e3e1b289dace431d4180f255491d189fa33b6e1cff69622a50b3075ae642c529

Analysis

max time kernel
145s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a0daeadd60234e7c9adaf1830b06ac.dll
Size

236KB
MD5

04a0daeadd60234e7c9adaf1830b06ac
SHA1

e36e0172303dca5304b3fbd65b6cf8c35bb4cc68
SHA256

e3e1b289dace431d4180f255491d189fa33b6e1cff69622a50b3075ae642c529
SHA512

e6088c08c9fd9054e401e53525a6b81b1ff904f34657e453d8882b4d772a6f7bdc5322e665768c2daf130ae6f5ef19507ce98e9f0a831a6105f4da34eaa4ca97
SSDEEP

3072:3F24fliN+7XlmZKxbLYH1rhAwHL5K2W5QVgxwkF9:3F24flic7X8ZibLYHFhAkKZYgn9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\iildm = "{ccfd0926-4475-99ca-5586-447581aec2a1}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
3036	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vvyqz.dll	rundll32.exe
File created	C:\Windows\SysWOW64\ddgyh.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ddgyh.dll	rundll32.exe
File created	C:\Windows\SysWOW64\vvyqz.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ccfd0926-4475-99ca-5586-447581aec2a1}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ccfd0926-4475-99ca-5586-447581aec2a1}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ccfd0926-4475-99ca-5586-447581aec2a1}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ccfd0926-4475-99ca-5586-447581aec2a1}\InprocServer32\ = "C:\\Windows\\SysWow64\\ddgyh.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ccfd0926-4475-99ca-5586-447581aec2a1}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3036	rundll32.exe
3036	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3036	2412	rundll32.exe	14
PID 2412 wrote to memory of 3036	2412	rundll32.exe	14
PID 2412 wrote to memory of 3036	2412	rundll32.exe	14

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04a0daeadd60234e7c9adaf1830b06ac.dll,#1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04a0daeadd60234e7c9adaf1830b06ac.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vvyqz.dll

Filesize
78KB

MD5
635390d9ca8ed8d9766551adeaa1f452

SHA1
0819885357ac21b4d6d60df360c784ba37b637d8

SHA256
8988bd6d3da8c49d2dd29a3165baa8e7d7bbf8e3fbb44271afd63a61de54d209

SHA512
ea0e54bd20db8ca7b5cc7c3e9c71c7d9c7943bc576da1e05087de883344c294d3af449ddc5249c22b499eba1bf9f6ff6b75b422778078b6380e49d7c8210ef13

Download Submit
C:\Windows\SysWOW64\vvyqz.dll

Filesize
74KB

MD5
27f61670081a3625e3fade177aa283b7

SHA1
f0fb79b42af33620f61f13f3c99849598381f857

SHA256
0f0aaaea627f5713aa68031822bf4870260451fe5e473b715b0d45cb736b0ad2

SHA512
50999dede6402b25336f216432d41794d215dd04c552a7a88c392e907b17bbadb27bd670248c1dbab5997099c3e0ad2b0aa72b904f22e7b0f30215a604d337ba

Download Submit
memory/3036-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-7-0x0000000076E40000-0x0000000076EBA000-memory.dmp

Filesize
488KB

Download
memory/3036-11-0x0000000076E40000-0x0000000076EBA000-memory.dmp

Filesize
488KB

Download
memory/3036-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download