3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0

General

Target

3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0.dll
Size

2.6MB
MD5

c032571b2c494c02194f05e7f476e997
SHA1

0b524906ed83ec66969257393f0feaeb52048544
SHA256

3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0
SHA512

84df1b59e895b7127d398b7b96034821bc33d8247e7f7d4731815473a1463708be71ff2be5a292f62298ad46540c463e39e541762fb1569e19a1c82ead9b2197
SSDEEP

49152:PRP/ddeBQy1lPe22pKpUmmWmFekXPyZ7wlX7zSLxC2X6MYhRcdVhlC4JX4:J/ddeBQy1l2cUmmpFPPy+lrzSLU2X6bW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4172	kss.ini

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe
4392	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4392	rundll32.exe
Token: SeIncBasePriorityPrivilege	4392	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4392	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4392	4504	rundll32.exe	14
PID 4504 wrote to memory of 4392	4504	rundll32.exe	14
PID 4504 wrote to memory of 4392	4504	rundll32.exe	14
PID 4392 wrote to memory of 4172	4392	rundll32.exe	18
PID 4392 wrote to memory of 4172	4392	rundll32.exe	18
PID 4392 wrote to memory of 4172	4392	rundll32.exe	18

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392
- \??\c:\kss.ini
  c:\kss.ini
  2⤵
  - Executes dropped EXE
  PID:4172
- - C:\Program Files\QQExternal.exe
    "C:\Program Files\QQExternal.exe"
    3⤵
    PID:2236

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3479e7ee256673ba85659b732500c026cd218f3d79e5596e1605660208d7faa0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\kss.ini

Filesize
893KB

MD5
eb6513ed5c48d62364a6aba2e13e426b

SHA1
d928b7f951ca8ecdf8191ed19f875931b0b911fb

SHA256
154477aef1036ee457834d5f09eb601360eb71859cc5f766778953b9c1bcfe6f

SHA512
675a41d79bebd129c0e539455482c7cc41a675de9c8b5f6927f28dfb6deb60af9e7202c908778cdcc09ab12fdaa80a9e4ac4e77074dd046a6a1322e0e8c34b82

Download Submit
\??\c:\kss.ini

Filesize
1.1MB

MD5
04df61b9ecb2049a4396a40825834427

SHA1
9f43a1f20819f018e6081ac4603acc6d516f1e99

SHA256
f5873b29d8de18320424e98ecfe93dd7eb8026abedd3165e9e1440ff5c6b1aad

SHA512
40bb21e25f8901dca9164ff8af31e5c667c9bb66d3d3e06150f3d132689838084c5f5c8f698a91ac0c3d19aa186b531a7a88c91b8e362520c287cc8b03403ef3

Download Submit
memory/2236-26163-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2236-13087-0x0000000076030000-0x0000000076245000-memory.dmp

Filesize
2.1MB

Download
memory/2236-26167-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2236-26165-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2236-26155-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2236-16961-0x0000000076960000-0x0000000076B00000-memory.dmp

Filesize
1.6MB

Download
memory/2236-26162-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2236-18970-0x00000000768E0000-0x000000007695A000-memory.dmp

Filesize
488KB

Download
memory/2236-26157-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2236-13086-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2236-26160-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2236-26158-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2236-26156-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-26161-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-5-0x0000000076030000-0x0000000076245000-memory.dmp

Filesize
2.1MB

Download
memory/4172-13073-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-13080-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/4172-13079-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-13075-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-4-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-13078-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-26164-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-13076-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-13074-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4172-5888-0x00000000768E0000-0x000000007695A000-memory.dmp

Filesize
488KB

Download
memory/4172-3879-0x0000000076960000-0x0000000076B00000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing