Analysis
max time kernel: 154s
max time network: 193s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2022, 14:05
Static task: static1
Behavioral task: behavioral1
  Sample: e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe.dll
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe.dll
  Resource: win10v2004-20220812-en
General
Target: e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe.dll
Size: 48KB
MD5: cfa04dc1e4469d70f62dabd382e61090
SHA1: 73c035d524287543adb509fb1770d06fbe57d66f
SHA256: e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe
SHA512: 77a7e71413dbbdab2e478eb22f48fbdadfe6fa34a5261b6ca2faa3ac2586c12e9c18d104109bab40572031e35c65ed9698de10f2f47f4a159d08de08eb2cec98
SSDEEP: 768:hojY9POJdMmJyj0Ml+oi/XSpSZbVfDBoWyHaojY9PouJAun:0mGJdMmJyDl+tVZDoWyHjmguqun
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID 1308 hrl9BB4.tmp
  PID 2016 oiameu.exe
- Loads dropped DLL (3 IoCs)
  PID 1372 rundll32.exe (listed twice)
  PID 2016 oiameu.exe
- Enumerates connected drives (3 TTPs, 44 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by rundll32.exe, 22 drive roots: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  File opened (read-only) by oiameu.exe, the same 22 drive roots: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\oiameu.exe by hrl9BB4.tmp
  File opened for modification: C:\Windows\SysWOW64\oiameu.exe by hrl9BB4.tmp
  File created: C:\Windows\SysWOW64\hra33.dll by oiameu.exe
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\7-Zip\lpk.dll by oiameu.exe
  File opened for modification: C:\Program Files\7-Zip\lpk.dll by oiameu.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1308 hrl9BB4.tmp (listed twice)
  PID 2016 oiameu.exe (listed twice)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1368 rundll32.exe wrote to memory of PID 1372 (procid_target 28): 7 events
  PID 1372 rundll32.exe wrote to memory of PID 1308 (procid_target 29): 4 events
Processes
- C:\Windows\system32\rundll32.exe (PID 1368)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1372)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe.dll,#1
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\hrl9BB4.tmp (PID 1308)
      Command line: C:\Users\Admin\AppData\Local\Temp\hrl9BB4.tmp
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\oiameu.exe (PID 2016)
  Command line: C:\Windows\SysWOW64\oiameu.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx

Reading the tree: the ",#1" suffix tells rundll32 to call the DLL's export with ordinal 1. The 64-bit rundll32 (PID 1368) does no work of its own; it hands the DLL to its 32-bit SysWOW64 counterpart (PID 1372), which is what the 64-bit rundll32 does when given a 32-bit DLL, so the payload runs in PID 1372. PID 1372 launches the dropped hrl9BB4.tmp from %TEMP%, and hrl9BB4.tmp writes C:\Windows\SysWOW64\oiameu.exe. oiameu.exe (PID 2016) appears as a second root because the report records no parent for it; once running it drops hra33.dll beside itself in SysWOW64 and writes lpk.dll into C:\Program Files\7-Zip, and both it and the SysWOW64 rundll32 walk every drive root from E: to Z:.
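The script below is an added example for this report, not code from tria.ge or from the sample: it rebuilds the process tree above from the "Suspicious use of WriteProcessMemory" events (collapsing the repeated per-call entries and taking the first writer into a PID as its parent) and re-derives the "Enumerates connected drives", "Drops file in System32 directory" and "Drops file in Program Files directory" verdicts from the file events. The event records are constructed by hand from the tables on this page (PIDs, image paths, dropped-file paths and the E: to Z: drive letters as listed there); the record layout, the function names and the DRIVE_THRESHOLD value are assumptions of this example, not tria.ge's own signature logic.

```python
"""Re-derive this report's process tree and three of its verdicts from raw events.

Added example, not tria.ge code. Event lists are constructed from the tables on
the report page; field layout, function names and DRIVE_THRESHOLD are assumptions.
"""
import re
from collections import defaultdict

# (source_pid, source_image, target_pid), one tuple per logged WriteProcessMemory
# call: the report shows 7 writes from 1368 into 1372 and 4 from 1372 into 1308.
WRITE_EVENTS = [(1368, "rundll32.exe", 1372)] * 7 + [(1372, "rundll32.exe", 1308)] * 4

# pid -> image path, from the process list (constructed).
PROCESSES = {
    1368: r"C:\Windows\system32\rundll32.exe",
    1372: r"C:\Windows\SysWOW64\rundll32.exe",
    1308: r"C:\Users\Admin\AppData\Local\Temp\hrl9BB4.tmp",
    2016: r"C:\Windows\SysWOW64\oiameu.exe",
}

# (action, path, pid): the 44 read-only drive-root opens plus the file drops (constructed).
DRIVES = "EFGHIJKLMNOPQRSTUVWXYZ"
FILE_EVENTS = (
    [("open", "\\??\\" + d + ":", 1372) for d in DRIVES]
    + [("open", "\\??\\" + d + ":", 2016) for d in DRIVES]
    + [
        ("create", r"C:\Windows\SysWOW64\oiameu.exe", 1308),
        ("modify", r"C:\Windows\SysWOW64\oiameu.exe", 1308),
        ("create", r"C:\Windows\SysWOW64\hra33.dll", 2016),
        ("create", r"C:\Program Files\7-Zip\lpk.dll", 2016),
        ("modify", r"C:\Program Files\7-Zip\lpk.dll", 2016),
    ]
)

DRIVE_THRESHOLD = 3  # assumption: this many distinct non-C: roots counts as enumeration
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")  # matches the NT path form \??\X:
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def build_tree(write_events, processes):
    """Parent/child links from WriteProcessMemory events.

    A process creation shows up in the sandbox as a burst of writes from the
    creator into the new process, so the first writer into a PID is taken as its
    parent and the repeated events collapse into one edge.
    """
    parent_of = {}
    for src, _image, dst in write_events:
        parent_of.setdefault(dst, src)
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = [pid for pid in processes if pid not in parent_of]
    return roots, dict(children)


def render_tree(roots, children, processes, depth=0):
    """Indented text rendering of the tree, one line per process."""
    lines = []
    for pid in roots:
        lines.append("  " * depth + f"{processes[pid]} (PID {pid})")
        lines.extend(render_tree(children.get(pid, []), children, processes, depth + 1))
    return lines


def enumerates_drives(file_events, threshold=DRIVE_THRESHOLD):
    """pid -> sorted drive letters for processes opening >= threshold non-C: drive roots."""
    roots = defaultdict(set)
    for action, path, pid in file_events:
        m = DRIVE_ROOT.match(path)
        if action == "open" and m and m.group(1) != "C":
            roots[pid].add(m.group(1))
    return {pid: sorted(s) for pid, s in roots.items() if len(s) >= threshold}


def drops_in_system_dirs(file_events):
    """pid -> paths created or modified under System32 / SysWOW64."""
    hits = defaultdict(set)
    for action, path, pid in file_events:
        if action in ("create", "modify") and path.lower().startswith(SYSTEM_DIRS):
            hits[pid].add(path)
    return {pid: sorted(p) for pid, p in hits.items()}


def dll_planted_in_program_files(file_events):
    """pid -> .dll files created under Program Files.

    A DLL written into another application's directory is the placement used for
    DLL search-order hijacking; the report records the write, not what loads it.
    """
    hits = defaultdict(set)
    for action, path, pid in file_events:
        low = path.lower()
        if action == "create" and low.startswith("c:\\program files") and low.endswith(".dll"):
            hits[pid].add(path)
    return {pid: sorted(p) for pid, p in hits.items()}


def triage(write_events, processes, file_events):
    """Everything above in one dict, the shape a report renderer would consume."""
    roots, children = build_tree(write_events, processes)
    return {
        "tree": render_tree(roots, children, processes),
        "enumerates_drives": enumerates_drives(file_events),
        "drops_in_system_dirs": drops_in_system_dirs(file_events),
        "dll_in_program_files": dll_planted_in_program_files(file_events),
    }


if __name__ == "__main__":
    report = triage(WRITE_EVENTS, PROCESSES, FILE_EVENTS)
    print("\n".join(report["tree"]))
    for key in ("enumerates_drives", "drops_in_system_dirs", "dll_in_program_files"):
        print(f"{key}: {report[key]}")
```

Taking the first writer as the parent is a sandbox-specific shortcut: a process that injects into an already running process is also a "writer", so on EDR telemetry use the parent PID from the process-creation event and treat WriteProcessMemory into a process that is not a child as the injection signal rather than as a tree edge.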
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 38KB (listed six times in the original report)
  MD5: 5cfdb0ad1a0b5d343bec719eae9af38c
  SHA1: f6c3ac3c7d58bb8aacd76f8f81b70421f749e884
  SHA256: c0d5f095f215c5252db7a72132057d431b63dab7df4759dc56cbc30c6c4d00d8
  SHA512: 04994535a08e896137ca957ca9686014ac0204ed721f4f498a3e49b9fc66472fe658a84bffc7c7f570e3e18cd302dc9982c69837969233ec0a77f4a06ac104d1
- Filesize: 46KB
  MD5: 0756b1a173080c4bb5feebe2c4b58c08
  SHA1: d99c51e1494774bbe2828e5dbf746c0bb99c6ce2
  SHA256: fa8f9c469adea08ea3d91a0f8253084d92ffc6ad2cfaefe7cbd4eb4afaf246ab
  SHA512: 9c75660fc1852726f58e7939b780ce298be68172543bbd588d2e21e39b399eec7a81dfbfbcf761a516d9bb91cd8ce1a7bfbb17127759c8fe36ae653d461e37f2