3995a9a2bcd8da259d9df6a8b0b4615dfb0c3236f8fd0ab0c65d034e3d506396

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 11:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3995a9a2bcd8da259d9df6a8b0b4615dfb0c3236f8fd0ab0c65d034e3d506396.dll
Size

73KB
MD5

77e94c42e5cda17d1022d780a93d2a98
SHA1

50b60b4368dbaffd3ff186fc47f763cfaa27293a
SHA256

3995a9a2bcd8da259d9df6a8b0b4615dfb0c3236f8fd0ab0c65d034e3d506396
SHA512

9c0c9b4fcbf43093f3cd716e5bb02568af1808fe7342de473630449c2112658716be9b068450a5130b3d16acdf97b86eb6c23310a4e4db1962108a7be65807db
SSDEEP

1536:omVJdMmJyDl+t7LZpoWyHjmgQifdsW9Uz2X+Ox:ogJuIyDCZRyHj9QGiqUCu+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
968	hrlE9A4.tmp
1532	rcflye.exe

Loads dropped DLL 3 IoCs

pid	Process
916	rundll32.exe
916	rundll32.exe
1532	rcflye.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	rcflye.exe
File opened (read-only)	\??\U:	rcflye.exe
File opened (read-only)	\??\V:	rcflye.exe
File opened (read-only)	\??\X:	rcflye.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\I:	rcflye.exe
File opened (read-only)	\??\E:	rcflye.exe
File opened (read-only)	\??\Q:	rcflye.exe
File opened (read-only)	\??\S:	rcflye.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\F:	rcflye.exe
File opened (read-only)	\??\M:	rcflye.exe
File opened (read-only)	\??\T:	rcflye.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\W:	rcflye.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\N:	rcflye.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\G:	rcflye.exe
File opened (read-only)	\??\J:	rcflye.exe
File opened (read-only)	\??\K:	rcflye.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\H:	rcflye.exe
File opened (read-only)	\??\L:	rcflye.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\R:	rcflye.exe
File opened (read-only)	\??\Y:	rcflye.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Z:	rcflye.exe
File opened (read-only)	\??\O:	rcflye.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rcflye.exe	hrlE9A4.tmp
File opened for modification	C:\Windows\SysWOW64\rcflye.exe	hrlE9A4.tmp
File created	C:\Windows\SysWOW64\hra33.dll	rcflye.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lpk.dll	rcflye.exe
File opened for modification	C:\Program Files\7-Zip\lpk.dll	rcflye.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
968	hrlE9A4.tmp
1532	rcflye.exe

