9b2793a02440cb8ec7a226ec499834face24ef52dfb77b4d51b5ecdfcdb40041

General

Target

lpk.dll
Size

43KB
MD5

78311085e5cd3f86a7243d628bfacf95
SHA1

ba7c78590f1e940f51afd2945674d904a814f976
SHA256

7ced46b02becde70fc51e05e88f6261a1745e7cfaf869007e6b305fd8e0d26ca
SHA512

773def76b44722e96d45cfd84d8773159331409923993bb67c217848f582bb456327580554c39d82965376b29d25c1d58b1ed4da734256661f97adf1f3ffacfd
SSDEEP

768:695fppO8mYzyN7c9SKiGsU8fKKVuJvSHlNyHg95fpp:45PGN7c9SKiGN8fzplNyHm5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1264	hrl3498.tmp
2284	kkaaya.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	rundll32.exe
2448	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kkaaya.exe	hrl3498.tmp
File opened for modification	C:\Windows\SysWOW64\kkaaya.exe	hrl3498.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 2652	2284	kkaaya.exe	31

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1264	hrl3498.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2448	1732	rundll32.exe	28
PID 1732 wrote to memory of 2448	1732	rundll32.exe	28
PID 1732 wrote to memory of 2448	1732	rundll32.exe	28
PID 1732 wrote to memory of 2448	1732	rundll32.exe	28
PID 1732 wrote to memory of 2448	1732	rundll32.exe	28
PID 1732 wrote to memory of 2448	1732	rundll32.exe	28
PID 1732 wrote to memory of 2448	1732	rundll32.exe	28
PID 2448 wrote to memory of 1264	2448	rundll32.exe	29
PID 2448 wrote to memory of 1264	2448	rundll32.exe	29
PID 2448 wrote to memory of 1264	2448	rundll32.exe	29
PID 2448 wrote to memory of 1264	2448	rundll32.exe	29
PID 2284 wrote to memory of 2652	2284	kkaaya.exe	31
PID 2284 wrote to memory of 2652	2284	kkaaya.exe	31
PID 2284 wrote to memory of 2652	2284	kkaaya.exe	31
PID 2284 wrote to memory of 2652	2284	kkaaya.exe	31
PID 2284 wrote to memory of 2652	2284	kkaaya.exe	31
PID 2284 wrote to memory of 2652	2284	kkaaya.exe	31
PID 1264 wrote to memory of 2796	1264	hrl3498.tmp	32
PID 1264 wrote to memory of 2796	1264	hrl3498.tmp	32
PID 1264 wrote to memory of 2796	1264	hrl3498.tmp	32
PID 1264 wrote to memory of 2796	1264	hrl3498.tmp	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\hrl3498.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl3498.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\hrl3498.tmp > nul
      4⤵
      PID:2796

C:\Windows\SysWOW64\kkaaya.exe
C:\Windows\SysWOW64\kkaaya.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl3498.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrl3498.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrl3498.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Windows\SysWOW64\kkaaya.exe

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Windows\SysWOW64\kkaaya.exe

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
\Users\Admin\AppData\Local\Temp\hrl3498.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
\Users\Admin\AppData\Local\Temp\hrl3498.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
memory/2652-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2652-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2652-17-0x00000000004A0000-0x00000000004A0000-memory.dmp

Download

Analysis

Sharing