Analysis

max time kernel: 139s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/12/2022, 00:15
Static task: static1
Behavioral task: behavioral1
Sample: 5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90.dll
Resource: win7-20221111-en
General

Target: 5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90.dll
Size: 140KB
MD5: 035dda146051417ca897caa0282435d0
SHA1: d4e365c7fa51ead1a3218eada4cfc295501cd165
SHA256: 5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90
SHA512: 783acad010ebff23acf69c8e5df3593d4bd80cc2544fa2692bffa9f38a7f212cf7657b6387fb910b9ec36e923dae407f163e8ff5a5345c8f74e2acfdc68e009a
SSDEEP: 3072:qZMMrEQoS2ymTSUmdngNBTMPo7GACZTJIO2eRq8QpKlzIPOs2zLoRCyI:MMK6mdg7MPCGxJ43KSPSLoRm
Malware Config
Signatures

Loads dropped DLL (1 IoC)
pid | Process
3868 | rundll32.exe

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{de4a744f-745b-46c7-9e4f-5cddcda72b4c} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{de4a744f-745b-46c7-9e4f-5cddcda72b4c}\ = "{c4b27adc-ddc5-f4e9-7c64-b547f447a4ed}" | rundll32.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\mxnqwy.dll | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\mxnqwy.dll | rundll32.exe

Modifies registry class (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{de4a744f-745b-46c7-9e4f-5cddcda72b4c}\InprocServer32 | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{de4a744f-745b-46c7-9e4f-5cddcda72b4c} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{de4a744f-745b-46c7-9e4f-5cddcda72b4c}\InprocServer32\ = "C:\\Windows\\SysWow64\\mxnqwy.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{de4a744f-745b-46c7-9e4f-5cddcda72b4c}\InprocServer32\ThreadingModel = "free" | rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2492 wrote to memory of 2956 | 2492 | rundll32.exe | 79
PID 2492 wrote to memory of 2956 | 2492 | rundll32.exe | 79
PID 2492 wrote to memory of 2956 | 2492 | rundll32.exe | 79
PID 2956 wrote to memory of 3868 | 2956 | rundll32.exe | 80
PID 2956 wrote to memory of 3868 | 2956 | rundll32.exe | 80
PID 2956 wrote to memory of 3868 | 2956 | rundll32.exe | 80
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90.dll,#1
   PID: 2492
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90.dll,#1
      PID: 2956
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32.exe "C:\Windows\system32\mxnqwy.dll",i
         PID: 3868
         - Loads dropped DLL
         - Installs/modifies Browser Helper Object
         - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 140KB
MD5: 035dda146051417ca897caa0282435d0
SHA1: d4e365c7fa51ead1a3218eada4cfc295501cd165
SHA256: 5537a9a58bd5f81fef7c51b0f153bc1526bf67910af90bedfc5927542d0eef90
SHA512: 783acad010ebff23acf69c8e5df3593d4bd80cc2544fa2692bffa9f38a7f212cf7657b6387fb910b9ec36e923dae407f163e8ff5a5345c8f74e2acfdc68e009a