Suspicious behavior: MapViewOfSection 49 IoCs

pid	Process
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
968	hrlE9A4.tmp
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe
1532	rcflye.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	hrlE9A4.tmp
Token: SeDebugPrivilege	1532	rcflye.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
968	hrlE9A4.tmp
968	hrlE9A4.tmp
1532	rcflye.exe
1532	rcflye.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 916	1848	rundll32.exe	28
PID 1848 wrote to memory of 916	1848	rundll32.exe	28
PID 1848 wrote to memory of 916	1848	rundll32.exe	28
PID 1848 wrote to memory of 916	1848	rundll32.exe	28
PID 1848 wrote to memory of 916	1848	rundll32.exe	28
PID 1848 wrote to memory of 916	1848	rundll32.exe	28
PID 1848 wrote to memory of 916	1848	rundll32.exe	28
PID 916 wrote to memory of 968	916	rundll32.exe	29
PID 916 wrote to memory of 968	916	rundll32.exe	29
PID 916 wrote to memory of 968	916	rundll32.exe	29
PID 916 wrote to memory of 968	916	rundll32.exe	29
PID 968 wrote to memory of 368	968	hrlE9A4.tmp	25
PID 968 wrote to memory of 368	968	hrlE9A4.tmp	25
PID 968 wrote to memory of 368	968	hrlE9A4.tmp	25
PID 968 wrote to memory of 368	968	hrlE9A4.tmp	25
PID 968 wrote to memory of 368	968	hrlE9A4.tmp	25
PID 968 wrote to memory of 368	968	hrlE9A4.tmp	25
PID 968 wrote to memory of 368	968	hrlE9A4.tmp	25
PID 968 wrote to memory of 384	968	hrlE9A4.tmp	4
PID 968 wrote to memory of 384	968	hrlE9A4.tmp	4
PID 968 wrote to memory of 384	968	hrlE9A4.tmp	4
PID 968 wrote to memory of 384	968	hrlE9A4.tmp	4
PID 968 wrote to memory of 384	968	hrlE9A4.tmp	4
PID 968 wrote to memory of 384	968	hrlE9A4.tmp	4
PID 968 wrote to memory of 384	968	hrlE9A4.tmp	4
PID 968 wrote to memory of 420	968	hrlE9A4.tmp	3
PID 968 wrote to memory of 420	968	hrlE9A4.tmp	3
PID 968 wrote to memory of 420	968	hrlE9A4.tmp	3
PID 968 wrote to memory of 420	968	hrlE9A4.tmp	3
PID 968 wrote to memory of 420	968	hrlE9A4.tmp	3
PID 968 wrote to memory of 420	968	hrlE9A4.tmp	3
PID 968 wrote to memory of 420	968	hrlE9A4.tmp	3
PID 968 wrote to memory of 468	968	hrlE9A4.tmp	2
PID 968 wrote to memory of 468	968	hrlE9A4.tmp	2
PID 968 wrote to memory of 468	968	hrlE9A4.tmp	2
PID 968 wrote to memory of 468	968	hrlE9A4.tmp	2
PID 968 wrote to memory of 468	968	hrlE9A4.tmp	2
PID 968 wrote to memory of 468	968	hrlE9A4.tmp	2
PID 968 wrote to memory of 468	968	hrlE9A4.tmp	2
PID 968 wrote to memory of 484	968	hrlE9A4.tmp	1
PID 968 wrote to memory of 484	968	hrlE9A4.tmp	1
PID 968 wrote to memory of 484	968	hrlE9A4.tmp	1
PID 968 wrote to memory of 484	968	hrlE9A4.tmp	1
PID 968 wrote to memory of 484	968	hrlE9A4.tmp	1
PID 968 wrote to memory of 484	968	hrlE9A4.tmp	1
PID 968 wrote to memory of 484	968	hrlE9A4.tmp	1
PID 968 wrote to memory of 492	968	hrlE9A4.tmp	24
PID 968 wrote to memory of 492	968	hrlE9A4.tmp	24
PID 968 wrote to memory of 492	968	hrlE9A4.tmp	24
PID 968 wrote to memory of 492	968	hrlE9A4.tmp	24
PID 968 wrote to memory of 492	968	hrlE9A4.tmp	24
PID 968 wrote to memory of 492	968	hrlE9A4.tmp	24
PID 968 wrote to memory of 492	968	hrlE9A4.tmp	24
PID 968 wrote to memory of 608	968	hrlE9A4.tmp	23
PID 968 wrote to memory of 608	968	hrlE9A4.tmp	23
PID 968 wrote to memory of 608	968	hrlE9A4.tmp	23
PID 968 wrote to memory of 608	968	hrlE9A4.tmp	23
PID 968 wrote to memory of 608	968	hrlE9A4.tmp	23
PID 968 wrote to memory of 608	968	hrlE9A4.tmp	23
PID 968 wrote to memory of 608	968	hrlE9A4.tmp	23
PID 968 wrote to memory of 684	968	hrlE9A4.tmp	22
PID 968 wrote to memory of 684	968	hrlE9A4.tmp	22
PID 968 wrote to memory of 684	968	hrlE9A4.tmp	22
PID 968 wrote to memory of 684	968	hrlE9A4.tmp	22

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1036
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1820
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1128
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1088
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:892
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:844
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:608
- C:\Windows\SysWOW64\rcflye.exe
  C:\Windows\SysWOW64\rcflye.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1532

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1960

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1992

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3995a9a2bcd8da259d9df6a8b0b4615dfb0c3236f8fd0ab0c65d034e3d506396.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3995a9a2bcd8da259d9df6a8b0b4615dfb0c3236f8fd0ab0c65d034e3d506396.dll,#1
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Users\Admin\AppData\Local\Temp\hrlE9A4.tmp
      C:\Users\Admin\AppData\Local\Temp\hrlE9A4.tmp
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:968

