Analysis
-
max time kernel
149s
-
max time network
144s
-
platform
windows10-2004_x64
-
resource
win10v2004-20231130-en
-
resource tags
arch:x64
arch:x86
image:win10v2004-20231130-en
locale:en-us
os:windows10-2004-x64
system
-
submitted
08/12/2023, 10:24
Static task
static1
Behavioral task
behavioral1
Sample
972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll
Resource
win10v2004-20231130-en
General
-
Target
972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll
-
Size
3.5MB
-
MD5
bcc4727a9d1e2e8c69adffe97bc4f7b6
-
SHA1
60f2d82eced11c155c907116a96962dd2e14e959
-
SHA256
972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80
-
SHA512
34b20dac55d57002b28db055dc632fae680daf3c706500d1dcb0be4a0d80677d52278600c82914e8b53ea02fc39a231039a3ba2c5a6ffa07188c874ca3a199fd
-
SSDEEP
98304:NIL6ZfTRgRxkgC+DEbQl5zxEtxOm3MN9W8T1U8:6/xl5sImcGe1U8
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description   ioc                                        Process
File created  C:\Windows\system32\drivers\kkEKnete.sys   rundll32.exe
-
Loads dropped DLL 1 IoCs
pid   Process
2128  rundll32.exe
-
Drops file in System32 directory 1 IoCs
description   ioc                            Process
File created  C:\Windows\SysWOW64\s22g.dll   rundll32.exe
-
Modifies system certificate store 2 IoCs
description       ioc   Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAEA990BBADFAE7FE5F474BF08829473C8F25255   rundll32.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAEA990BBADFAE7FE5F474BF08829473C8F25255\Blob = 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   rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid   Process
2128  rundll32.exe   (the same entry is reported 12 times)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description                     pid   Process
Token: SeDebugPrivilege         2128  rundll32.exe
Token: SeDebugPrivilege         2128  rundll32.exe
Token: SeManageVolumePrivilege  4436  svchost.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description                        pid   Process       procid_target
PID 3040 wrote to memory of 2128   3040  rundll32.exe  89
PID 3040 wrote to memory of 2128   3040  rundll32.exe  89
PID 3040 wrote to memory of 2128   3040  rundll32.exe  89
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
- Suspicious use of WriteProcessMemory
PID:3040
-
  C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
-
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
PID:2828
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
- Suspicious use of AdjustPrivilegeToken
PID:4436
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.4MB
MD5
b2ee390c0b9947b86ede4deb825710a4
SHA1
267ca058a46609439560b4742b26e6b4b7d72a6b
SHA256
64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0
SHA512
a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b