e70ab63d5fab6a7ae63a7e72b2fe2f51ba3bc3bbeb1733c0b99938cfdeedf755

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 14:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cce74747e1632d47a517f1c6fad9958.dll
Size

237KB
MD5

0cce74747e1632d47a517f1c6fad9958
SHA1

cc8d9abf88f5c6a73af778c31e794b8eea4e6964
SHA256

e70ab63d5fab6a7ae63a7e72b2fe2f51ba3bc3bbeb1733c0b99938cfdeedf755
SHA512

2ecbce9b644177b5036d2fa29f14719fe769882f3c85b5c8d3ebc07b533a2f23488623d94037c0600a63d860dac6dd6dcb753f89f89b50e3553d16b6f353d0fc
SSDEEP

1536:ijy9ktfHe9/CN9dolcEnTTXxpStslzthoH4u2eNjg6I915KfW5PG8GJwkN3A:ZefHeMN9doGeBpSuztRlee9PQW4wka

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gqkvyabks = "{0609c49c-8e81-d3d6-9f92-8e814c14a4ea}"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1132	rundll32.exe
1132	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tdxilnoxf.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\tdxilnoxf.dll	rundll32.exe
File created	C:\Windows\SysWOW64\fpjuxzajr.dll	rundll32.exe
File created	C:\Windows\SysWOW64\blfqtvwfn.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0609c49c-8e81-d3d6-9f92-8e814c14a4ea}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0609c49c-8e81-d3d6-9f92-8e814c14a4ea}\	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0609c49c-8e81-d3d6-9f92-8e814c14a4ea}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0609c49c-8e81-d3d6-9f92-8e814c14a4ea}\InprocServer32\ = "C:\\Windows\\SysWow64\\blfqtvwfn.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0609c49c-8e81-d3d6-9f92-8e814c14a4ea}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1132	rundll32.exe
1132	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1132	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1132	4928	rundll32.exe	14
PID 4928 wrote to memory of 1132	4928	rundll32.exe	14
PID 4928 wrote to memory of 1132	4928	rundll32.exe	14

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0cce74747e1632d47a517f1c6fad9958.dll,#1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0cce74747e1632d47a517f1c6fad9958.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tdxilnoxf.dll

Filesize
92KB

MD5
121674b001365103f7b987a96ad91020

SHA1
53cb271ee591d90bf0453fce57638a69effdcfd2

SHA256
a89f7c48097eeb8cf5dfa0839894a657422987b0e7002c765dcbd00793f78ff9

SHA512
998fdd3b8357d8bf29712b2116a13ba8ca12a32f53ba5e8c0876e9f4289c03c133266c0b61350aaea7d2097d6036f70f68878c06d4e11be2c6ffff7e3ec51fc0

Download Submit
memory/1132-17-0x0000000076A70000-0x0000000076B60000-memory.dmp

Filesize
960KB

Download
memory/1132-15-0x0000000076A70000-0x0000000076B60000-memory.dmp

Filesize
960KB

Download
memory/1132-14-0x0000000076A70000-0x0000000076B60000-memory.dmp

Filesize
960KB

Download
memory/1132-13-0x0000000076B60000-0x0000000076BDA000-memory.dmp

Filesize
488KB

Download
memory/1132-2-0x00000000005B0000-0x00000000005F5000-memory.dmp

Filesize
276KB

Download
memory/1132-0-0x00000000005B0000-0x00000000005F5000-memory.dmp

Filesize
276KB

Download
memory/1132-20-0x0000000076A70000-0x0000000076B60000-memory.dmp

Filesize
960KB

Download
memory/1132-19-0x0000000076B60000-0x0000000076BDA000-memory.dmp

Filesize
488KB

Download
memory/1132-18-0x00000000005B0000-0x00000000005F5000-memory.dmp

Filesize
276KB

Download