Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2024 04:06
Static task
static1
Behavioral task
behavioral1
Sample
10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd.dll
Resource
win10v2004-20240226-en
General
-
Target
10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd.dll
-
Size
103KB
-
MD5
e9f6513c37debcce50e9633aefa757c0
-
SHA1
e7623d6cb0cf234b9f3e3f8b14f63e2077441a0f
-
SHA256
10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd
-
SHA512
de6d502b6bb6d6b46d5b0170db2e3f22f376f5370b6fe6793efbe3ea2207e65033d0b3e0b195b90833ec305bd0decffb6264f2dc973160dbdc330646af242d74
-
SSDEEP
1536:QzICS4A30TY1kUS/U2ztdS1I6DdL9Ta1lx1411ey2NzPBmdy6h+/:vJ0TYyUS/U2RgGWL9+zx1c1eXNNmdA/
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6C56.tmpdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation 6C56.tmp -
Deletes itself 1 IoCs
Processes:
6C56.tmppid process 4368 6C56.tmp -
Executes dropped EXE 1 IoCs
Processes:
6C56.tmppid process 4368 6C56.tmp -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
6C56.tmppid process 4368 6C56.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 5 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wkyNXZoXP\ = "wkyNXZoXP" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\wkyNXZoXP\DefaultIcon\ = "C:\\ProgramData\\wkyNXZoXP.ico" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
rundll32.exepid process 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
6C56.tmppid process 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp 4368 6C56.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
rundll32.exe6C56.tmpdescription pid process Token: SeAssignPrimaryTokenPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeDebugPrivilege 760 rundll32.exe Token: 36 760 rundll32.exe Token: SeImpersonatePrivilege 760 rundll32.exe Token: SeIncBasePriorityPrivilege 760 rundll32.exe Token: SeIncreaseQuotaPrivilege 760 rundll32.exe Token: 33 760 rundll32.exe Token: SeManageVolumePrivilege 760 rundll32.exe Token: SeProfSingleProcessPrivilege 760 rundll32.exe Token: SeRestorePrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeSystemProfilePrivilege 760 rundll32.exe Token: SeTakeOwnershipPrivilege 760 rundll32.exe Token: SeShutdownPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeDebugPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeAssignPrimaryTokenPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeDebugPrivilege 760 rundll32.exe Token: 36 760 rundll32.exe Token: SeImpersonatePrivilege 760 rundll32.exe Token: SeIncBasePriorityPrivilege 760 rundll32.exe Token: SeIncreaseQuotaPrivilege 760 rundll32.exe Token: 33 760 rundll32.exe Token: SeManageVolumePrivilege 760 rundll32.exe Token: SeProfSingleProcessPrivilege 760 rundll32.exe Token: SeRestorePrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeSystemProfilePrivilege 760 rundll32.exe Token: SeTakeOwnershipPrivilege 760 rundll32.exe Token: SeShutdownPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeBackupPrivilege 760 rundll32.exe Token: SeSecurityPrivilege 760 rundll32.exe Token: SeBackupPrivilege 4368 6C56.tmp Token: SeRestorePrivilege 4368 6C56.tmp -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
rundll32.exerundll32.exe6C56.tmpdescription pid process target process PID 448 wrote to memory of 760 448 rundll32.exe rundll32.exe PID 448 wrote to memory of 760 448 rundll32.exe rundll32.exe PID 448 wrote to memory of 760 448 rundll32.exe rundll32.exe PID 760 wrote to memory of 4368 760 rundll32.exe 6C56.tmp PID 760 wrote to memory of 4368 760 rundll32.exe 6C56.tmp PID 760 wrote to memory of 4368 760 rundll32.exe 6C56.tmp PID 760 wrote to memory of 4368 760 rundll32.exe 6C56.tmp PID 4368 wrote to memory of 1728 4368 6C56.tmp cmd.exe PID 4368 wrote to memory of 1728 4368 6C56.tmp cmd.exe PID 4368 wrote to memory of 1728 4368 6C56.tmp cmd.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\10306702a13bfd1d9c8208394eaf42eddcbe49a03f039f7715ad31579db2b6dd.dll,#12⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760 -
C:\ProgramData\6C56.tmp"C:\ProgramData\6C56.tmp"3⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6C56.tmp >> NUL4⤵PID:1728
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize103KB
MD5c28f828c1a26243b75a777be4f0170db
SHA1cc622f0b01e99c8061bd56966b4e5670c061db6e
SHA25682812c2d102f2aca8ab326cf7a7fad505b2aec5035649e5365eb72c6fd3fc75f
SHA512647ce5e9090706ff265e5be8fcd13d58d11ec0a0488b48833f41edd6e5ef23cf34b28e18b3246cf3a2084d3c79b8ef58edcbbb77d57c19c36ddd25b0d11c1b44