b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310

General

Target

b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe
Size

126KB
MD5

32e67e9cc0da37d4cd41b6a23d164cf7
SHA1

fc47a280f2b010b797be4d1465d177884e86a255
SHA256

b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310
SHA512

fb903c8b222ace3c724e936a8e1ec8673c8239479f325a120e3e4742f436464338722a0ca450f025769ec87f29dfa8e1d595c19bf63459f9ab64df7839688f75
SSDEEP

3072:B19UwRBemNc/X2dT+06Qt4njXDto19UrAlps1q:Bc5N/XkT+ZQtZ19

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1372	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
2028	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe
1372	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kqusp = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kqusp.dll\",AssembleShader"	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1372	2028	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe	27
PID 2028 wrote to memory of 1372	2028	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe	27
PID 2028 wrote to memory of 1372	2028	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe	27
PID 2028 wrote to memory of 1372	2028	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe	27
PID 2028 wrote to memory of 1372	2028	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe	27
PID 2028 wrote to memory of 1372	2028	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe	27
PID 2028 wrote to memory of 1372	2028	b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe	27

C:\Users\Admin\AppData\Local\Temp\b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe
"C:\Users\Admin\AppData\Local\Temp\b7116123fd1d6434bd1ee2bc89ef7de150f50afea238cace95ac04940b9e7310.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\kqusp.dll",CreatePRTBufferTex
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kqusp.dll

Filesize
126KB

MD5
6972bb1489453610f6351ae82544bc34

SHA1
e84e5162d4f06e52bf9ee7d040e9b4f675c75298

SHA256
af648c9665fe5323a0572099cc7ff3b7bdfc891cfd793401b20269b7b00f35bb

SHA512
a7ca112f3514d1f97f31a9e1f0dda7ec8f7f183ea3c098ec1e2e8561ec49dd397de90e3534c6b0bbcb9864af7e26fc279f8175badea4870c8a3d904697e3e24f

Download Submit
\Users\Admin\AppData\Local\Temp\kqusp.dll

Filesize
126KB

MD5
6972bb1489453610f6351ae82544bc34

SHA1
e84e5162d4f06e52bf9ee7d040e9b4f675c75298

SHA256
af648c9665fe5323a0572099cc7ff3b7bdfc891cfd793401b20269b7b00f35bb

SHA512
a7ca112f3514d1f97f31a9e1f0dda7ec8f7f183ea3c098ec1e2e8561ec49dd397de90e3534c6b0bbcb9864af7e26fc279f8175badea4870c8a3d904697e3e24f

Download Submit
\Users\Admin\AppData\Local\Temp\kqusp.dll

Filesize
126KB

MD5
6972bb1489453610f6351ae82544bc34

SHA1
e84e5162d4f06e52bf9ee7d040e9b4f675c75298

SHA256
af648c9665fe5323a0572099cc7ff3b7bdfc891cfd793401b20269b7b00f35bb

SHA512
a7ca112f3514d1f97f31a9e1f0dda7ec8f7f183ea3c098ec1e2e8561ec49dd397de90e3534c6b0bbcb9864af7e26fc279f8175badea4870c8a3d904697e3e24f

Download Submit
\Users\Admin\AppData\Local\Temp\kqusp.dll

Filesize
126KB

MD5
6972bb1489453610f6351ae82544bc34

SHA1
e84e5162d4f06e52bf9ee7d040e9b4f675c75298

SHA256
af648c9665fe5323a0572099cc7ff3b7bdfc891cfd793401b20269b7b00f35bb

SHA512
a7ca112f3514d1f97f31a9e1f0dda7ec8f7f183ea3c098ec1e2e8561ec49dd397de90e3534c6b0bbcb9864af7e26fc279f8175badea4870c8a3d904697e3e24f

Download Submit
\Users\Admin\AppData\Local\Temp\kqusp.dll

Filesize
126KB

MD5
6972bb1489453610f6351ae82544bc34

SHA1
e84e5162d4f06e52bf9ee7d040e9b4f675c75298

SHA256
af648c9665fe5323a0572099cc7ff3b7bdfc891cfd793401b20269b7b00f35bb

SHA512
a7ca112f3514d1f97f31a9e1f0dda7ec8f7f183ea3c098ec1e2e8561ec49dd397de90e3534c6b0bbcb9864af7e26fc279f8175badea4870c8a3d904697e3e24f

Download Submit
\Users\Admin\AppData\Local\Temp\kqusp.dll

Filesize
126KB

MD5
6972bb1489453610f6351ae82544bc34

SHA1
e84e5162d4f06e52bf9ee7d040e9b4f675c75298

SHA256
af648c9665fe5323a0572099cc7ff3b7bdfc891cfd793401b20269b7b00f35bb

SHA512
a7ca112f3514d1f97f31a9e1f0dda7ec8f7f183ea3c098ec1e2e8561ec49dd397de90e3534c6b0bbcb9864af7e26fc279f8175badea4870c8a3d904697e3e24f

Download Submit
memory/1372-76-0x0000000000260000-0x0000000000282000-memory.dmp

Filesize
136KB

Download
memory/1372-80-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download
memory/1372-81-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download
memory/2028-67-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/2028-66-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/2028-62-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2028-56-0x00000000002C0000-0x00000000002E2000-memory.dmp

Filesize
136KB

Download
memory/2028-55-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing