79e0a1621904be26d13be1430d67d16e4a0136d95f865ce954ffff65f870b338

General

Target

d5825203dd7c05568f207f9a131ea3ad.exe
Size

373KB
MD5

d5825203dd7c05568f207f9a131ea3ad
SHA1

b91088a189e987705b83ff683a43e1c1750d5b67
SHA256

79e0a1621904be26d13be1430d67d16e4a0136d95f865ce954ffff65f870b338
SHA512

27f5abd181ab1183d00c9a3287bcca2c8abbdf90962c62256a6ec6e59c5c634a6cf0553cefe605bd88b481a8dfb147cdcc5dac0a241e31759d93328102f0d7f2
SSDEEP

6144:QBwy/i6pBR923Z6gXWJ6bGCPf+1JrwjtLyEtqMfzEbF56N/g:UP/5RqZbWJqiwqMrYF5KY

Score

8^/10

evasion persistence

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
2928	system.exe
1588	d5825203dd7c05568f207f9a131ea3ad.exe

Loads dropped DLL 12 IoCs

pid	Process
1392	d5825203dd7c05568f207f9a131ea3ad.exe
1392	d5825203dd7c05568f207f9a131ea3ad.exe
2556	Rundll32.exe
2556	Rundll32.exe
2556	Rundll32.exe
2556	Rundll32.exe
1392	d5825203dd7c05568f207f9a131ea3ad.exe
2532	Rundll32.exe
2532	Rundll32.exe
2532	Rundll32.exe
2532	Rundll32.exe
2532	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe
File opened (read-only)	\??\F:	Rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	d5825203dd7c05568f207f9a131ea3ad.exe
File created	C:\Windows\SysWOW64\jkdfwctb.dll	system.exe
File created	C:\Windows\SysWOW64\gkkfwctb.dll	system.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe
File opened for modification	C:\Program Files\KAV\CDriver.Inf	Rundll32.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2860	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2556	Rundll32.exe
2556	Rundll32.exe
2556	Rundll32.exe
2556	Rundll32.exe
2556	Rundll32.exe
2532	Rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1392	d5825203dd7c05568f207f9a131ea3ad.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2556	Rundll32.exe
Token: SeRestorePrivilege	2556	Rundll32.exe
Token: SeRestorePrivilege	2556	Rundll32.exe
Token: SeRestorePrivilege	2556	Rundll32.exe
Token: SeRestorePrivilege	2556	Rundll32.exe
Token: SeRestorePrivilege	2556	Rundll32.exe
Token: SeRestorePrivilege	2556	Rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1588	d5825203dd7c05568f207f9a131ea3ad.exe
1588	d5825203dd7c05568f207f9a131ea3ad.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 2928	1392	d5825203dd7c05568f207f9a131ea3ad.exe	28
PID 1392 wrote to memory of 2928	1392	d5825203dd7c05568f207f9a131ea3ad.exe	28
PID 1392 wrote to memory of 2928	1392	d5825203dd7c05568f207f9a131ea3ad.exe	28
PID 1392 wrote to memory of 2928	1392	d5825203dd7c05568f207f9a131ea3ad.exe	28
PID 2928 wrote to memory of 2556	2928	system.exe	29
PID 2928 wrote to memory of 2556	2928	system.exe	29
PID 2928 wrote to memory of 2556	2928	system.exe	29
PID 2928 wrote to memory of 2556	2928	system.exe	29
PID 2928 wrote to memory of 2556	2928	system.exe	29
PID 2928 wrote to memory of 2556	2928	system.exe	29
PID 2928 wrote to memory of 2556	2928	system.exe	29
PID 2556 wrote to memory of 2860	2556	Rundll32.exe	30
PID 2556 wrote to memory of 2860	2556	Rundll32.exe	30
PID 2556 wrote to memory of 2860	2556	Rundll32.exe	30
PID 2556 wrote to memory of 2860	2556	Rundll32.exe	30
PID 2928 wrote to memory of 2532	2928	system.exe	32
PID 2928 wrote to memory of 2532	2928	system.exe	32
PID 2928 wrote to memory of 2532	2928	system.exe	32
PID 2928 wrote to memory of 2532	2928	system.exe	32
PID 2928 wrote to memory of 2532	2928	system.exe	32
PID 2928 wrote to memory of 2532	2928	system.exe	32
PID 2928 wrote to memory of 2532	2928	system.exe	32
PID 1392 wrote to memory of 1588	1392	d5825203dd7c05568f207f9a131ea3ad.exe	33
PID 1392 wrote to memory of 1588	1392	d5825203dd7c05568f207f9a131ea3ad.exe	33
PID 1392 wrote to memory of 1588	1392	d5825203dd7c05568f207f9a131ea3ad.exe	33
PID 1392 wrote to memory of 1588	1392	d5825203dd7c05568f207f9a131ea3ad.exe	33

