e13d23fddd46141f25842dfcbc95c3072897b07853113f1aa7492e251daf8129

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fe4ed6fb393e6daea00070c5e36a6e1.dll
Size

237KB
MD5

5fe4ed6fb393e6daea00070c5e36a6e1
SHA1

f6c6487d700954eb44f0f8ac97fe52824b4b6e7e
SHA256

e13d23fddd46141f25842dfcbc95c3072897b07853113f1aa7492e251daf8129
SHA512

9734fdcd15bbc36a67c3a210342778781f131b9d1e3d399bb0ee6d8968256d945277cf1cc6fa9d15718e1b6e0142cdbc05e476a1a5273c9782be51658f791f81
SSDEEP

1536:ojjcfvcIAuacgaHByoVzAHTPxJNCHVRkhAH4VhbLjgEiwW5bMFe4tvGcGnwk9+Z:4+kIAi4IzQJNURkZ7bwwkbMzOwk9u

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bwaux = "{f4009e9b-7c88-c1dd-8d99-7c881613dd8d}"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	rundll32.exe
1716	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\avztw.dll	rundll32.exe
File created	C:\Windows\SysWOW64\wrvps.dll	rundll32.exe
File created	C:\Windows\SysWOW64\ojnhk.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ojnhk.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4009e9b-7c88-c1dd-8d99-7c881613dd8d}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4009e9b-7c88-c1dd-8d99-7c881613dd8d}\InprocServer32\ = "C:\\Windows\\SysWow64\\wrvps.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4009e9b-7c88-c1dd-8d99-7c881613dd8d}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4009e9b-7c88-c1dd-8d99-7c881613dd8d}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f4009e9b-7c88-c1dd-8d99-7c881613dd8d}\	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1716	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1716	2268	rundll32.exe	14
PID 2268 wrote to memory of 1716	2268	rundll32.exe	14
PID 2268 wrote to memory of 1716	2268	rundll32.exe	14
PID 2268 wrote to memory of 1716	2268	rundll32.exe	14
PID 2268 wrote to memory of 1716	2268	rundll32.exe	14
PID 2268 wrote to memory of 1716	2268	rundll32.exe	14
PID 2268 wrote to memory of 1716	2268	rundll32.exe	14

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fe4ed6fb393e6daea00070c5e36a6e1.dll,#1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fe4ed6fb393e6daea00070c5e36a6e1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1716-11-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1716-14-0x0000000074EC0000-0x0000000074F60000-memory.dmp

Filesize
640KB

Download
memory/1716-13-0x0000000075100000-0x0000000075210000-memory.dmp

Filesize
1.1MB

Download
memory/1716-12-0x0000000075100000-0x0000000075210000-memory.dmp

Filesize
1.1MB

Download
memory/1716-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads