e56b4bd66250725d8eec4a1e2953acb46cdd30c3ba3ad159079f6980554294a0

General

Target

04cc43bb4a21ce1e4970fece41622730.dll
Size

237KB
MD5

04cc43bb4a21ce1e4970fece41622730
SHA1

534665a7767056ff2c476165fa04afcee8c074c5
SHA256

e56b4bd66250725d8eec4a1e2953acb46cdd30c3ba3ad159079f6980554294a0
SHA512

d5d006bbadbbe6b9714d205fd16acd74970102e1e1233af42fdb0ddd4abffa40998a91a1056d56888d1d11ae41c411b7f2cbf5c0528f92c5ac20c2100ba98d2f
SSDEEP

1536:v62JJyFkQk+oE0XCTsT2xGaPsK/shfHOAP38fgkFRd5vIrfG8GRwk/p:v62HJE0XIGaT/scK32RXvISwkB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tkpfzuxcy = "{9c919e30-1419-696e-252a-141916b88959}"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1844	rundll32.exe
1844	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gxcsmhkpl.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\gxcsmhkpl.dll	rundll32.exe
File created	C:\Windows\SysWOW64\sjoeytwbx.dll	rundll32.exe
File created	C:\Windows\SysWOW64\ofkaupsxt.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959}\InprocServer32\ = "C:\\Windows\\SysWow64\\ofkaupsxt.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c919e30-1419-696e-252a-141916b88959}\InprocServer32	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1844	rundll32.exe
1844	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1844	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 1844	4312	rundll32.exe	14
PID 4312 wrote to memory of 1844	4312	rundll32.exe	14
PID 4312 wrote to memory of 1844	4312	rundll32.exe	14

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04cc43bb4a21ce1e4970fece41622730.dll,#1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04cc43bb4a21ce1e4970fece41622730.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\gxcsmhkpl.dll

Filesize
119KB

MD5
32cc4d862b7db58a6d11dff2e5bfe4e9

SHA1
4bfbf8adc27764bfd5ab3396c235406db6eb2b37

SHA256
84d030235d0e105e42aba36fc7b5c2bd87eb7605896b0aa32b203c0dfb5f3b09

SHA512
511dab27714e50da81ca46779e0ce57cc2e115c545780b87571bdac8fa0fb28d667209e2874247f6146620678ad9e9befac9ffb4ef8ed45f727c6b68fb71cb85

Download Submit
C:\Windows\SysWOW64\gxcsmhkpl.dll

Filesize
183KB

MD5
dd6837d132bb702a7d6b8b11e4ec595f

SHA1
c76ba49109f967fae5900a2eb5896bfedd77e32f

SHA256
32658a06fb0b99f91927947ceeedcb1eb4512ebb56de79d8a3b94fe59d6095d8

SHA512
5241cf1a50e6ca88151d654acd403cc501cf292c78a5eef896bd2c229d3205d07bc09c20139db6d30fdc1b18cfc49c1072b851c1f72532b0d7bfccb15d77a525

Download Submit
C:\Windows\SysWOW64\sjoeytwbx.dll

Filesize
139KB

MD5
c07602ebe0b2720a8c021b5e3af7564d

SHA1
2d9bbe908b0cf3d6565fb12cf34348e5cf3979db

SHA256
e026ae96ed173c42d292b57f92a894656505aa4ea647bab83cd965628bd9fa09

SHA512
6afd06894e28b0d4ac888a7d46ce059e0a79e9e9c70a906ff2654dab64f225788926a8a9e7ee64331b5a58162415a2bc1ea0825fe656204a8d3ef386564daabc

Download Submit
memory/1844-16-0x0000000075330000-0x0000000075420000-memory.dmp

Filesize
960KB

Download
memory/1844-15-0x0000000075330000-0x0000000075420000-memory.dmp

Filesize
960KB

Download
memory/1844-14-0x0000000075330000-0x0000000075420000-memory.dmp

Filesize
960KB

Download
memory/1844-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1844-13-0x0000000077190000-0x000000007720A000-memory.dmp

Filesize
488KB

Download
memory/1844-17-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1844-19-0x0000000077190000-0x000000007720A000-memory.dmp

Filesize
488KB

Download
memory/1844-21-0x0000000075330000-0x0000000075420000-memory.dmp

Filesize
960KB

Download
memory/1844-20-0x0000000075330000-0x0000000075420000-memory.dmp

Filesize
960KB

Download
memory/1844-22-0x0000000075330000-0x0000000075420000-memory.dmp

Filesize
960KB

Download
memory/1844-23-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads