filesize
782KB

MD5
0617d89053acad4f0259b515b8ae42ee

SHA1
2c651d9f62d4cfb24997f02a860b2634ec815cac

SHA256
f64bcac34581e0ede38ab3e1d191c27a3651317de7f825162d7f4852756b1f32

SHA512
96961937a72a527ceb318d035ee711eadadc316627cbeec51728a7d9d1e20d6f54c80f03d320baa1a416e8f818fcf4c89d099268ef0e4aac2e0dae7857d15e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp7A22.tmp\bgrjolsd.dll

Filesize
782KB

MD5
0617d89053acad4f0259b515b8ae42ee

SHA1
2c651d9f62d4cfb24997f02a860b2634ec815cac

SHA256
f64bcac34581e0ede38ab3e1d191c27a3651317de7f825162d7f4852756b1f32

SHA512
96961937a72a527ceb318d035ee711eadadc316627cbeec51728a7d9d1e20d6f54c80f03d320baa1a416e8f818fcf4c89d099268ef0e4aac2e0dae7857d15e52

Download Submit
memory/2464-137-0x0000000008730000-0x0000000008802000-memory.dmp

Filesize
840KB

Download
memory/2464-138-0x0000000008730000-0x0000000008802000-memory.dmp

Filesize
840KB

Download