bddc212ad99db3b5c9b67a014a76614a7239a19ec3d6764afeae3b5ceeb497c4

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a425f00e8d1e1084a42e80b6ab7113.exe
Size

76KB
MD5

18a425f00e8d1e1084a42e80b6ab7113
SHA1

9c8ff0bc7935d50d669e31b3cb6623a23e7f443d
SHA256

bddc212ad99db3b5c9b67a014a76614a7239a19ec3d6764afeae3b5ceeb497c4
SHA512

449538087a36fd52fe5f349ebe2acdf15cd41d7a3736c13b513fec8924729e6b70cc5b179d6dc804a2794c32b24c7f1504821e9ed8ccbbccc1bd047c0c77bd72
SSDEEP

1536:5kp50xHYeGh8wD04WMvsJSDq+JlNkrAaDEIo2m28fUbBHtGmF0W:s0xHYeGh8ww4WMvmSDX3AmA88bBZ/

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1596	rundll32.exe
4116	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcukosucefu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Wicocms.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 1596	3768	18a425f00e8d1e1084a42e80b6ab7113.exe	16
PID 3768 wrote to memory of 1596	3768	18a425f00e8d1e1084a42e80b6ab7113.exe	16
PID 3768 wrote to memory of 1596	3768	18a425f00e8d1e1084a42e80b6ab7113.exe	16
PID 1596 wrote to memory of 4116	1596	rundll32.exe	100
PID 1596 wrote to memory of 4116	1596	rundll32.exe	100
PID 1596 wrote to memory of 4116	1596	rundll32.exe	100

C:\Users\Admin\AppData\Local\Temp\18a425f00e8d1e1084a42e80b6ab7113.exe
"C:\Users\Admin\AppData\Local\Temp\18a425f00e8d1e1084a42e80b6ab7113.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Wicocms.dll",Startup
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Wicocms.dll",iep
    3⤵
    - Loads dropped DLL
    PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Wicocms.dll

Filesize
76KB

MD5
1bda70e5cb2b14465c56af28bf061845

SHA1
bd8c4cb2681ddba508ff375fecc8ea3f0fffa01c

SHA256
e13349dd9a62b2740088024cd7e1af19a643e0d04843563b83270a747519718f

SHA512
df22237a7148cd03e796940131e53a15986778cccceb5f587a30c3c16f91f286cd0cbe2584a58e591c89dcf56ed02dbf95a2e1e6e2e2c26c2b3441637f012fbd

Download Submit
memory/1596-13-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1596-19-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/1596-9-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1596-8-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1596-10-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/1596-11-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/1596-28-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1596-24-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1596-18-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/3768-3-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/3768-17-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/3768-16-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/3768-12-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3768-0-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3768-2-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3768-1-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/4116-26-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/4116-25-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/4116-29-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/4116-32-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download