C:\Users\Admin\AppData\Local\Temp\d5825203dd7c05568f207f9a131ea3ad.exe
"C:\Users\Admin\AppData\Local\Temp\d5825203dd7c05568f207f9a131ea3ad.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\jkdfwctb.dll Exucute
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      PID:2860
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\gkkfwctb.dll Exucute
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\d5825203dd7c05568f207f9a131ea3ad.exe
  C:\Users\Admin\AppData\Local\Temp\d5825203dd7c05568f207f9a131ea3ad.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d5825203dd7c05568f207f9a131ea3ad.exe

Filesize
281KB

MD5
c694a965518422bb881d69d57f65e65c

SHA1
9eaf0b429ce12f68565c871a7fc36b8c85b9fa76

SHA256
5cf1eb62c3c53133795e2618f3b3ab53ef6e7e78f809de4953ea82cc4e4d498f

SHA512
d52d46dfb8347ca1367938c3bb101c206d8879b92ea0de39c5360d7b29f2c4e69ce3d8f4603721c7cbee6e37d8c39c64d0d02a7418d04083375e7711545f8f85

Download Submit
C:\Windows\SysWOW64\jkdfwctb.dll

Filesize
57KB

MD5
5262d59511f16ef632031b1617adfcaa

SHA1
127b3db1847362d5bff244861be660bd466640d9

SHA256
55fa0e2d8d66fe4d174f65926efa72e640589efbfea2a2c6dbc415d2d0579512

SHA512
8c0ff962046af11a05222af3d2593d658bc6a7efc9074af38e4f6b4186ee26ea290363eb7e529cd5958db6ba10c72e74f5f8a006666349febdfadc728b788d55

Download Submit
\Users\Admin\AppData\Local\Temp\7723.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Windows\SysWOW64\gkkfwctb.dll

Filesize
19KB

MD5
36af770caba8139ca711f9779592a82c

SHA1
8dce0f0a197b7a92064ecbb51c2c962225b8fcfa

SHA256
01465fd82da8516d48e9fb9490c05fb87e3651e7a9e5aabf439ead91ee196238

SHA512
2c9808c660d3e24362de33e7b06e95bad4accd1f8f2f5cfce684aaace8e30abfa4827862a5a14e6467d591e08fcd83c1ede8af91292436c070820791a498e8c9

Download Submit
\Windows\SysWOW64\system.exe

Filesize
82KB

MD5
ad16ca7765c4b426506ea02eef8487e0

SHA1
c180e6ea7000564f041b0293a70bca50a033b357

SHA256
0ca1f1bb175059c3dcd38ffded784c82440d47868024792d8bcd398811f34f5a

SHA512
fa6b46fb3b7896a06800f0e308da6a15688e259a595f3997e94918997955f08d5758c763fd8cd235684a0d7688c5fa597c0bd3f77e4b9cc5fea3995cc8987391

Download Submit
memory/1392-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1392-37-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads