e56b4bd66250725d8eec4a1e2953acb46cdd30c3ba3ad159079f6980554294a0

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04cc43bb4a21ce1e4970fece41622730.dll
Size

237KB
MD5

04cc43bb4a21ce1e4970fece41622730
SHA1

534665a7767056ff2c476165fa04afcee8c074c5
SHA256

e56b4bd66250725d8eec4a1e2953acb46cdd30c3ba3ad159079f6980554294a0
SHA512

d5d006bbadbbe6b9714d205fd16acd74970102e1e1233af42fdb0ddd4abffa40998a91a1056d56888d1d11ae41c411b7f2cbf5c0528f92c5ac20c2100ba98d2f
SSDEEP

1536:v62JJyFkQk+oE0XCTsT2xGaPsK/shfHOAP38fgkFRd5vIrfG8GRwk/p:v62HJE0XIGaT/scK32RXvISwkB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\hucvopeug = "{5023890c-d8ab-2df0-e9bc-d8ab0184047f}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	rundll32.exe
2692	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\uhpibcrht.dll	rundll32.exe
File created	C:\Windows\SysWOW64\gtbunodtf.dll	rundll32.exe
File created	C:\Windows\SysWOW64\cpxqjkzpb.dll	rundll32.exe
File created	C:\Windows\SysWOW64\uhpibcrht.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f}\InprocServer32\ = "C:\\Windows\\SysWow64\\cpxqjkzpb.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5023890c-d8ab-2df0-e9bc-d8ab0184047f}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2692	2084	rundll32.exe	17
PID 2084 wrote to memory of 2692	2084	rundll32.exe	17
PID 2084 wrote to memory of 2692	2084	rundll32.exe	17
PID 2084 wrote to memory of 2692	2084	rundll32.exe	17
PID 2084 wrote to memory of 2692	2084	rundll32.exe	17
PID 2084 wrote to memory of 2692	2084	rundll32.exe	17
PID 2084 wrote to memory of 2692	2084	rundll32.exe	17

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04cc43bb4a21ce1e4970fece41622730.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\04cc43bb4a21ce1e4970fece41622730.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\gtbunodtf.dll

Filesize
245KB

MD5
5e3e2561c0198c8658b5a0d1b2ae8fd3

SHA1
a488b546babe221864f25d655e3a0fd1d90f4dcc

SHA256
b20193b5695a6395ed55b1f84757e8b972635963185cf28fe6a063acdf3df3a1

SHA512
242b50d680738cd8c78c1022722e0d6afb83e0309fb76a20972fc0433e5ada1eb454c17a6a347ca3a6fe80c6a0f4f812fc95520dac81c0cb8342eed5db6a71f7

Download Submit
\Windows\SysWOW64\uhpibcrht.dll

Filesize
231KB

MD5
8cc6c9908be7863e29511654a08c87ed

SHA1
3e655a8a8d46f699e465ab7c04f93024bbf591c6

SHA256
0f5890f2ccf8bba7293c21b69809822f6b210289b9719b0be7eccbe4cc3c44c3

SHA512
0d6a35981d2deaf7b8550e46390a2e8264d362b86029fd4c5d123960a16d0a3ea9923a91657b9a327e8dbb6fb818247a1f2ac538716c3d4d9ad0b68bd234bf76

Download Submit
memory/2692-2-0x0000000000230000-0x0000000000275000-memory.dmp

Filesize
276KB

Download
memory/2692-13-0x0000000076970000-0x0000000076A80000-memory.dmp

Filesize
1.1MB

Download
memory/2692-16-0x00000000761D0000-0x0000000076270000-memory.dmp

Filesize
640KB

Download
memory/2692-15-0x0000000076970000-0x0000000076A80000-memory.dmp

Filesize
1.1MB

Download
memory/2692-14-0x0000000076970000-0x0000000076A80000-memory.dmp

Filesize
1.1MB

Download
memory/2692-12-0x0000000000230000-0x0000000000275000-memory.dmp

Filesize
276KB

Download
memory/2692-0-0x0000000000230000-0x0000000000275000-memory.dmp

Filesize
276KB

Download
memory/2692-17-0x00000000761D0000-0x0000000076270000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads