Analysis
max time kernel: 157s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-03-2024 19:32
Static task: static1
Behavioral task: behavioral1
  Sample: d6f11dd1aa82f894f7b601c18e194329.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d6f11dd1aa82f894f7b601c18e194329.exe
  Resource: win10v2004-20240226-en
General
Target: d6f11dd1aa82f894f7b601c18e194329.exe
Size: 30KB
MD5: d6f11dd1aa82f894f7b601c18e194329
SHA1: 3333f953d23e7e1e86e9bb94ff4c55868a1cf325
SHA256: 7defbdae55801fd6b55aea539ffabac92d196075ff39a071efc9a21313db919e
SHA512: 8a6aba4ff5b479494e35c531620bac282bebf3470f7416797481e51614b8f2ceb730f10c1b79c7a2afb6feac481531270de5f5aac1dbfb15e38f611eec027e0c
SSDEEP: 768:1yq2xyA5AFlT0OvYZoIfNsUFKyiVIZ7dq5S5Gc:wq2xLcNCZooNsIYIpd4c
Malware Config
Signatures
Drops file in Drivers directory 3 IoCs
description | ioc | Process
- File created | C:\Windows\SysWOW64\drivers\acpiec.sys | rundll32.exe
- File created | C:\Windows\SysWOW64\drivers\pcidump.sys | d6f11dd1aa82f894f7b601c18e194329.exe
- File opened for modification | C:\Windows\system32\drivers\etc\hosts | d6f11dd1aa82f894f7b601c18e194329.exe

Loads dropped DLL 2 IoCs
pid | Process
- 5016 | rundll32.exe
- 1492 | d6f11dd1aa82f894f7b601c18e194329.exe

Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
- File created | C:\autorun.inf | d6f11dd1aa82f894f7b601c18e194329.exe
- File opened for modification | C:\autorun.inf | d6f11dd1aa82f894f7b601c18e194329.exe
- File created | F:\autorun.inf | d6f11dd1aa82f894f7b601c18e194329.exe
- File opened for modification | F:\autorun.inf | d6f11dd1aa82f894f7b601c18e194329.exe

Drops file in System32 directory 1 IoCs
description | ioc | Process
- File created | C:\Windows\SysWOW64\func.dll | d6f11dd1aa82f894f7b601c18e194329.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
- File created | C:\Windows\phpi.dll | d6f11dd1aa82f894f7b601c18e194329.exe
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
- 4276 | sc.exe

Gathers network information 2 TTPs 1 IoCs
Uses a command-line utility to view the network configuration.
pid | Process
- 1292 | ipconfig.exe

Kills process with taskkill 3 IoCs
pid | Process
- 3004 | taskkill.exe
- 2760 | taskkill.exe
- 1812 | taskkill.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
- 5016 | rundll32.exe (the same entry is reported 64 times)

Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
- 668 | Process not Found
- 668 | Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2760 | taskkill.exe
- Token: SeDebugPrivilege | 3004 | taskkill.exe
- Token: SeDebugPrivilege | 1812 | taskkill.exe
- Token: SeDebugPrivilege | 5016 | rundll32.exe (reported 6 times)

Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target (each entry is reported 3 times)
- PID 1492 wrote to memory of 3540 | 1492 | d6f11dd1aa82f894f7b601c18e194329.exe | 93
- PID 1492 wrote to memory of 620 | 1492 | d6f11dd1aa82f894f7b601c18e194329.exe | 94
- PID 1492 wrote to memory of 3040 | 1492 | d6f11dd1aa82f894f7b601c18e194329.exe | 95
- PID 1492 wrote to memory of 2744 | 1492 | d6f11dd1aa82f894f7b601c18e194329.exe | 96
- PID 1492 wrote to memory of 4584 | 1492 | d6f11dd1aa82f894f7b601c18e194329.exe | 97
- PID 1492 wrote to memory of 3852 | 1492 | d6f11dd1aa82f894f7b601c18e194329.exe | 98
- PID 620 wrote to memory of 3212 | 620 | cmd.exe | 105
- PID 3852 wrote to memory of 3004 | 3852 | cmd.exe | 106
- PID 3540 wrote to memory of 2912 | 3540 | cmd.exe | 107
- PID 4584 wrote to memory of 1812 | 4584 | cmd.exe | 108
- PID 2744 wrote to memory of 2760 | 2744 | cmd.exe | 109
- PID 3040 wrote to memory of 4276 | 3040 | cmd.exe | 110
- PID 1492 wrote to memory of 5016 | 1492 | d6f11dd1aa82f894f7b601c18e194329.exe | 115
- PID 1492 wrote to memory of 1292 | 1492 | d6f11dd1aa82f894f7b601c18e194329.exe | 125
Processes
- C:\Users\Admin\AppData\Local\Temp\d6f11dd1aa82f894f7b601c18e194329.exe (PID 1492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6f11dd1aa82f894f7b601c18e194329.exe"
  Signatures: Drops file in Drivers directory; Loads dropped DLL; Drops autorun.inf file; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3540)
    Command line: cmd /c cacls C:\Windows /e /p everyone:f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cacls.exe (PID 2912)
      Command line: cacls C:\Windows /e /p everyone:f
  - C:\Windows\SysWOW64\cmd.exe (PID 620)
    Command line: cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cacls.exe (PID 3212)
      Command line: cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
  - C:\Windows\SysWOW64\cmd.exe (PID 3040)
    Command line: cmd /c sc config ekrn start= disabled
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 4276)
      Command line: sc config ekrn start= disabled
      Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2744)
    Command line: cmd /c taskkill /im ekrn.exe /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 2760)
      Command line: taskkill /im ekrn.exe /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 4584)
    Command line: cmd /c taskkill /im egui.exe /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 1812)
      Command line: taskkill /im egui.exe /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 3852)
    Command line: cmd /c taskkill /im ScanFrm.exe /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 3004)
      Command line: taskkill /im ScanFrm.exe /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\rundll32.exe (PID 5016)
    Command line: rundll32.exe func.dll, droqp
    Signatures: Drops file in Drivers directory; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\ipconfig.exe (PID 1292)
    Command line: ipconfig /all
    Signatures: Gathers network information
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3936)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2284,i,2771196087253062161,8107167670425198948,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
  MD5: 468efb776946a11b5ef892a9d2758e32
  SHA1: 932e2f59c6592b3bf16ef616b47700507e930ba8
  SHA256: bff366c0d665b85a616884950cd1306f9aa961953b312c6cf8593b5c8dc1964a
  SHA512: a42ed1699c221969726cfdc198e9554144c1a0771148eb7a285f188f7310103b5c5b1f022b87c25f1092f3cc5c9cb10bf09770c95ce1a4628fc087727aee39db
- Filesize: 44KB
  MD5: a4d43e3f6c95d6972ac1c7b667576f13
  SHA1: 18db31786773cc0fd22a89cb65a4d17522778088
  SHA256: 54982eb802a2fd35f0b9707a38c7add15a2ae4f93fab7526ecf53dd0dc0b2c53
  SHA512: aa36cee0fe9934aa586d48ac843f0b31a87b624cb2530f0c63c8d81d6318611cea3614b699e65bd2c2da3da630a3635eaafff8377e04569fba3004200f6ce78e