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlE9A4.tmp

Filesize
65KB

MD5
c639fbcf3d0131711f15d5aa1b82e490

SHA1
c31553db91295fa020af4cdeac405ec3355aa88f

SHA256
c599fbae010fc0556785d5b71d07ba475c3b4f3293ffeb78f099e8ae32e68f9a

SHA512
3d0daefd3e5dfa269e43c04195bfba97380c3b79e51e5b4b6e5ebaa5adde14367cc9091e3aadc562793d141e3c11b8b56fc274fad41ddcbe0caf2affcab2ecbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlE9A4.tmp

Filesize
65KB

MD5
c639fbcf3d0131711f15d5aa1b82e490

SHA1
c31553db91295fa020af4cdeac405ec3355aa88f

SHA256
c599fbae010fc0556785d5b71d07ba475c3b4f3293ffeb78f099e8ae32e68f9a

SHA512
3d0daefd3e5dfa269e43c04195bfba97380c3b79e51e5b4b6e5ebaa5adde14367cc9091e3aadc562793d141e3c11b8b56fc274fad41ddcbe0caf2affcab2ecbc

Download Submit
C:\WINDOWS\SysWOW64\RCFLYE.EXE

Filesize
65KB

MD5
c639fbcf3d0131711f15d5aa1b82e490

SHA1
c31553db91295fa020af4cdeac405ec3355aa88f

SHA256
c599fbae010fc0556785d5b71d07ba475c3b4f3293ffeb78f099e8ae32e68f9a

SHA512
3d0daefd3e5dfa269e43c04195bfba97380c3b79e51e5b4b6e5ebaa5adde14367cc9091e3aadc562793d141e3c11b8b56fc274fad41ddcbe0caf2affcab2ecbc

Download Submit
C:\Windows\SysWOW64\rcflye.exe

Filesize
65KB

MD5
c639fbcf3d0131711f15d5aa1b82e490

SHA1
c31553db91295fa020af4cdeac405ec3355aa88f

SHA256
c599fbae010fc0556785d5b71d07ba475c3b4f3293ffeb78f099e8ae32e68f9a

SHA512
3d0daefd3e5dfa269e43c04195bfba97380c3b79e51e5b4b6e5ebaa5adde14367cc9091e3aadc562793d141e3c11b8b56fc274fad41ddcbe0caf2affcab2ecbc

Download Submit
\Users\Admin\AppData\Local\Temp\hrlE9A4.tmp

Filesize
65KB

MD5
c639fbcf3d0131711f15d5aa1b82e490

SHA1
c31553db91295fa020af4cdeac405ec3355aa88f

SHA256
c599fbae010fc0556785d5b71d07ba475c3b4f3293ffeb78f099e8ae32e68f9a

SHA512
3d0daefd3e5dfa269e43c04195bfba97380c3b79e51e5b4b6e5ebaa5adde14367cc9091e3aadc562793d141e3c11b8b56fc274fad41ddcbe0caf2affcab2ecbc

Download Submit
\Users\Admin\AppData\Local\Temp\hrlE9A4.tmp

Filesize
65KB

MD5
c639fbcf3d0131711f15d5aa1b82e490

SHA1
c31553db91295fa020af4cdeac405ec3355aa88f

SHA256
c599fbae010fc0556785d5b71d07ba475c3b4f3293ffeb78f099e8ae32e68f9a

SHA512
3d0daefd3e5dfa269e43c04195bfba97380c3b79e51e5b4b6e5ebaa5adde14367cc9091e3aadc562793d141e3c11b8b56fc274fad41ddcbe0caf2affcab2ecbc

Download Submit
\Windows\SysWOW64\hra33.dll

Filesize
73KB

MD5
77e94c42e5cda17d1022d780a93d2a98

SHA1
50b60b4368dbaffd3ff186fc47f763cfaa27293a

SHA256
3995a9a2bcd8da259d9df6a8b0b4615dfb0c3236f8fd0ab0c65d034e3d506396

SHA512
9c0c9b4fcbf43093f3cd716e5bb02568af1808fe7342de473630449c2112658716be9b068450a5130b3d16acdf97b86eb6c23310a4e4db1962108a7be65807db

Download Submit
memory/916-55-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/916-61-0x0000000000130000-0x0000000000145000-memory.dmp

Filesize
84KB

Download
memory/916-62-0x0000000000130000-0x0000000000145000-memory.dmp

Filesize
84KB

Download
memory/916-71-0x0000000000130000-0x0000000000145000-memory.dmp

Filesize
84KB

Download
memory/968-66-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/968-65-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/968-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1532-67-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1532-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download