cf907323f4893e56447a67c119c18cb0b4cb1a90cdc86df5ff39f83f0fa73728

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70e89c0076ccca008e24d7fb1db1e9f3.exe
Size

49KB
MD5

70e89c0076ccca008e24d7fb1db1e9f3
SHA1

883020089b449567b770a89686f500479ff84590
SHA256

cf907323f4893e56447a67c119c18cb0b4cb1a90cdc86df5ff39f83f0fa73728
SHA512

b6a28d81c5a4e4270a9115799943e670559a53040125006573aecafcc92cedbdf7645e777c5ea974a5f3b9f8675b4a3a1e978a4c438bdcc4fc24646a2d99aba3
SSDEEP

1536:vnEkah9FisULYtapaO4IWzLhhHRCRuT/IdYU:vEr1ULYWaOQL/H4QzU

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1140	70e89c0076ccca008e24d7fb1db1e9f3.exe
536	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\pmnnMcDU.dll,#1"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pmnnMcDU.dll	70e89c0076ccca008e24d7fb1db1e9f3.exe
File created	C:\Windows\SysWOW64\pmnnMcDU.dll	70e89c0076ccca008e24d7fb1db1e9f3.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\pmnnMcDU.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1140	70e89c0076ccca008e24d7fb1db1e9f3.exe
1140	70e89c0076ccca008e24d7fb1db1e9f3.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe
536	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	70e89c0076ccca008e24d7fb1db1e9f3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1140	70e89c0076ccca008e24d7fb1db1e9f3.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 612	1140	70e89c0076ccca008e24d7fb1db1e9f3.exe	3
PID 1140 wrote to memory of 536	1140	70e89c0076ccca008e24d7fb1db1e9f3.exe	100
PID 1140 wrote to memory of 536	1140	70e89c0076ccca008e24d7fb1db1e9f3.exe	100
PID 1140 wrote to memory of 536	1140	70e89c0076ccca008e24d7fb1db1e9f3.exe	100
PID 1140 wrote to memory of 3888	1140	70e89c0076ccca008e24d7fb1db1e9f3.exe	101
PID 1140 wrote to memory of 3888	1140	70e89c0076ccca008e24d7fb1db1e9f3.exe	101
PID 1140 wrote to memory of 3888	1140	70e89c0076ccca008e24d7fb1db1e9f3.exe	101

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\70e89c0076ccca008e24d7fb1db1e9f3.exe
"C:\Users\Admin\AppData\Local\Temp\70e89c0076ccca008e24d7fb1db1e9f3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\pmnnMcDU.dll,a
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qoMgghGw.bat "C:\Users\Admin\AppData\Local\Temp\70e89c0076ccca008e24d7fb1db1e9f3.exe"
  2⤵
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qoMgghGw.bat

Filesize
103B

MD5
b0ff9235e0ccbd04894c4845619b9fdf

SHA1
d8604176251de5c206f32a9cb175295d5f6f1348

SHA256
577d14234d53b2211177d0acc9365a1435346a9c364063260b79a4dc00462ac9

SHA512
f150fa5ab3961954a317b031d4eb87e5443cd7f7cbd1f1ef0f246de9c5264dcea0a1ea1b1126f7210af9cd6b491d6d270d6bff4d4932a3cd575a5ad7ff487b4a

Download Submit
C:\Windows\SysWOW64\pmnnMcDU.dll

Filesize
36KB

MD5
9257a066636d03ac16714844061f1846

SHA1
4ea9f4bd23af4f3a9cae22fcc7c0908d36269b33

SHA256
2e981a1d941b8f3b26d0ef97ccec1b8c5d3f24e39e6dec863fec2b1c944039f3

SHA512
65446bc72118b49ff87c9725599fa2bc131a21d8407d42536cbae9b9dd5aebd7905addadf206c088066b89e3cbfd5bf303e4ca0e41f6fbbaabded13b5cff2602

Download Submit
memory/536-20-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/536-21-0x0000000000930000-0x0000000000935000-memory.dmp

Filesize
20KB

Download
memory/536-22-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/536-27-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1140-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1140-8-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1140-9-0x0000000002340000-0x0000000002345000-memory.dmp

Filesize
20KB

Download
memory/1140-10-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1140-13-0x00000000004A0000-0x00000000004A5000-memory.dmp

Filesize
20KB

Download
memory/1140-16-0x0000000002340000-0x0000000002345000-memory.dmp

Filesize
20KB

Download
memory/1140-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1140-1-0x00000000004A0000-0x00000000004A5000-memory.dmp

Filesize
20KB

Download