e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe

Analysis

max time kernel
162s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe.dll
Size

48KB
MD5

cfa04dc1e4469d70f62dabd382e61090
SHA1

73c035d524287543adb509fb1770d06fbe57d66f
SHA256

e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe
SHA512

77a7e71413dbbdab2e478eb22f48fbdadfe6fa34a5261b6ca2faa3ac2586c12e9c18d104109bab40572031e35c65ed9698de10f2f47f4a159d08de08eb2cec98
SSDEEP

768:hojY9POJdMmJyj0Ml+oi/XSpSZbVfDBoWyHaojY9PouJAun:0mGJdMmJyDl+tVZDoWyHjmguqun

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3424	hrlD892.tmp
312	qekuau.exe

Loads dropped DLL 1 IoCs

pid	Process
312	qekuau.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qekuau.exe	hrlD892.tmp
File created	C:\Windows\SysWOW64\hra33.dll	qekuau.exe
File created	C:\Windows\SysWOW64\qekuau.exe	hrlD892.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3424	hrlD892.tmp
3424	hrlD892.tmp
312	qekuau.exe
312	qekuau.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2248	1188	rundll32.exe	79
PID 1188 wrote to memory of 2248	1188	rundll32.exe	79
PID 1188 wrote to memory of 2248	1188	rundll32.exe	79
PID 2248 wrote to memory of 3424	2248	rundll32.exe	80
PID 2248 wrote to memory of 3424	2248	rundll32.exe	80
PID 2248 wrote to memory of 3424	2248	rundll32.exe	80

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e45e4f595928c1b6bf02db6353086e9f4b2123e9b9f7ad1836d630cceec05fbe.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\hrlD892.tmp
    C:\Users\Admin\AppData\Local\Temp\hrlD892.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:3424

C:\Windows\SysWOW64\qekuau.exe
C:\Windows\SysWOW64\qekuau.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlD892.tmp

Filesize
38KB

MD5
5cfdb0ad1a0b5d343bec719eae9af38c

SHA1
f6c3ac3c7d58bb8aacd76f8f81b70421f749e884

SHA256
c0d5f095f215c5252db7a72132057d431b63dab7df4759dc56cbc30c6c4d00d8

SHA512
04994535a08e896137ca957ca9686014ac0204ed721f4f498a3e49b9fc66472fe658a84bffc7c7f570e3e18cd302dc9982c69837969233ec0a77f4a06ac104d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlD892.tmp

Filesize
38KB

MD5
5cfdb0ad1a0b5d343bec719eae9af38c

SHA1
f6c3ac3c7d58bb8aacd76f8f81b70421f749e884

SHA256
c0d5f095f215c5252db7a72132057d431b63dab7df4759dc56cbc30c6c4d00d8

SHA512
04994535a08e896137ca957ca9686014ac0204ed721f4f498a3e49b9fc66472fe658a84bffc7c7f570e3e18cd302dc9982c69837969233ec0a77f4a06ac104d1

Download Submit
C:\Windows\SysWOW64\hra33.dll

Filesize
46KB

MD5
0756b1a173080c4bb5feebe2c4b58c08

SHA1
d99c51e1494774bbe2828e5dbf746c0bb99c6ce2

SHA256
fa8f9c469adea08ea3d91a0f8253084d92ffc6ad2cfaefe7cbd4eb4afaf246ab

SHA512
9c75660fc1852726f58e7939b780ce298be68172543bbd588d2e21e39b399eec7a81dfbfbcf761a516d9bb91cd8ce1a7bfbb17127759c8fe36ae653d461e37f2

Download Submit
C:\Windows\SysWOW64\qekuau.exe

Filesize
38KB

MD5
5cfdb0ad1a0b5d343bec719eae9af38c

SHA1
f6c3ac3c7d58bb8aacd76f8f81b70421f749e884

SHA256
c0d5f095f215c5252db7a72132057d431b63dab7df4759dc56cbc30c6c4d00d8

SHA512
04994535a08e896137ca957ca9686014ac0204ed721f4f498a3e49b9fc66472fe658a84bffc7c7f570e3e18cd302dc9982c69837969233ec0a77f4a06ac104d1

Download Submit
C:\Windows\SysWOW64\qekuau.exe

Filesize
38KB

MD5
5cfdb0ad1a0b5d343bec719eae9af38c

SHA1
f6c3ac3c7d58bb8aacd76f8f81b70421f749e884

SHA256
c0d5f095f215c5252db7a72132057d431b63dab7df4759dc56cbc30c6c4d00d8

SHA512
04994535a08e896137ca957ca9686014ac0204ed721f4f498a3e49b9fc66472fe658a84bffc7c7f570e3e18cd302dc9982c69837969233ec0a77f4a06ac104d1

Download Submit