e1444c59fbf814dc03b41d8fa6412f81996b18658012fbe9573bb6026fc46387

General

Target

06a31ca8642179cc69be9901f4e07cdf.dll
Size

241KB
MD5

06a31ca8642179cc69be9901f4e07cdf
SHA1

0e5ead02c924b656a17ef62fef8a922f8137fa8e
SHA256

e1444c59fbf814dc03b41d8fa6412f81996b18658012fbe9573bb6026fc46387
SHA512

cc056aec3f87ddf0c825840c9dbcb0bc5d83f91a1e1159e81530c9dcc6871902d69baada13107408f8b0a3537cea04507fca9164f30153666cedfe04a317d4e3
SSDEEP

1536:f64nc42nBVhe6ythK0hj4QUc/lIoviS0hC2pyOd31YspvaO5PWWs0wGkG77rWkdp:fHCVk9Rhjd/4NGS3DacqO7rWkdl

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\roxlqli = "{3c75a106-b4fd-0942-c50e-b4fd298e6cbb}"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
4256	rundll32.exe
4256	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ebkydyv.dll	rundll32.exe
File created	C:\Windows\SysWOW64\qnwkpkh.dll	rundll32.exe
File created	C:\Windows\SysWOW64\mjsglgd.dll	rundll32.exe
File created	C:\Windows\SysWOW64\ebkydyv.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c75a106-b4fd-0942-c50e-b4fd298e6cbb}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c75a106-b4fd-0942-c50e-b4fd298e6cbb}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c75a106-b4fd-0942-c50e-b4fd298e6cbb}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c75a106-b4fd-0942-c50e-b4fd298e6cbb}\InprocServer32\ = "C:\\Windows\\SysWow64\\mjsglgd.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c75a106-b4fd-0942-c50e-b4fd298e6cbb}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4256	rundll32.exe
4256	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4256	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4256	4748	rundll32.exe	26
PID 4748 wrote to memory of 4256	4748	rundll32.exe	26
PID 4748 wrote to memory of 4256	4748	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06a31ca8642179cc69be9901f4e07cdf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\06a31ca8642179cc69be9901f4e07cdf.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ebkydyv.dll

Filesize
42KB

MD5
516df4c7d25de37fc5ca95a70a0afc58

SHA1
a639ff4214b0413f4a5a98227e735dee27bf7042

SHA256
650f49c0fd083dcb18798fd8d178084204be0c13e50cb8bcd7246621f7917a79

SHA512
1bb1a567a798c52c5bc238bfeeea566458e0433915d8609d25c8a1a2811c7150f27b7561a072d633673d1483e9a20f753cce2aa0ca08a3bdbdd6b23bee4f5d03

Download Submit
C:\Windows\SysWOW64\ebkydyv.dll

Filesize
57KB

MD5
63d2b7bc2736e418d90859264da8a03b

SHA1
e4a952be5efba68f5e9af3c1e1c1d92ac23db383

SHA256
6af8653648cb460cfb35a287e9f1d69370c2849ff8b243887e3730dce5b72eea

SHA512
6230a24f7453117a2a7cabf105655378609244cd95f24e227959c3ac8444ed27f164c343e1eee3f9bc01d429b27a40a419adf2d0bda9ed62e9be8c6ce1433918

Download Submit
C:\Windows\SysWOW64\qnwkpkh.dll

Filesize
20KB

MD5
f08ca2beeeaf9d85ab8233fdc6141b62

SHA1
5ae79d2528cb936d4b69820afceecbdccb0ac247

SHA256
d0d156d9c49ded0b511ee76ba5d7af5a26d1a3ac0bce33242a3062fc488f8712

SHA512
86256ee5d5d70e01cc7017989b6e62ba208f5a742456b535807bdafeb431da3050f8c211cf677e6ba2ae2bf33d62bb5d9ee9a642650729e34d8cd6b0637eba43

Download Submit
memory/4256-14-0x00000000758E0000-0x00000000759D0000-memory.dmp

Filesize
960KB

Download
memory/4256-13-0x00000000758E0000-0x00000000759D0000-memory.dmp

Filesize
960KB

Download
memory/4256-6-0x00000000770B0000-0x000000007712A000-memory.dmp

Filesize
488KB

Download
memory/4256-15-0x00000000770B0000-0x000000007712A000-memory.dmp

Filesize
488KB

Download
memory/4256-12-0x00000000758E0000-0x00000000759D0000-memory.dmp

Filesize
960KB

Download
memory/4256-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4256-19-0x00000000770B0000-0x000000007712A000-memory.dmp

Filesize
488KB

Download
memory/4256-20-0x00000000758E0000-0x00000000759D0000-memory.dmp

Filesize
960KB

Download
memory/4256-22-0x00000000758E0000-0x00000000759D0000-memory.dmp

Filesize
960KB

Download
memory/4256-21-0x00000000758E0000-0x00000000759D0000-memory.dmp

Filesize
960KB

Download
memory/4256-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads