f5b8f60a158e5270a0c5dff3351e40f659dbb24984e8be3c3eede5412a720569

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5b8f60a158e5270a0c5dff3351e40f659dbb24984e8be3c3eede5412a720569.dll
Size

2.8MB
MD5

d24ab8ead6b8b01d5ebab5406392efd4
SHA1

7cb073544797e09bd8282548116f0caa574939a2
SHA256

f5b8f60a158e5270a0c5dff3351e40f659dbb24984e8be3c3eede5412a720569
SHA512

6efe753accfd1b3df70b08dbfe310e085b9eb2f3a31d287bb1e40d886605e3329b84ac8a5ff2a132d53f50bc87aa932f2cdb421a15383f5db5320d3107edca5d
SSDEEP

6144:VS4wBE/oKXJdrI/ed3IHpxWDWain/JeoCK5pkLNFe+:8DWFzUK8bWDmBjCUpkxF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1744	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\linyloa.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\linyloa.dll	rundll32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\linyloa.dll"	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1744	1104	rundll32.exe	27
PID 1104 wrote to memory of 1744	1104	rundll32.exe	27
PID 1104 wrote to memory of 1744	1104	rundll32.exe	27
PID 1104 wrote to memory of 1744	1104	rundll32.exe	27
PID 1104 wrote to memory of 1744	1104	rundll32.exe	27
PID 1104 wrote to memory of 1744	1104	rundll32.exe	27
PID 1104 wrote to memory of 1744	1104	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5b8f60a158e5270a0c5dff3351e40f659dbb24984e8be3c3eede5412a720569.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5b8f60a158e5270a0c5dff3351e40f659dbb24984e8be3c3eede5412a720569.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\linyloa.dll

Filesize
3.7MB

MD5
cf0249b9e7044ff14f280e9e8c89a736

SHA1
bf5dc0bceeaa8b8e3a23d2b9efe5f4a29d54f9de

SHA256
e8489106a57e6efdbc530d91b87c18eca3b3d0e57c6ed092fae46458379c6863

SHA512
7bd872e417b25e57b7ba5d00577af46ec391bc622176dfabe5c85a294af471897c61b58ef29cbeabf772fd3c51c21f6d0cc6e566ebe3cd2925c2a45bed625dcd

Download Submit
memory/1744-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1744-56-0x00000000001E0000-0x000000000021C000-memory.dmp

Filesize
240KB

Download
memory/1744-58-0x00000000002A0000-0x00000000002F5000-memory.dmp

Filesize
340KB

Download
memory/1744-65-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1744-70-0x0000000000770000-0x00000000007AC000-memory.dmp

Filesize
240KB

Download
memory/1744-72-0x0000000001D10000-0x0000000001D65000-memory.dmp

Filesize
340KB

Download
memory/1744-79-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download