Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 04:58

General

  • Target

    0f5069dff53423ea4e5f591a4fe819ed.exe

  • Size

    260KB

  • MD5

    0f5069dff53423ea4e5f591a4fe819ed

  • SHA1

    25e1f42b707a59da2b5d549f3ee123d32bc85895

  • SHA256

    b6854965fab46c51a0350a8d9fb21f0797f872ae3e96198829306373d594dd71

  • SHA512

    a59517cc900299cd352c281263780fc7126577b83b8600aac8af0cd99d1ee987dc6080c0a84a9d5b75cc92dc7446e2eba68a34b735b6d92d8c61684fc1f7951c

  • SSDEEP

    3072:N1SIY9MlJpd157vzjjhy3SzSygCQjQqyH8GSI7jOExlUBgFqPQrXjA61u2+TKa69:GIUMLzLjI6OC3cPI7BqofNrfr/ncW

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (17 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies data under HKEY_USERS (3 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f5069dff53423ea4e5f591a4fe819ed.exe
    "C:\Users\Admin\AppData\Local\Temp\0f5069dff53423ea4e5f591a4fe819ed.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Windows\SysWOW64\rundll2kxp.exe
      "C:\Windows\system32\rundll2kxp.exe" "C:\Windows\system32\wbem\jedik.dll",Export @install
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3852
    • C:\Windows\SysWOW64\rundll2kxp.exe
      "C:\Windows\system32\rundll2kxp.exe" "C:\Windows\system32\wbem\jedik.dll",Export @start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3344
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\kubtz.dll",ExportFunc 1001
      2⤵
      • Sets DLL path for service in the registry
      • Loads dropped DLL
      PID:2064
  • C:\WINDOWS\SysWOW64\RUNDLL2KXP.EXE
    C:\WINDOWS\SysWOW64\RUNDLL2KXP.EXE C:\WINDOWS\SYSTEM32\WBEM\JEDIK.DLL,Export 1087
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:4084

Network

        Downloads

        • C:\WINDOWS\SysWOW64\WBEM\ocmor.dll

          Filesize

          6KB

          MD5

          2c9c3948edbbdb7015054eda23d1cca0

          SHA1

          14a6aa1d75dfdfc2fd213545f150c034b0f7286f

          SHA256

          b75790e97df65e074970d9347148d60860328b91c6e0be08deacdc204b076fea

          SHA512

          75c70cb432107b43e20f6df8dc9484deb60d0a4dd2bf7182686a56bc533aaf44862015f40a62d867224502a5a505611b4d90b5638cf86721fcca378098fa9e9b

        • C:\Windows\SysWOW64\kubtz.dll

          Filesize

          236KB

          MD5

          728a36ea9080184e99b828c93a86781d

          SHA1

          25a71da5eeaf5d60a537b02620ce7a7a69773d81

          SHA256

          6f55db12adb84c01dfae3f5357ed977a94c691850d0e171c45be6780220da677

          SHA512

          3e7b1d97ee4eb8dcf9bfc4bc15d2405286ba4c709cb16870567caddeb6588f65bf977f15f1472b685fbbcf6c8c2906f75e60af1e3f02e04769567db865060618

        • C:\Windows\SysWOW64\rundll2kxp.exe

          Filesize

          10KB

          MD5

          4936a6954ed59700a3c706f9094685ee

          SHA1

          124edd171bfc8a5c7f5fcf2147f6ff43b705bb79

          SHA256

          e598bcf79618ab6ab58b29b7a7f3e5fc01ce6c7dbefcaa308565d3d9168249fe

          SHA512

          1ef09ed6a9b22d761981e759fa2089e9c461fda4a46cba66431817bc7b75451d4639e63cd3872a71c3bf123831983590075fc924424833adf0ef491056de32ea

        • C:\Windows\SysWOW64\wbem\jedik.dll

          Filesize

          212KB

          MD5

          38c6fb661d99afc350099ec1282d7744

          SHA1

          326f13d2ffc77214a3178f7d0246d73903a756ac

          SHA256

          c3f362ce59f793eb7d55f407678bc6a883eb68932a513ad3bd6221f05800f2ad

          SHA512

          61a8fbd5599c53371e33f6b3861c3e94cc7de553e1f640e25b1dc011b0a44250dd389ebe71d5880b9f10d06974bb89456283fce1d030ae15fda2b3777d014c89

        • memory/3344-26-0x0000000001000000-0x0000000001004000-memory.dmp

          Filesize

          16KB

        • memory/3852-13-0x0000000001000000-0x0000000001004000-memory.dmp

          Filesize

          16KB

        • memory/3852-17-0x0000000001000000-0x0000000001004000-memory.dmp

          Filesize

          16KB

        • memory/5100-0-0x0000000000400000-0x0000000000441180-memory.dmp

          Filesize

          260KB

        • memory/5100-10-0x0000000000400000-0x0000000000441180-memory.dmp

          Filesize

          260KB

        • memory/5100-31-0x0000000000400000-0x0000000000441180-memory.dmp

          Filesize

          260KB

        • memory/5100-34-0x0000000000400000-0x0000000000441180-memory.dmp

          Filesize

          260KB
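The process tree and the dropped-file list above together describe one detectable pattern: the sample writes a rundll32 lookalike (rundll2kxp.exe) and two DLLs into SysWOW64, then has those hosts load the freshly written DLLs, and the lookalike later reappears at the top of the tree with no parent in the sample's tree. The Python below is an added example, not part of the sandbox report or of the sandbox's own signature engine. Its event records are constructed by hand from the tree and file list above, with field names borrowed from Sysmon process-creation and file-creation events; attributing the three dropped binaries to PID 5100 (the only earlier process flagged "Drops file in System32 directory") and treating PID 4084's parent as absent are assumptions.

```python
"""Detection logic for the behaviour shown in the sandbox report above.

Added example, not part of the report. Event records are constructed from the
report's process tree and dropped-file list; field names follow Sysmon Event
ID 1 (process create) and Event ID 11 (file create), but nothing here is
captured telemetry.
"""
import re

# Constructed. Attributing the files to PID 5100 / 4084 is an assumption: the
# report lists the drops and the "Drops file in System32 directory" flags but
# not which process wrote which file.
FILE_CREATES = [
    {"pid": 5100, "path": r"C:\Windows\SysWOW64\rundll2kxp.exe"},
    {"pid": 5100, "path": r"C:\Windows\SysWOW64\wbem\jedik.dll"},
    {"pid": 5100, "path": r"C:\Windows\SysWOW64\kubtz.dll"},
    {"pid": 4084, "path": r"C:\WINDOWS\SysWOW64\WBEM\ocmor.dll"},
]

# Constructed from the process tree; ppid None = parent not in the tree.
PROCESS_CREATES = [
    {"pid": 5100, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0f5069dff53423ea4e5f591a4fe819ed.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\0f5069dff53423ea4e5f591a4fe819ed.exe"'},
    {"pid": 3852, "ppid": 5100, "image": r"C:\Windows\SysWOW64\rundll2kxp.exe",
     "cmd": r'"C:\Windows\system32\rundll2kxp.exe" "C:\Windows\system32\wbem\jedik.dll",Export @install'},
    {"pid": 3344, "ppid": 5100, "image": r"C:\Windows\SysWOW64\rundll2kxp.exe",
     "cmd": r'"C:\Windows\system32\rundll2kxp.exe" "C:\Windows\system32\wbem\jedik.dll",Export @start'},
    {"pid": 2064, "ppid": 5100, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\kubtz.dll",ExportFunc 1001'},
    {"pid": 4084, "ppid": None, "image": r"C:\WINDOWS\SysWOW64\RUNDLL2KXP.EXE",
     "cmd": r"C:\WINDOWS\SysWOW64\RUNDLL2KXP.EXE C:\WINDOWS\SYSTEM32\WBEM\JEDIK.DLL,Export 1087"},
]

# rundll32-style argument: <dll>,<export> [args]; the DLL path is either quoted
# or an unquoted, space-free path.
DLL_ARG = re.compile(
    r'(?:"([^"]+?\.dll)"|([A-Za-z]:\\[^"\s,]+?\.dll))\s*,\s*([^\s,]+)', re.IGNORECASE)


def norm(path):
    """Case-fold a Windows path and undo WOW64 file-system redirection.

    The sample is 32-bit (arch:x86 in the report), so the 'system32' it names on
    its command lines is SysWOW64 on disk; without this the DLL a host loads
    would never match the file that was dropped."""
    return path.lower().replace("/", "\\").replace("\\syswow64\\", "\\system32\\")


def basename(path):
    return norm(path).rsplit("\\", 1)[-1]


def parse_dll_host_cmdline(cmd):
    """Return (dll_path, export) from a rundll32-style command line, or None."""
    m = DLL_ARG.search(cmd)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def detect(process_creates, file_creates):
    """Correlate process creations against earlier file creations.

    Returns (rule, pid, detail) tuples. The first two rules mirror the report's
    'Executes dropped EXE' / 'Loads dropped DLL' signatures; the other two are
    checks the tree implies but the report does not name."""
    dropped = {norm(e["path"]) for e in file_creates}
    known_pids = {p["pid"] for p in process_creates}
    findings = []
    for p in process_creates:
        image, name = norm(p["image"]), basename(p["image"])
        # A DLL host whose name imitates rundll32 but is not rundll32.exe.
        if re.fullmatch(r"rundll\w*\.exe", name) and name != "rundll32.exe":
            findings.append(("rundll32 lookalike host", p["pid"], name))
        if image in dropped:
            findings.append(("executes dropped EXE", p["pid"], name))
            # A dropped binary whose parent lies outside the observed tree is
            # consistent with a service or autostart relaunch.
            if p["ppid"] not in known_pids:
                findings.append(("dropped EXE started outside tree", p["pid"], name))
        if name.startswith("rundll"):
            parsed = parse_dll_host_cmdline(p["cmd"])
            if parsed and norm(parsed[0]) in dropped:
                findings.append(("loads dropped DLL", p["pid"],
                                 f"{basename(parsed[0])},{parsed[1]}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCESS_CREATES, FILE_CREATES):
        print(f"{pid:>5}  {rule:<32} {detail}")
```

Two points a practitioner should carry over to real telemetry. First, the redirection-aware normalisation in `norm` is what makes the correlation work at all: the command lines say `system32` while the file-create events say `SysWOW64`, because WoW64 redirects a 32-bit process's view of System32. Second, the command-line parser deliberately accepts only quoted paths or unquoted paths without spaces; a production parser should apply the same splitting rules the host uses (CommandLineToArgv), since an unquoted path containing a space would otherwise be missed.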