74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b.exe
Size

782KB
MD5

d16c98798533c89a98058a20fccb800b
SHA1

95d200da8f4e40f913dff332eb6ebc40c3933f51
SHA256

74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b
SHA512

d104c69e7414812d152db7be6db19f894f8e97ea75440dea9527f0fa14c366517ea2f38c58ec797bdef31cf06c26a3372f4ca4d2fe1a2d03a5cdfd2e1b5899a5
SSDEEP

12288:YaSYc8+QL82IQ7QYXZ0pPWuv91tftzZG9L979hw0jTC85Ff9y1TFqAyEmf:YT5g/Ew4PfZZUh79fjTC898B3yzf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
32	rundl123.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundl123.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundl123.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks	rundl123.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\38.181.24.91:1150	rundl123.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe
32	rundl123.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2600	74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b.exe
2600	74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b.exe
32	rundl123.exe
32	rundl123.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 32	2600	74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b.exe	85
PID 2600 wrote to memory of 32	2600	74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b.exe	85
PID 2600 wrote to memory of 32	2600	74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b.exe	85

C:\Users\Admin\AppData\Local\Temp\74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b.exe
"C:\Users\Admin\AppData\Local\Temp\74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600
- \??\c:\ProgramData\rundl123.exe
  "c:\ProgramData\rundl123.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:32

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rundl123.exe

Filesize
782KB

MD5
d16c98798533c89a98058a20fccb800b

SHA1
95d200da8f4e40f913dff332eb6ebc40c3933f51

SHA256
74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b

SHA512
d104c69e7414812d152db7be6db19f894f8e97ea75440dea9527f0fa14c366517ea2f38c58ec797bdef31cf06c26a3372f4ca4d2fe1a2d03a5cdfd2e1b5899a5

Download Submit
\??\c:\ProgramData\rundl123.exe

Filesize
782KB

MD5
d16c98798533c89a98058a20fccb800b

SHA1
95d200da8f4e40f913dff332eb6ebc40c3933f51

SHA256
74532c96f70a3c352f78133704b015a7c0993397068b8eeddcdb5f0ce310b29b

SHA512
d104c69e7414812d152db7be6db19f894f8e97ea75440dea9527f0fa14c366517ea2f38c58ec797bdef31cf06c26a3372f4ca4d2fe1a2d03a5cdfd2e1b5899a5

Download Submit
memory/32-161-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/32-152-0x0000000010000000-0x000000001004C000-memory.dmp

Filesize
304KB

Download
memory/32-151-0x0000000004880000-0x00000000048CE000-memory.dmp

Filesize
312KB

Download
memory/32-150-0x0000000000AA0000-0x0000000000AFF000-memory.dmp

Filesize
380KB

Download
memory/32-149-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/32-148-0x0000000003340000-0x0000000003343000-memory.dmp

Filesize
12KB

Download
memory/2600-142-0x0000000003490000-0x0000000003492000-memory.dmp

Filesize
8KB

Download
memory/2600-143-0x0000000003480000-0x0000000003483000-memory.dmp

Filesize
12KB

Download
memory/2600-134-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2600-141-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2600-147-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2600-140-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2600-137-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2600-139-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2600-138-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2600-136-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2600-135-0x0000000002400000-0x000000000245F000-memory.dmp

Filesize
380KB

Download