Analysis

Max time kernel: 150s
Max time network: 159s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04/12/2022, 03:30

Behavioral task: behavioral1
Sample: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe
Resource: win7-20220901-en

General

Target: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe
Size: 100KB
MD5: 1a6c10251af8011d7f32f62ada1c1910
SHA1: fe67092b62c9b5ef931c5685592cef65c03ffb17
SHA256: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e
SHA512: b25000222fcf64f2d48e4612c7a63988a4ca8e3884a6c1f2cf9e627ae3d484bce7360f7531cdaa65501491d0581e8cdf2c9e046c6dd5dad56022614449c64f7f
SSDEEP: 3072:U4yxy7cLKlWQokhrPb/uR1B+JT/L9Vq2G:U4yxe4KIG4+Jv9VG
Malware Config

Signatures

UAC bypass
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe)

YARA rule match: upx
  Resource: behavioral2/memory/3612-135-0x0000000000400000-0x000000000041B000-memory.dmp (yara_rule: upx)

Loads dropped DLL (7 IoCs)
  PID 4012 rundll32.exe
  PID 4244 rundll32.exe
  PID 2092 rundll32.exe
  PID 4012 rundll32.exe
  PID 4012 rundll32.exe
  PID 4244 rundll32.exe
  PID 4244 rundll32.exe

Drops file in System32 directory (1 IoCs)
  File created: C:\Windows\SysWOW64\whhfd028.ocx (process: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe)

Drops file in Program Files directory (4 IoCs)
  File created: C:\Program Files\Common Files\whh02039.ocx (process: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe)
  File opened for modification: C:\Program Files\Common Files\whh02039.ocx (process: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe)
  File created: C:\Program Files\Common Files\0E5680DDce.dll (process: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe)
  File opened for modification: C:\Program Files\Common Files\0E5680DDce.dll (process: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2092 rundll32.exe
  PID 2092 rundll32.exe
  PID 2092 rundll32.exe
  PID 2092 rundll32.exe
  PID 2092 rundll32.exe
  PID 2092 rundll32.exe

Suspicious behavior: LoadsDriver (2 IoCs)
  PID 4012 rundll32.exe
  PID 660 Process not Found

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeLoadDriverPrivilege (PID 4012 rundll32.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3612 wrote to memory of 4244 (pid 3612, d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe, procid_target 80)
  PID 3612 wrote to memory of 4244 (pid 3612, d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe, procid_target 80)
  PID 3612 wrote to memory of 4244 (pid 3612, d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe, procid_target 80)
  PID 3612 wrote to memory of 4012 (pid 3612, d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe, procid_target 81)
  PID 3612 wrote to memory of 4012 (pid 3612, d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe, procid_target 81)
  PID 3612 wrote to memory of 4012 (pid 3612, d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe, procid_target 81)
  PID 3612 wrote to memory of 2092 (pid 3612, d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe, procid_target 82)
  PID 3612 wrote to memory of 2092 (pid 3612, d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe, procid_target 82)
  PID 3612 wrote to memory of 2092 (pid 3612, d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe, procid_target 82)

System policy modification (1 TTPs, 1 IoCs)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe"
  PID: 3612
  - UAC bypass
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe "C:\Windows\system32\whhfd028.ocx" InstallSvr0
    PID: 4244
    - Loads dropped DLL

  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe "C:\Program Files\Common Files\0E5680DDce.dll" InstallSvr3
    PID: 4012
    - Loads dropped DLL
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe "C:\Program Files\Common Files\whh02039.ocx" InstallSvr1 C:\Users\Admin\AppData\Local\Temp\d7c18f72801291b27f5123aeb9419764c2eb9b62dcfd4dc99ddd6dd0c7ec727e.exe
    PID: 2092
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 6KB
MD5: 6fb92d25078bfff1c215229067b5beaa
SHA1: 3d9a6f564f492b30981359bbcee5f9e02536e3be
SHA256: 5ce7c2eb8860f172dd5b68cd94307b6665f6785b207d936577bbaab196b61f33
SHA512: 9cf0b61f7e618df406104685158cf877ca892e7847a3c2efed3ea4a2fb08384cc0bc492cb1ea366d1b181f79a6014fe7b95ba7ed2c15744317187be080f77b24
Filesize: 55KB
MD5: a271a637b39a9c6ce04c68136c3ec022
SHA1: 1ef0a9ed4347927a4bf7dc7860ff5864b8a8c106
SHA256: dcd79f7ba6f911261c27428da03ec0aed0b2e743e69e17195f2c1aef93285754
SHA512: 84032f79ae9d3c3c2f4823fea1841dc4c4c4852a824006fb1ae674e0a2079824c6673650ef4dd8c1151dfea2038329cbfabbcc02cd8d170e4bbfaae5b0fee345
Filesize: 11KB
MD5: 6b51354fb017488210e58687462ee83e
SHA1: d3623503867948285e9d4741f058d693decd1c17
SHA256: 5707e445eeca460f2e7f320d5c99eaf7840fd94632638d48e65d66a66a4ba715
SHA512: ddcbdbd7728899eaa93d3773e600b79248e1af266a27721e6018c28430482ceb1116779416bb04983f5a8730b2a981f08db32e405a6da635500a9b2a78701406