9b2793a02440cb8ec7a226ec499834face24ef52dfb77b4d51b5ecdfcdb40041

Analysis

max time kernel
131s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lpk.dll
Size

43KB
MD5

78311085e5cd3f86a7243d628bfacf95
SHA1

ba7c78590f1e940f51afd2945674d904a814f976
SHA256

7ced46b02becde70fc51e05e88f6261a1745e7cfaf869007e6b305fd8e0d26ca
SHA512

773def76b44722e96d45cfd84d8773159331409923993bb67c217848f582bb456327580554c39d82965376b29d25c1d58b1ed4da734256661f97adf1f3ffacfd
SSDEEP

768:695fppO8mYzyN7c9SKiGsU8fKKVuJvSHlNyHg95fpp:45PGN7c9SKiGN8fzplNyHm5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3160	hrlE128.tmp
1352	dipzew.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dipzew.exe	hrlE128.tmp
File created	C:\Windows\SysWOW64\dipzew.exe	hrlE128.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 4712	1352	dipzew.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2316	4712	WerFault.exe	87

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3160	hrlE128.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 5104	1272	rundll32.exe	81
PID 1272 wrote to memory of 5104	1272	rundll32.exe	81
PID 1272 wrote to memory of 5104	1272	rundll32.exe	81
PID 5104 wrote to memory of 3160	5104	rundll32.exe	85
PID 5104 wrote to memory of 3160	5104	rundll32.exe	85
PID 5104 wrote to memory of 3160	5104	rundll32.exe	85
PID 1352 wrote to memory of 4712	1352	dipzew.exe	87
PID 1352 wrote to memory of 4712	1352	dipzew.exe	87
PID 1352 wrote to memory of 4712	1352	dipzew.exe	87
PID 1352 wrote to memory of 4712	1352	dipzew.exe	87
PID 1352 wrote to memory of 4712	1352	dipzew.exe	87
PID 3160 wrote to memory of 4888	3160	hrlE128.tmp	92
PID 3160 wrote to memory of 4888	3160	hrlE128.tmp	92
PID 3160 wrote to memory of 4888	3160	hrlE128.tmp	92

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\lpk.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\hrlE128.tmp
    C:\Users\Admin\AppData\Local\Temp\hrlE128.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\hrlE128.tmp > nul
      4⤵
      PID:4888

C:\Windows\SysWOW64\dipzew.exe
C:\Windows\SysWOW64\dipzew.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:4712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 12
    3⤵
    - Program crash
    PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4712 -ip 4712
1⤵
PID:4448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlE128.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrlE128.tmp

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Windows\SysWOW64\dipzew.exe

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
C:\Windows\SysWOW64\dipzew.exe

Filesize
36KB

MD5
eb4ddda9e715be4be7423fc87e42c1c6

SHA1
ec541ac7cfcd55f37758f9a33137e19257307c11

SHA256
842ee71c9e4b9e8b30d8471eb3632f3f4d1b29796a08c0e804d4fcf89a53b1b9

SHA512
8b1091a412c81bc9e143f838ab1b589c110e83bee9d5a45c0cdf79aea868e2a31e5713625db513ff74a923732ee1bceafcce8b51d83e79f7d013ca46d7967c4e

Download Submit
memory/4712-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4712-8-0x0000000000310000-0x0000000000310000-memory.dmp

Download