cd1c750cd10f9768c7552627c9c76e62c4f164bb958c5b9a5066707af9d23550

General

Target

cd1c750cd10f9768c7552627c9c76e62c4f164bb958c5b9a5066707af9d23550.dll
Size

64KB
MD5

3746f30b531d9f3a017cf1a73e7d8060
SHA1

51cad0a3d23d32a9ac92cf7ca6edc5151e16b462
SHA256

cd1c750cd10f9768c7552627c9c76e62c4f164bb958c5b9a5066707af9d23550
SHA512

79a1ca45a34ffab00ce97cfb51bd8b4bbee4387e8dd2b8bca5c516bffa5283f7da605a17f22e67c0722f7009bfb471453613bc1abb14d470b21225c1684cb39d
SSDEEP

1536:Gm46BS7LL18Uo9yHSmdmzwGkbr3kM+IxODZiqWiYVhvBsWqLJ7ERJyq8uhgDAw87:GMBon18ryHSqB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1920	hrlE15.tmp
1952	gemuas.exe

Loads dropped DLL 2 IoCs

pid	Process
780	rundll32.exe
780	rundll32.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gemuas.exe	hrlE15.tmp
File opened for modification	C:\Windows\SysWOW64\gemuas.exe	hrlE15.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 1980	1952	gemuas.exe	30

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 900 wrote to memory of 780	900	rundll32.exe	27
PID 780 wrote to memory of 1920	780	rundll32.exe	28
PID 780 wrote to memory of 1920	780	rundll32.exe	28
PID 780 wrote to memory of 1920	780	rundll32.exe	28
PID 780 wrote to memory of 1920	780	rundll32.exe	28
PID 1952 wrote to memory of 1980	1952	gemuas.exe	30
PID 1952 wrote to memory of 1980	1952	gemuas.exe	30
PID 1952 wrote to memory of 1980	1952	gemuas.exe	30
PID 1952 wrote to memory of 1980	1952	gemuas.exe	30
PID 1952 wrote to memory of 1980	1952	gemuas.exe	30
PID 1952 wrote to memory of 1980	1952	gemuas.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd1c750cd10f9768c7552627c9c76e62c4f164bb958c5b9a5066707af9d23550.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd1c750cd10f9768c7552627c9c76e62c4f164bb958c5b9a5066707af9d23550.dll,#1
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\hrlE15.tmp
    C:\Users\Admin\AppData\Local\Temp\hrlE15.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1920

C:\Windows\SysWOW64\gemuas.exe
C:\Windows\SysWOW64\gemuas.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlE15.tmp

Filesize
38KB

MD5
7f0d34d040b495d00901ef4d34bd67d4

SHA1
d776c1703723dcee77c1ea8a33de6aff9273fe03

SHA256
953069a5332c058224df36634c8e887557a0d6e023bb2bbeda32bf054fe63d6f

SHA512
8f1da9ef9d3ecf8a319eb0e9568b61b45599be7b8b85f6d5a40783546db5688d5c8e6475a4e3a88088c6be004822d08d5a5a938592bf7a85c77067688b781106

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlE15.tmp

Filesize
38KB

MD5
7f0d34d040b495d00901ef4d34bd67d4

SHA1
d776c1703723dcee77c1ea8a33de6aff9273fe03

SHA256
953069a5332c058224df36634c8e887557a0d6e023bb2bbeda32bf054fe63d6f

SHA512
8f1da9ef9d3ecf8a319eb0e9568b61b45599be7b8b85f6d5a40783546db5688d5c8e6475a4e3a88088c6be004822d08d5a5a938592bf7a85c77067688b781106

Download Submit
C:\Windows\SysWOW64\gemuas.exe

Filesize
38KB

MD5
7f0d34d040b495d00901ef4d34bd67d4

SHA1
d776c1703723dcee77c1ea8a33de6aff9273fe03

SHA256
953069a5332c058224df36634c8e887557a0d6e023bb2bbeda32bf054fe63d6f

SHA512
8f1da9ef9d3ecf8a319eb0e9568b61b45599be7b8b85f6d5a40783546db5688d5c8e6475a4e3a88088c6be004822d08d5a5a938592bf7a85c77067688b781106

Download Submit
C:\Windows\SysWOW64\gemuas.exe

Filesize
38KB

MD5
7f0d34d040b495d00901ef4d34bd67d4

SHA1
d776c1703723dcee77c1ea8a33de6aff9273fe03

SHA256
953069a5332c058224df36634c8e887557a0d6e023bb2bbeda32bf054fe63d6f

SHA512
8f1da9ef9d3ecf8a319eb0e9568b61b45599be7b8b85f6d5a40783546db5688d5c8e6475a4e3a88088c6be004822d08d5a5a938592bf7a85c77067688b781106

Download Submit
\Users\Admin\AppData\Local\Temp\hrlE15.tmp

Filesize
38KB

MD5
7f0d34d040b495d00901ef4d34bd67d4

SHA1
d776c1703723dcee77c1ea8a33de6aff9273fe03

SHA256
953069a5332c058224df36634c8e887557a0d6e023bb2bbeda32bf054fe63d6f

SHA512
8f1da9ef9d3ecf8a319eb0e9568b61b45599be7b8b85f6d5a40783546db5688d5c8e6475a4e3a88088c6be004822d08d5a5a938592bf7a85c77067688b781106

Download Submit
\Users\Admin\AppData\Local\Temp\hrlE15.tmp

Filesize
38KB

MD5
7f0d34d040b495d00901ef4d34bd67d4

SHA1
d776c1703723dcee77c1ea8a33de6aff9273fe03

SHA256
953069a5332c058224df36634c8e887557a0d6e023bb2bbeda32bf054fe63d6f

SHA512
8f1da9ef9d3ecf8a319eb0e9568b61b45599be7b8b85f6d5a40783546db5688d5c8e6475a4e3a88088c6be004822d08d5a5a938592bf7a85c77067688b781106

Download Submit
memory/780-55-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1980-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1980-65-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing