e893c237c02949b8e1b06a0e20e4f4f9608662aa3e991475e556ee917f668316

Analysis

max time kernel
135s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038b65c8699c5c577df4ba74c8d99fa3.dll
Size

237KB
MD5

038b65c8699c5c577df4ba74c8d99fa3
SHA1

69a544a3a53694c690a99b2ff2ee91742e24f47d
SHA256

e893c237c02949b8e1b06a0e20e4f4f9608662aa3e991475e556ee917f668316
SHA512

62faf329b399435c09fcee35f646541d4029201d8b0485047d158646684efbe13a923f3469d56d1acb5822ab40f0a79973de4b90715bd74646fe5bff1586f5e4
SSDEEP

3072:GTKVV9fgel8gGbVaPIaGD6qSb+/haryvre06VEwkz:GTKVHIfhawad+/h/rLYm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ezbivxl = "{4774777e-cffc-1441-d00d-cffcfff63dc9}"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	rundll32.exe
2656	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dyahuwk.dll	rundll32.exe
File created	C:\Windows\SysWOW64\zuwdqsg.dll	rundll32.exe
File created	C:\Windows\SysWOW64\rmoviky.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rmoviky.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4774777e-cffc-1441-d00d-cffcfff63dc9}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4774777e-cffc-1441-d00d-cffcfff63dc9}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4774777e-cffc-1441-d00d-cffcfff63dc9}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4774777e-cffc-1441-d00d-cffcfff63dc9}\InprocServer32\ = "C:\\Windows\\SysWow64\\zuwdqsg.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4774777e-cffc-1441-d00d-cffcfff63dc9}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2656	rundll32.exe
2656	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2656	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2656	2184	rundll32.exe	88
PID 2184 wrote to memory of 2656	2184	rundll32.exe	88
PID 2184 wrote to memory of 2656	2184	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\038b65c8699c5c577df4ba74c8d99fa3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\038b65c8699c5c577df4ba74c8d99fa3.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dyahuwk.dll

Filesize
464KB

MD5
56642931b7bd98fa02ff1f8bf51aa1d4

SHA1
af56f5610649a62baa732e01b02d534d8333d9af

SHA256
b6b778bddcfb1cab485742e75ed1477f49ff05feecb190acdfc2877349c60738

SHA512
54bc9c7788efcb8b6f37bea80382191225842650fcde10da8a5e3a4c3b4b99a149f4b870b5d6714fd601fd67263c32b5577723fd13eb17acb8726b7a3a681a57

Download Submit
C:\Windows\SysWOW64\rmoviky.dll

Filesize
329KB

MD5
d9bf3cf3bd6ec9e5a100ecb18d571a00

SHA1
5c76b66d66f30e3a4a53c72fe6273412ba627b17

SHA256
25032ef4465e47b79d57d71c57ce453e21804e4437da9c28aa5aa1e06a84db87

SHA512
dc7c9bb15af3a6070544e94a57ff919cfb010bf8f40194cb5af1a64dda84eb39be5a3c111df0ab58d188baab866ef8df26b9de229547061e4289d9e962c7cc98

Download Submit
C:\Windows\SysWOW64\rmoviky.dll

Filesize
391KB

MD5
6fe3bf4987102870cbfea3a423359c09

SHA1
791856d24fdb753c8a47cf0fd6010743a8dc41b9

SHA256
fc081b508ba97fdd1fe6561f987aefdd92c0ed848d2b0c387a62ff422b45bf4e

SHA512
6f38902db2b1afab2cc6ae6e57f7870015c03d13a58efa4e3ac89d7a00512656f2a92199445dfe1ed97475e41fe4a17f9c9f7c353bda2fd31550cfe12c65dbd0

Download Submit
memory/2656-0-0x0000000002070000-0x00000000020B4000-memory.dmp

Filesize
272KB

Download
memory/2656-2-0x0000000002070000-0x00000000020B4000-memory.dmp

Filesize
272KB

Download
memory/2656-13-0x0000000076D60000-0x0000000076DDA000-memory.dmp

Filesize
488KB

Download
memory/2656-15-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/2656-16-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/2656-17-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download
memory/2656-18-0x0000000002070000-0x00000000020B4000-memory.dmp

Filesize
272KB

Download
memory/2656-19-0x0000000076D60000-0x0000000076DDA000-memory.dmp

Filesize
488KB

Download
memory/2656-20-0x0000000075AF0000-0x0000000075BE0000-memory.dmp

Filesize
960KB

Download