b725fb87ef8abbb92e2154ca170a1b9c38e3d492df293409e6723f760d13eef5

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e54b5d8a1d2c804719afa367b0bdee6.exe
Size

50KB
MD5

3e54b5d8a1d2c804719afa367b0bdee6
SHA1

097d8eb13247f94f95e3dc1afc7f91cd5ad746a6
SHA256

b725fb87ef8abbb92e2154ca170a1b9c38e3d492df293409e6723f760d13eef5
SHA512

808eb1af5dc6aa9d8aa814fc2be2dd5fb161ba6d2500397321641d94f468eb4b3e9ae033f2413e822d60d7462d74c2c709e8698d455f3f166d9641992f4ddf8e
SSDEEP

768:QTNR6FnXxqNdOX3/FULW0xxx/VL4A7Du7Eb3iLrBefrZm3XtjSopJ15WxR7hbNPR:QTL6FXIfQ/K/xKAPurlnNLNoHhbNrzB

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2560	rundll32.exe

Loads dropped DLL 7 IoCs

pid	Process
4696	rundll32.exe
2560	rundll32.exe
1164	rundll32.exe
4696	rundll32.exe
4696	rundll32.exe
1164	rundll32.exe
1164	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2844-0-0x0000000000400000-0x0000000000621000-memory.dmp	upx
behavioral2/memory/2844-7-0x0000000000400000-0x0000000000621000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\whhfd008.ocx	3e54b5d8a1d2c804719afa367b0bdee6.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\whh11009.ocx	3e54b5d8a1d2c804719afa367b0bdee6.exe
File opened for modification	C:\Program Files\Common Files\whh11009.ocx	3e54b5d8a1d2c804719afa367b0bdee6.exe
File created	C:\Program Files\Common Files\0E5769C6ce.dll	3e54b5d8a1d2c804719afa367b0bdee6.exe
File opened for modification	C:\Program Files\Common Files\0E5769C6ce.dll	3e54b5d8a1d2c804719afa367b0bdee6.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
4696	rundll32.exe
676	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4696	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1164	2844	3e54b5d8a1d2c804719afa367b0bdee6.exe	88
PID 2844 wrote to memory of 1164	2844	3e54b5d8a1d2c804719afa367b0bdee6.exe	88
PID 2844 wrote to memory of 1164	2844	3e54b5d8a1d2c804719afa367b0bdee6.exe	88
PID 2844 wrote to memory of 4696	2844	3e54b5d8a1d2c804719afa367b0bdee6.exe	89
PID 2844 wrote to memory of 4696	2844	3e54b5d8a1d2c804719afa367b0bdee6.exe	89
PID 2844 wrote to memory of 4696	2844	3e54b5d8a1d2c804719afa367b0bdee6.exe	89
PID 2844 wrote to memory of 2560	2844	3e54b5d8a1d2c804719afa367b0bdee6.exe	90
PID 2844 wrote to memory of 2560	2844	3e54b5d8a1d2c804719afa367b0bdee6.exe	90
PID 2844 wrote to memory of 2560	2844	3e54b5d8a1d2c804719afa367b0bdee6.exe	90

C:\Users\Admin\AppData\Local\Temp\3e54b5d8a1d2c804719afa367b0bdee6.exe
"C:\Users\Admin\AppData\Local\Temp\3e54b5d8a1d2c804719afa367b0bdee6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Windows\system32\whhfd008.ocx" pfjieaoidjglkajd
  2⤵
  - Loads dropped DLL
  PID:1164
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\0E5769C6ce.dll" m3
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files\Common Files\whh11009.ocx" pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\3e54b5d8a1d2c804719afa367b0bdee6.exe
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\0E5769C6ce.dll

Filesize
10KB

MD5
f1f49fb85ab029ad86c02ebecb892b12

SHA1
664a602f8e843218c1158571714cd0adee1da939

SHA256
f8f3abcf8d43377b49d1edce23a667c9efd9cde86e9afee228e8c3b093013f13

SHA512
600810f5a23067afb483b2fb5cd980c817d1b79da7fd7c5183a2d76f3546c514256f5536791abd4ed4b949518c63ab7c55df3e9b9109df2681fd3df10dbd2673

Download Submit
C:\Program Files\Common Files\whh11009.ocx

Filesize
73KB

MD5
65250c62cbeea8c00b497c499c405ec5

SHA1
87310e829c830225b32905d64027321cd49b2d46

SHA256
87e379ab7ec37ff1513014828c630a4491e229158d4b5d52dac77dabc22f0a9b

SHA512
a7a38baf9bdd8531dad07d60fd858552eeb5d875e263492f52f426b0b500755233514ab8369d3bd5456f82379e83fe948146560b24da2bceb5a9f1829f2730aa

Download Submit
C:\Windows\SysWOW64\whhfd008.ocx

Filesize
14KB

MD5
731659d09654891912ac223e20cd10ab

SHA1
13cee04adc7b09ef1c0c6b9abc02d0c7bc02a071

SHA256
672639ce00081bdd6b6ee69e1bc816d0b353ed9713b5a21bac6009907daf3d3b

SHA512
e2b63a180ff6a9ef523f21a9afe9f71f612f617fbab5b791f763c8bccab14d8cb1986729fadba4bc5f29fe9813766bcb88168018f8c6571ec72efc69639f1116

Download Submit
memory/1164-19-0x0000000002BA0000-0x0000000002DB8000-memory.dmp

Filesize
2.1MB

Download
memory/1164-21-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/1164-23-0x0000000002BA0000-0x0000000002DB8000-memory.dmp

Filesize
2.1MB

Download
memory/2560-22-0x0000000010000000-0x0000000010218000-memory.dmp

Filesize
2.1MB

Download
memory/2844-0-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/2844-7-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4696-20-0x0000000010000000-0x0000000010206000-memory.dmp

Filesize
2.0MB

Download
memory/4696-16-0x00000000029B0000-0x0000000002BC8000-memory.dmp

Filesize
2.1MB

Download
memory/4696-24-0x00000000029B0000-0x0000000002BC8000-memory.dmp

Filesize
2.1MB

Download