e9cd80b16d9c424ea632a20e0adefa7852708f0d671cccf644b15cf288754021

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

006575179789887d62d2ee8b5ba820b5.dll
Size

237KB
MD5

006575179789887d62d2ee8b5ba820b5
SHA1

980772976812c7ef3d644645165b5ea33ff34c0b
SHA256

e9cd80b16d9c424ea632a20e0adefa7852708f0d671cccf644b15cf288754021
SHA512

88eeac529607f50f8341f436ec871cd462081c8f9b25249684f89a8c3e780ec7fa83d03f2f5e4752b354faffbbff3199802d62455269bfa721991bb06f8f0016
SSDEEP

1536:XeHcpAz1xBApIP95YywPgBiUqrklgWhKHkDK9vj6gKLuf50/vQODGsGDwkk0t:eVz1xBApIP95RiUMWXm9vkuR0/4PwkLt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kiuzborlc = "{66259073-eead-33f2-ffbe-eead18fb2b0a}"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	rundll32.exe
1720	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fdpuwjmgx.dll	rundll32.exe
File created	C:\Windows\SysWOW64\xvhmobeyp.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\xvhmobeyp.dll	rundll32.exe
File created	C:\Windows\SysWOW64\jhtyanqkb.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66259073-eead-33f2-ffbe-eead18fb2b0a}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66259073-eead-33f2-ffbe-eead18fb2b0a}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66259073-eead-33f2-ffbe-eead18fb2b0a}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66259073-eead-33f2-ffbe-eead18fb2b0a}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66259073-eead-33f2-ffbe-eead18fb2b0a}\InprocServer32\ = "C:\\Windows\\SysWow64\\fdpuwjmgx.dll"	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1720	1960	rundll32.exe	16
PID 1960 wrote to memory of 1720	1960	rundll32.exe	16
PID 1960 wrote to memory of 1720	1960	rundll32.exe	16
PID 1960 wrote to memory of 1720	1960	rundll32.exe	16
PID 1960 wrote to memory of 1720	1960	rundll32.exe	16
PID 1960 wrote to memory of 1720	1960	rundll32.exe	16
PID 1960 wrote to memory of 1720	1960	rundll32.exe	16

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\006575179789887d62d2ee8b5ba820b5.dll,#1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\006575179789887d62d2ee8b5ba820b5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\jhtyanqkb.dll

Filesize
1.1MB

MD5
9b98d47916ead4f69ef51b56b0c2323c

SHA1
290a80b4ded0efc0fd00816f373fcea81a521330

SHA256
96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

SHA512
68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

Download Submit
\Windows\SysWOW64\xvhmobeyp.dll

Filesize
481KB

MD5
74ba8f0f14126ec33945c0fd4c343424

SHA1
6eb88759b415bf2e908a114879f4397517da5939

SHA256
ad4c62e2482c6e79234f60bd431c9e641ffe940dc42301d7316fb039168afd35

SHA512
b1aae954ba602ca8e067276683a408406741af78746bd3cec691cb5b7779a2a9effcf9b2bf3a85e9e1c52f1142fd44a33f716598f4bd164b46acf63e89fcbd93

Download Submit
memory/1720-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-14-0x0000000076090000-0x0000000076130000-memory.dmp

Filesize
640KB

Download
memory/1720-13-0x0000000076BB0000-0x0000000076CC0000-memory.dmp

Filesize
1.1MB

Download
memory/1720-12-0x0000000076BB0000-0x0000000076CC0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads