db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512

Analysis

max time kernel
209s
max time network
243s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe
Size

31KB
MD5

f2b7453819308dee3db93a362174bc1d
SHA1

6b6d41027837ff3e8921c687c2271ef77c645530
SHA256

db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512
SHA512

2238ee254df2e6e8b7675aa9c427ffdb051ac731f5446567446afb098d96bedacc83dca9699e50997d11ce1e6ae5713e2d7ab0e61fae3f304e4bcf8140b2962b
SSDEEP

768:YFf2dFzNtv+EOb7RF+uWbSSVXHOEg6DC1xrAjK:YFf2fvZIRBnKHOEXG

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe

Loads dropped DLL 2 IoCs

pid	Process
4716	rundll32.exe
1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe
File opened for modification	C:\autorun.inf	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\func.dll	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\phpq.dll	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1332	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
5004	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2952	taskkill.exe
4676	taskkill.exe
3832	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	4716	rundll32.exe
Token: SeDebugPrivilege	4716	rundll32.exe
Token: SeDebugPrivilege	4716	rundll32.exe
Token: SeDebugPrivilege	4716	rundll32.exe
Token: SeDebugPrivilege	4716	rundll32.exe
Token: SeDebugPrivilege	4716	rundll32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 4356	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	84
PID 1636 wrote to memory of 4356	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	84
PID 1636 wrote to memory of 4356	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	84
PID 1636 wrote to memory of 2704	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	85
PID 1636 wrote to memory of 2704	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	85
PID 1636 wrote to memory of 2704	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	85
PID 1636 wrote to memory of 4896	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	91
PID 1636 wrote to memory of 4896	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	91
PID 1636 wrote to memory of 4896	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	91
PID 1636 wrote to memory of 3164	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	90
PID 1636 wrote to memory of 3164	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	90
PID 1636 wrote to memory of 3164	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	90
PID 1636 wrote to memory of 3936	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	89
PID 1636 wrote to memory of 3936	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	89
PID 1636 wrote to memory of 3936	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	89
PID 1636 wrote to memory of 888	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	95
PID 1636 wrote to memory of 888	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	95
PID 1636 wrote to memory of 888	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	95
PID 4896 wrote to memory of 1332	4896	cmd.exe	99
PID 4896 wrote to memory of 1332	4896	cmd.exe	99
PID 4896 wrote to memory of 1332	4896	cmd.exe	99
PID 4356 wrote to memory of 1508	4356	cmd.exe	101
PID 4356 wrote to memory of 1508	4356	cmd.exe	101
PID 4356 wrote to memory of 1508	4356	cmd.exe	101
PID 2704 wrote to memory of 4076	2704	cmd.exe	100
PID 2704 wrote to memory of 4076	2704	cmd.exe	100
PID 2704 wrote to memory of 4076	2704	cmd.exe	100
PID 3164 wrote to memory of 3832	3164	cmd.exe	98
PID 3164 wrote to memory of 3832	3164	cmd.exe	98
PID 3164 wrote to memory of 3832	3164	cmd.exe	98
PID 888 wrote to memory of 4676	888	cmd.exe	97
PID 888 wrote to memory of 4676	888	cmd.exe	97
PID 888 wrote to memory of 4676	888	cmd.exe	97
PID 3936 wrote to memory of 2952	3936	cmd.exe	96
PID 3936 wrote to memory of 2952	3936	cmd.exe	96
PID 3936 wrote to memory of 2952	3936	cmd.exe	96
PID 1636 wrote to memory of 4716	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	103
PID 1636 wrote to memory of 4716	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	103
PID 1636 wrote to memory of 4716	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	103
PID 1636 wrote to memory of 5004	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	106
PID 1636 wrote to memory of 5004	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	106
PID 1636 wrote to memory of 5004	1636	db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe	106

C:\Users\Admin\AppData\Local\Temp\db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe
"C:\Users\Admin\AppData\Local\Temp\db86e26f21fa3a2fae51fbe3a751bad4fd463120dc31067ce5c92cb6553e8512.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls C:\Windows /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows /e /p everyone:f
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im egui.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im egui.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ekrn.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc config ekrn start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im ScanFrm.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ScanFrm.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe func.dll, droqp
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:5004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\func.dll

Filesize
37KB

MD5
534efcd3197edc9906072345a4b97ef7

SHA1
f6d544cfdb1cad87375e31bc199bc0aa68022617

SHA256
62fb66c7fa9edf7851ed484bbcd986c098d09896afa32ebbf5d478ab476b9695

SHA512
dd94eade742b66c881ac1ad52f0b501845947c689a73c7e0f8dc44aa8dc1d8964031619928a0aec2fa2568204cb5937cb370e463f12083387fb6123a0e94ad21

Download Submit
C:\Windows\SysWOW64\func.dll

Filesize
37KB

MD5
534efcd3197edc9906072345a4b97ef7

SHA1
f6d544cfdb1cad87375e31bc199bc0aa68022617

SHA256
62fb66c7fa9edf7851ed484bbcd986c098d09896afa32ebbf5d478ab476b9695

SHA512
dd94eade742b66c881ac1ad52f0b501845947c689a73c7e0f8dc44aa8dc1d8964031619928a0aec2fa2568204cb5937cb370e463f12083387fb6123a0e94ad21

Download Submit
C:\Windows\phpq.dll

Filesize
44KB

MD5
5f17746f32293d1b8877847d13f27cd7

SHA1
9167973cc9ce6319ed3609cc9575f7d7dc1e15a7

SHA256
0f504815e6a8d6f2ce626a980c0618e7c482db47e4a34a97b81ea73b94a3c9c7

SHA512
3a27e15e1f6460c8348aca42e96158efc92dc1ffcd7919d08965abb9e754d6e796f0ce23a0c4c7d83af04f8b6989d8f727cd5f9c9680a99d6328171e02a7c283

Download Submit
memory/1636-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download