Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231130-en
- resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
- submitted: 08/12/2023, 10:24
Static task: static1
Behavioral task: behavioral1
- Sample: 972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: 972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll
- Resource: win10v2004-20231130-en
General
- Target: 972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll
- Size: 3.5MB
- MD5: bcc4727a9d1e2e8c69adffe97bc4f7b6
- SHA1: 60f2d82eced11c155c907116a96962dd2e14e959
- SHA256: 972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80
- SHA512: 34b20dac55d57002b28db055dc632fae680daf3c706500d1dcb0be4a0d80677d52278600c82914e8b53ea02fc39a231039a3ba2c5a6ffa07188c874ca3a199fd
- SSDEEP: 98304:NIL6ZfTRgRxkgC+DEbQl5zxEtxOm3MN9W8T1U8:6/xl5sImcGe1U8
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\system32\drivers\kkEctgea.sys (process: rundll32.exe)
- Loads dropped DLL (1 IoC)
  PID 1700, rundll32.exe
- YARA rule match: vmprotect (5 memory dumps, behavioral1)
  - behavioral1/memory/480-7-0x0000000000D30000-0x0000000000DB4000-memory.dmp
  - behavioral1/memory/480-9-0x0000000000D30000-0x0000000000DB4000-memory.dmp
  - behavioral1/memory/480-10-0x0000000000D30000-0x0000000000DB4000-memory.dmp
  - behavioral1/memory/480-14-0x0000000000D30000-0x0000000000DB4000-memory.dmp
  - behavioral1/memory/480-18-0x0000000000D30000-0x0000000000DB4000-memory.dmp
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\s1l4.dll (process: rundll32.exe)
- Modifies system certificate store (2 IoCs; signature name taken from the process tree below)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\717642E4A28C98F0588854B430A2FD16F5B5B1B9 (process: rundll32.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\717642E4A28C98F0588854B430A2FD16F5B5B1B9\Blob = (certificate blob not included in the report) (process: rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 1700, rundll32.exe (6 occurrences); PID 480, services.exe (1 occurrence)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 1700, rundll32.exe
  Token: SeDebugPrivilege, PID 480, services.exe
  Token: SeDebugPrivilege, PID 1700, rundll32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1412 (rundll32.exe) wrote to memory of PID 1700, procid_target 28 (7 occurrences)
  PID 1700 (rundll32.exe) wrote to memory of PID 480, procid_target 22 (1 occurrence)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
  PID: 1412
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
    PID: 1700
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- C:\Windows\system32\services.exe
  Command line: C:\Windows\system32\services.exe
  PID: 480
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.4MB
- MD5: b2ee390c0b9947b86ede4deb825710a4
- SHA1: 267ca058a46609439560b4742b26e6b4b7d72a6b
- SHA256: 64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0
- SHA512: a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b