Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2022, 03:30

General

  • Target

    d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe

  • Size

    100KB

  • MD5

    1a6c10251af8011d7f32f62ada1c1910

  • SHA1

    fe67092b62c9b5ef931c5685592cef65c03ffb17

  • SHA256

    d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e

  • SHA512

    b25000222fcf64f2d48e4612c7a63988a4ca8e3884a6c1f2cf9e627ae3d484bce7360f7531cdaa65501491d0581e8cdf2c9e046c6dd5dad56022614449c64f7f

  • SSDEEP

    3072:U4yxy7cLKlWQokhrPb/uR1B+JT/L9Vq2G:U4yxe4KIG4+Jv9VG

Score
10/10

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe
    "C:\Users\Admin\AppData\Local\Temp\d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe"
    1⤵
    • UAC bypass
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3612
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\whhfd028.ocx" InstallSvr0
      2⤵
      • Loads dropped DLL
      PID:4244
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Program Files\Common Files\0E5680DDce.dll" InstallSvr3
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:4012
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Program Files\Common Files\whh02039.ocx" InstallSvr1 C:\Users\Admin\AppData\Local\Temp\d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2092

Network

        Downloads

        • C:\Program Files\Common Files\0E5680DDce.dll

          Filesize

          6KB

          MD5

          6fb92d25078bfff1c215229067b5beaa

          SHA1

          3d9a6f564f492b30981359bbcee5f9e02536e3be

          SHA256

          5ce7c2eb8860f172dd5b68cd94307b6665f6785b207d936577bbaab196b61f33

          SHA512

          9cf0b61f7e618df406104685158cf877ca892e7847a3c2efed3ea4a2fb08384cc0bc492cb1ea366d1b181f79a6014fe7b95ba7ed2c15744317187be080f77b24

        • C:\Program Files\Common Files\whh02039.ocx

          Filesize

          55KB

          MD5

          a271a637b39a9c6ce04c68136c3ec022

          SHA1

          1ef0a9ed4347927a4bf7dc7860ff5864b8a8c106

          SHA256

          dcd79f7ba6f911261c27428da03ec0aed0b2e743e69e17195f2c1aef93285754

          SHA512

          84032f79ae9d3c3c2f4823fea1841dc4c4c4852a824006fb1ae674e0a2079824c6673650ef4dd8c1151dfea2038329cbfabbcc02cd8d170e4bbfaae5b0fee345

        • C:\Windows\SysWOW64\whhfd028.ocx

          Filesize

          11KB

          MD5

          6b51354fb017488210e58687462ee83e

          SHA1

          d3623503867948285e9d4741f058d693decd1c17

          SHA256

          5707e445eeca460f2e7f320d5c99eaf7840fd94632638d48e65d66a66a4ba715

          SHA512

          ddcbdbd7728899eaa93d3773e600b79248e1af266a27721e6018c28430482ceb1116779416bb04983f5a8730b2a981f08db32e405a6da635500a9b2a78701406

        • memory/2092-150-0x0000000010000000-0x0000000010013000-memory.dmp

          Filesize

          76KB

        • memory/3612-135-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

        • memory/4012-144-0x0000000002550000-0x0000000002563000-memory.dmp

          Filesize

          76KB

        • memory/4012-148-0x0000000010000000-0x0000000010005000-memory.dmp

          Filesize

          20KB

        • memory/4012-151-0x0000000002550000-0x0000000002563000-memory.dmp

          Filesize

          76KB

        • memory/4244-147-0x0000000000D50000-0x0000000000D63000-memory.dmp

          Filesize

          76KB

        • memory/4244-149-0x0000000010000000-0x0000000010007000-memory.dmp

          Filesize

          28KB

        • memory/4244-152-0x0000000000D50000-0x0000000000D63000-memory.dmp

          Filesize

          76KB