f958c1ea9160ebb3d6805ef6fe553c42ca61e9c1a3697bc408341301803e77c8

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f958c1ea9160ebb3d6805ef6fe553c42ca61e9c1a3697bc408341301803e77c8.dll
Size

34KB
MD5

115d368a51b06404d3d0e2fb46aac65a
SHA1

fe19bd287a693b40fd7c8c14cdd627f79460e349
SHA256

f958c1ea9160ebb3d6805ef6fe553c42ca61e9c1a3697bc408341301803e77c8
SHA512

1e00b13a4e444eeaab4b09d928bceaaf861d10738c876347736be2cbacc28fed987e2d30b4e8dab736f6091dc5ba37e7e1f87f763a1dd53e42d158fa1dd06808
SSDEEP

768:A34nRoRqjFwX/Hf8wHj41lpVfn0UaEauU+75S0LIlZ2ja:84aRqhwX3ND41TWUmh+75SoIPwa

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
32	1136	rundll32.exe
34	1136	rundll32.exe
35	1136	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4876	rundll32.exe
4876	rundll32.exe
1136	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\ssqNGYqQ.dll,#1"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ssqNGYqQ.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ssqNGYqQ.dll	rundll32.exe
File created	C:\Windows\SysWOW64\hgGaAqol.dll	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\ssqNGYqQ.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4876	rundll32.exe
4876	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe
1136	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4876	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4876	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 4876	1588	rundll32.exe	80
PID 1588 wrote to memory of 4876	1588	rundll32.exe	80
PID 1588 wrote to memory of 4876	1588	rundll32.exe	80
PID 4876 wrote to memory of 612	4876	rundll32.exe	4
PID 4876 wrote to memory of 1136	4876	rundll32.exe	88
PID 4876 wrote to memory of 1136	4876	rundll32.exe	88
PID 4876 wrote to memory of 1136	4876	rundll32.exe	88
PID 1136 wrote to memory of 3748	1136	rundll32.exe	89
PID 1136 wrote to memory of 3748	1136	rundll32.exe	89
PID 1136 wrote to memory of 3748	1136	rundll32.exe	89

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f958c1ea9160ebb3d6805ef6fe553c42ca61e9c1a3697bc408341301803e77c8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f958c1ea9160ebb3d6805ef6fe553c42ca61e9c1a3697bc408341301803e77c8.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\ssqNGYqQ.dll,a
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Windows\system32\hgGaAqol.dll",s
      4⤵
      PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hgGaAqol.dll

Filesize
41KB

MD5
069e7dc833a0fd0ca182f24c278c4f23

SHA1
76960494f4f84abd569d905bbc6346c32cddee30

SHA256
85f7221d3294f5b8bc960ba2cac02c102af319d59fd90bed30f362dad2cf2549

SHA512
0ee565dab3a488e704c489b64c0e4c70d45fac3bfc2586955d57192185c09a9a5f89d079063c1d49003e381ae6d1860ec077cb403bccf18218914fc366045ca6

Download Submit
C:\Windows\SysWOW64\ssqNGYqQ.dll

Filesize
34KB

MD5
115d368a51b06404d3d0e2fb46aac65a

SHA1
fe19bd287a693b40fd7c8c14cdd627f79460e349

SHA256
f958c1ea9160ebb3d6805ef6fe553c42ca61e9c1a3697bc408341301803e77c8

SHA512
1e00b13a4e444eeaab4b09d928bceaaf861d10738c876347736be2cbacc28fed987e2d30b4e8dab736f6091dc5ba37e7e1f87f763a1dd53e42d158fa1dd06808

Download Submit
C:\Windows\SysWOW64\ssqNGYqQ.dll

Filesize
34KB

MD5
115d368a51b06404d3d0e2fb46aac65a

SHA1
fe19bd287a693b40fd7c8c14cdd627f79460e349

SHA256
f958c1ea9160ebb3d6805ef6fe553c42ca61e9c1a3697bc408341301803e77c8

SHA512
1e00b13a4e444eeaab4b09d928bceaaf861d10738c876347736be2cbacc28fed987e2d30b4e8dab736f6091dc5ba37e7e1f87f763a1dd53e42d158fa1dd06808

Download Submit
C:\Windows\SysWOW64\ssqNGYqQ.dll

Filesize
34KB

MD5
115d368a51b06404d3d0e2fb46aac65a

SHA1
fe19bd287a693b40fd7c8c14cdd627f79460e349

SHA256
f958c1ea9160ebb3d6805ef6fe553c42ca61e9c1a3697bc408341301803e77c8

SHA512
1e00b13a4e444eeaab4b09d928bceaaf861d10738c876347736be2cbacc28fed987e2d30b4e8dab736f6091dc5ba37e7e1f87f763a1dd53e42d158fa1dd06808

Download Submit
C:\Windows\SysWOW64\ssqNGYqQ.dll

Filesize
34KB

MD5
115d368a51b06404d3d0e2fb46aac65a

SHA1
fe19bd287a693b40fd7c8c14cdd627f79460e349

SHA256
f958c1ea9160ebb3d6805ef6fe553c42ca61e9c1a3697bc408341301803e77c8

SHA512
1e00b13a4e444eeaab4b09d928bceaaf861d10738c876347736be2cbacc28fed987e2d30b4e8dab736f6091dc5ba37e7e1f87f763a1dd53e42d158fa1dd06808

Download Submit
memory/1136-145-0x0000000000EB0000-0x0000000000EB5000-memory.dmp

Filesize
20KB

Download
memory/1136-144-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4876-138-0x00000000028A0000-0x00000000028B4000-memory.dmp

Filesize
80KB

Download
memory/4876-139-0x0000000000FA0000-0x0000000000FA5000-memory.dmp

Filesize
20KB

Download
memory/4876-140-0x0000000000E80000-0x0000000000E85000-memory.dmp

Filesize
20KB

Download
memory/4876-137-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4876-134-0x0000000000E80000-0x0000000000E85000-memory.dmp

Filesize
20KB

Download
memory/4876-133-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download