a7fa2c542de02d19b54a9f03e43e6d228cb9cfe555fa8650ec4fab33ed523c7c

Analysis

max time kernel
139s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 13:59

Target

aoqics/lpk.dll
Size

46KB
MD5

d678a9bbbeeeacdafcc538171ab5dd8f
SHA1

fd511a172eb91d35dd71ba37cdfcc6870bb4df22
SHA256

1ca2927f7e0478c41f94823bb99b74928b36b618ac29a21aeeb95d632089e8d1
SHA512

eb60111a8d826f3e5aacdb6755de6e9dd952199419c62349f4ac22c896dcccfca8ca4fd3b923de431ce9b5ad1bb5de6e1a62fe71ee681ade6ab39089801f4ca2
SSDEEP

768:hojY9PKqxdonOp+IKDDCgEeJ9nmJKLVWrVzD5fc5yzOojY9Po:0myqx6nOp+I5kmJKRWbc5yzvmg

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
4500	hrl4B80.tmp
1204	kfzqls.exe

Loads dropped DLL 1 IoCs

pid	Process
1204	kfzqls.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kfzqls.exe	hrl4B80.tmp
File opened for modification	C:\Windows\SysWOW64\kfzqls.exe	hrl4B80.tmp
File created	C:\Windows\SysWOW64\hra33.dll	kfzqls.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 1728	212	rundll32.exe	83
PID 212 wrote to memory of 1728	212	rundll32.exe	83
PID 212 wrote to memory of 1728	212	rundll32.exe	83
PID 1728 wrote to memory of 4500	1728	rundll32.exe	84
PID 1728 wrote to memory of 4500	1728	rundll32.exe	84
PID 1728 wrote to memory of 4500	1728	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aoqics\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\aoqics\lpk.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\hrl4B80.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl4B80.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:4500

C:\Users\Admin\AppData\Local\Temp\hrl4B80.tmp

Filesize
38KB

MD5
9207aff9be07ce6a7c809fc935ac8f63

SHA1
3cac8e650e83f17eefe4098cdd8236c645e19368

SHA256
a9dbc1a151bba11b32da044da91f019e9d8220065845e7ed402ad8181e58ce5c

SHA512
570f0b92f30246dfeef48466f0ba23f546234aec8e579d4f6c34f483268ab849f7c7e9f2cb364243392b8fae298303a06bfddcf043fb11c1b1efb9f78d81e7ef

Download Submit
C:\Windows\SysWOW64\hra33.dll

Filesize
7KB

MD5
7147ff24579a477a1a34696926e573f1

SHA1
9127ea8d813ecd5788b3f97777931ec79b7760e9

SHA256
fd08dcb016611316c849d48312ba6dc7d4de75d1a81c1d475a13bb5a1ba07267

SHA512
077b68376679c30d2dbae460ed59f5131c177bdd7574af1c2660ed97ae242b1401816d012af321c278be065b49bc9eab395e008b1b9a2447aa27b694bbed1d5d

Download Submit
memory/4500-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download