Analysis Overview
SHA256
972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80
Threat Level: Likely malicious
The file 972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Loads dropped DLL
VMProtect packed file
Drops file in System32 directory
Unsigned PE
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-08 10:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-08 10:24
Reported
2023-12-08 10:26
Platform
win10v2004-20231130-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\kkEKnete.sys | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\s22g.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAEA990BBADFAE7FE5F474BF08829473C8F25255 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAEA990BBADFAE7FE5F474BF08829473C8F25255\Blob = [certificate blob omitted] | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3040 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 2128 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| N/A | 127.0.0.1:65238 | N/A | tcp |
| N/A | 127.0.0.1:65240 | N/A | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\s22g.dll
| MD5 | b2ee390c0b9947b86ede4deb825710a4 |
| SHA1 | 267ca058a46609439560b4742b26e6b4b7d72a6b |
| SHA256 | 64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0 |
| SHA512 | a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b |
memory/4436-7-0x000001962D340000-0x000001962D350000-memory.dmp
memory/4436-23-0x000001962D440000-0x000001962D450000-memory.dmp
memory/4436-39-0x0000019635740000-0x0000019635741000-memory.dmp
memory/4436-41-0x0000019635770000-0x0000019635771000-memory.dmp
memory/4436-42-0x0000019635770000-0x0000019635771000-memory.dmp
memory/4436-43-0x0000019635880000-0x0000019635881000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-08 10:24
Reported
2023-12-08 10:26
Platform
win7-20231130-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\kkEctgea.sys | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\s1l4.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\717642E4A28C98F0588854B430A2FD16F5B5B1B9 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\717642E4A28C98F0588854B430A2FD16F5B5B1B9\Blob = [DER certificate blob omitted] | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\services.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\services.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1412 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1412 wrote to memory of 1700 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1700 wrote to memory of 480 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\services.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\972c162a6d27f9574e088674970ce6cb1eb96d2a56e93fd55b30253155643b80.dll,#1
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49196 | N/A | tcp |
| N/A | 127.0.0.1:49198 | N/A | tcp |
Files
\Windows\SysWOW64\s1l4.dll
| MD5 | b2ee390c0b9947b86ede4deb825710a4 |
| SHA1 | 267ca058a46609439560b4742b26e6b4b7d72a6b |
| SHA256 | 64a2135124c4ef3d47efe2ca1936dd9c6a99f5d6fb9aa9365ee26d43a2fd4aa0 |
| SHA512 | a81e1813bf0cb5eb3bf2ef32c98304e35d65242dab567c803166d123b6cc34639f598698b198ba85ee55b42c0ab439554340466f69eb5fcfd180bf454c12802b |
memory/480-4-0x0000000000050000-0x0000000000076000-memory.dmp
memory/480-6-0x0000000000050000-0x0000000000076000-memory.dmp
memory/480-7-0x0000000000D30000-0x0000000000DB4000-memory.dmp
memory/480-10-0x0000000000D30000-0x0000000000DB4000-memory.dmp
memory/480-14-0x0000000000D30000-0x0000000000DB4000-memory.dmp
memory/480-16-0x00000000FF310000-0x00000000FF320000-memory.dmp
memory/480-18-0x0000000000D30000-0x0000000000DB4000-memory.dmp
memory/480-15-0x00000000FF310000-0x00000000FF320000-memory.dmp
memory/480-9-0x0000000000D30000-0x0000000000DB4000-memory.dmp