dca116a1a294fa4b8207a51efc8f35d2a329af93315fe659a17d6befb3c3542d

Analysis

max time kernel
145s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0201c921f55007a203c12d7571f5b720.dll
Size

236KB
MD5

0201c921f55007a203c12d7571f5b720
SHA1

ad134f2ae7442d828bf000ca4b19c806f2dd935a
SHA256

dca116a1a294fa4b8207a51efc8f35d2a329af93315fe659a17d6befb3c3542d
SHA512

545457b5cf49fbba4d740e5d639c3ce1eb91cdcb7d6c21d2328adea65fb644a737684fac1c6cb39ab609b2317770010a05e0accbe2b674687cdf101a862ab631
SSDEEP

1536:1dKaTHN2ymZ0ofa5uQm4V7HG8ldINh+RhFtFftCgpcGO5lPf/XG8GmGwktbe:1Y4tIQG8XAmbFfaGc1fawk1e

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fmtlxdcpy = "{9c979f2b-141f-6964-2520-141f17a3e385}"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4004	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ahogsyxkt.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ahogsyxkt.dll	rundll32.exe
File created	C:\Windows\SysWOW64\szgykqpcl.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\szgykqpcl.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c979f2b-141f-6964-2520-141f17a3e385}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c979f2b-141f-6964-2520-141f17a3e385}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c979f2b-141f-6964-2520-141f17a3e385}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c979f2b-141f-6964-2520-141f17a3e385}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9c979f2b-141f-6964-2520-141f17a3e385}\InprocServer32\ = "C:\\Windows\\SysWow64\\ahogsyxkt.dll"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4004	rundll32.exe
4004	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4004	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4004	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 4004	1220	rundll32.exe	14
PID 1220 wrote to memory of 4004	1220	rundll32.exe	14
PID 1220 wrote to memory of 4004	1220	rundll32.exe	14

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0201c921f55007a203c12d7571f5b720.dll,#1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0201c921f55007a203c12d7571f5b720.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\szgykqpcl.dll

Filesize
15KB

MD5
650319d3409769fef6be11e957179f47

SHA1
c3514163c854b384f9167ec1bfd58ae149d97380

SHA256
b413c7513a9fc0e17c041fd465988ee506f0f85b5a2e0f44f346236fb37dfa81

SHA512
eeec90390f355b506f044e192de5204ce212655b99af86f7b44125fc709a86a9934b017572428710d7baafa706f465fd090d7951701ce1de3c6f6b9dbf5a7a13

Download Submit
C:\Windows\SysWOW64\szgykqpcl.dll

Filesize
5KB

MD5
2f986ac158a4eb7749053cf52c805b24

SHA1
316451913a543af442374414208575d45d8fda83

SHA256
0c1fcf50aa1a70ee7b7de785cb31e3cfd5ffc1c53558cbddb57ba8a532041f84

SHA512
b4cb593b76cad1f6694f084d08b45e86391767183af498f1f6326b1cb8d90b4b5bce48ee492c39e662c1383725a89a5d88409348a32b2ad1bfbcc880d6ad97e5

Download Submit
memory/4004-7-0x00000000767C0000-0x000000007683A000-memory.dmp

Filesize
488KB

Download
memory/4004-10-0x00000000767C0000-0x000000007683A000-memory.dmp

Filesize
488KB

Download
memory/4004-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4004-12-0x00000000767C0000-0x000000007683A000-memory.dmp

Filesize
488KB

Download
memory/4004-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download