e78806b107631499b6af8b48ac14eb4c435c5e1e6a47e051338e48feeb4bb070

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 15:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

031c6ebe3e538f532b8473700bcf0031.dll
Size

236KB
MD5

031c6ebe3e538f532b8473700bcf0031
SHA1

b619beaa9f5b2a3dbf25160f40f8e13d062722b2
SHA256

e78806b107631499b6af8b48ac14eb4c435c5e1e6a47e051338e48feeb4bb070
SHA512

bb18b67ec174265aa662050a14f0b845ef08866df5b057046fe3a938e7f84c955383e314455177c88d735ad320f6287d13ce7b5fb7fd6ac3807e8a5f5da0d96e
SSDEEP

1536:1dKaTHN2ymZ0ofa5uQm4V7HG8ldINh+RhFtFftCgpcGO5lPf/XG8GmGwktb4:1Y4tIQG8XAmbFfaGc1fawk14

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ungiv = "{a5e6d761-2d6e-72b3-3e7f-2d6e5fe9d2f0}"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2528	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hatvi.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\hatvi.dll	rundll32.exe
File created	C:\Windows\SysWOW64\pibdq.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\pibdq.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a5e6d761-2d6e-72b3-3e7f-2d6e5fe9d2f0}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a5e6d761-2d6e-72b3-3e7f-2d6e5fe9d2f0}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a5e6d761-2d6e-72b3-3e7f-2d6e5fe9d2f0}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a5e6d761-2d6e-72b3-3e7f-2d6e5fe9d2f0}\InprocServer32\ = "C:\\Windows\\SysWow64\\pibdq.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a5e6d761-2d6e-72b3-3e7f-2d6e5fe9d2f0}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2528	rundll32.exe
2528	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2528	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2528	1472	rundll32.exe	16
PID 1472 wrote to memory of 2528	1472	rundll32.exe	16
PID 1472 wrote to memory of 2528	1472	rundll32.exe	16

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\031c6ebe3e538f532b8473700bcf0031.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\031c6ebe3e538f532b8473700bcf0031.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hatvi.dll

Filesize
109KB

MD5
4257cfe69d79882e60a843102278e70a

SHA1
989b31e21e1c9284b26f50f21d2aeb93aeb51522

SHA256
40ce36d7040cba9bcd6c2426b3068a1a1b01101d85f4ad115701565bfa53f9f9

SHA512
e557003effa557ad32b6ae6b08e09d0868f93fa7440184d24f4baae0b7709b99de63e0687aa44034570c9645831331803f08540d3d8ae8226c6dd949e07d6831

Download Submit
C:\Windows\SysWOW64\hatvi.dll

Filesize
201KB

MD5
dcbd7ead99380d86e9536196349393e7

SHA1
00ab6864adda23a6248c6c3d2525fd9a5c3fef9d

SHA256
f5526ded20180bec53ec6ebc0d281aaedfde13f78cba6be637b01ed79b04a254

SHA512
1b42ed04a2b8d3a7ea28e9a74fd4874d6280b97e5a398353752d1dabd601e17e2ee63a60bc73608515d57c5a11ec34f1ddce50188df04e3396aa6119a9997153

Download Submit
memory/2528-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2528-7-0x0000000075C90000-0x0000000075D0A000-memory.dmp

Filesize
488KB

Download
memory/2528-11-0x0000000075C90000-0x0000000075D0A000-memory.dmp

Filesize
488KB

Download
memory/2528-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download