5ab271cc667ae6ad14b2281756ede5281d5647bced1caf7dfbe17c8e1056f1ec

Analysis

max time kernel
166s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b58a817339a6fa0b80a8e4822c43725.dll
Size

32KB
MD5

6b58a817339a6fa0b80a8e4822c43725
SHA1

f55acd3f0539046a33e78e8e407fdc49ff9113fa
SHA256

5ab271cc667ae6ad14b2281756ede5281d5647bced1caf7dfbe17c8e1056f1ec
SHA512

74d725b4d5310dba96aa8d849e218f5ea6fa2171105a5626df2874b58ee3370f49b9f91bc24c8f3874c77f3f913d2cce46ac9a6b581424dc85890f6efe211bc9
SSDEEP

768:2kXiFC+MQtmj5UUdF8a54xM5feT3TSPxdv4G:85jtmF58a4OeT8L

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
4576	rundll32.exe
4576	rundll32.exe
3616	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\urqPfDUN.dll,#1"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\urqPfDUN.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\urqPfDUN.dll	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{224933BF-1890-44F7-96FA-0A41B1F55F76}\InprocServer32\ = "C:\\Windows\\SysWow64\\urqPfDUN.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{224933BF-1890-44F7-96FA-0A41B1F55F76}\InprocServer32\ThreadingModel = "Both"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{224933BF-1890-44F7-96FA-0A41B1F55F76}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{224933BF-1890-44F7-96FA-0A41B1F55F76}\InprocServer32	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4576	rundll32.exe
4576	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe
3616	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4576	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4576	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 4576	3740	rundll32.exe	88
PID 3740 wrote to memory of 4576	3740	rundll32.exe	88
PID 3740 wrote to memory of 4576	3740	rundll32.exe	88
PID 4576 wrote to memory of 616	4576	rundll32.exe	4
PID 4576 wrote to memory of 3616	4576	rundll32.exe	102
PID 4576 wrote to memory of 3616	4576	rundll32.exe	102
PID 4576 wrote to memory of 3616	4576	rundll32.exe	102

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b58a817339a6fa0b80a8e4822c43725.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b58a817339a6fa0b80a8e4822c43725.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Windows\system32\urqPfDUN.dll,a
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\urqPfDUN.dll

Filesize
32KB

MD5
6b58a817339a6fa0b80a8e4822c43725

SHA1
f55acd3f0539046a33e78e8e407fdc49ff9113fa

SHA256
5ab271cc667ae6ad14b2281756ede5281d5647bced1caf7dfbe17c8e1056f1ec

SHA512
74d725b4d5310dba96aa8d849e218f5ea6fa2171105a5626df2874b58ee3370f49b9f91bc24c8f3874c77f3f913d2cce46ac9a6b581424dc85890f6efe211bc9

Download Submit
C:\Windows\SysWOW64\urqPfDUN.dll

Filesize
20KB

MD5
bf942395497d80232bcda699f9de45d5

SHA1
b47c8d1321e2ca8a6b4deee91a81996a19b4b051

SHA256
264b06abe5b26e4451708a95a8a4c95c0c0c1351e58b97c05be2b4dc8e0c93d2

SHA512
4122361ffc3ca44da3630c28fbed586c56ab1cc9c123ca2c763d7478fbd1af6b3ba36c18e13381d56748deecf5bcca52866631f0e57d44e53a5dfd669bdb3328

Download Submit
C:\Windows\SysWOW64\urqPfDUN.dll

Filesize
14KB

MD5
404da2beea388395233b130502acb5f7

SHA1
fccb60c55bec1bcfff385747aca33a34856f253b

SHA256
dc0bd9f295d00bf73bad0fc496e8510a2206579b2dddca496a2221c39c40c9fb

SHA512
8895333fc42502d0f63c60513e5701c4c23dd737ce7939c6a8207b2aca1c4a9cf0aa9fedff131c91a437ced2e0ddbb8ca4375fe9a5652895b97d60d973d1eb32

Download Submit
memory/3616-17-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3616-18-0x0000000000B00000-0x0000000000B05000-memory.dmp

Filesize
20KB

Download
memory/3616-19-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4576-1-0x0000000000B10000-0x0000000000B15000-memory.dmp

Filesize
20KB

Download
memory/4576-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4576-9-0x0000000002710000-0x0000000002715000-memory.dmp

Filesize
20KB

Download
memory/4576-8-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/4576-10-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4576-14-0x0000000000B10000-0x0000000000B15000-memory.dmp

Filesize
20KB

Download