8022038f7d3286f02c70800b2863314c8251065bb463428718f70f3f8f9d8443

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pkpm2007/dic32.dll
Size

524KB
MD5

2e89d8f9cf51b2275ca999ca18295441
SHA1

836f388aa254abf4ffa26df5cd4e7f4811a5af1b
SHA256

49988e093cb4fbeabf5ea3dcda0b93d508cfa7817f7c00070e7ae3946b90be15
SHA512

16374fc651a8030ace06244bf39dd2a60c3666cee090c1ddd85a25139c2748ad905b7ebe3b434a40ff8c9df188e36c0191b8a952e0a4aaf6146744bd0c945305
SSDEEP

6144:VwSSfS9aakkaoCj6MbJ+QxEE+K0aVwWL4XwNU+IT:VwSSa9aOy+EFpI

Score

7^/10

vmprotect

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2204-0-0x00000000003A0000-0x00000000004AD000-memory.dmp	vmprotect
behavioral1/memory/2204-6-0x00000000003A0000-0x00000000004AD000-memory.dmp	vmprotect
behavioral1/memory/2204-8-0x00000000003A0000-0x00000000004AD000-memory.dmp	vmprotect
behavioral1/memory/2204-30-0x00000000003A0000-0x00000000004AD000-memory.dmp	vmprotect
behavioral1/memory/2204-13-0x00000000003A0000-0x00000000004AD000-memory.dmp	vmprotect
behavioral1/memory/2204-12-0x00000000003A0000-0x00000000004AD000-memory.dmp	vmprotect
behavioral1/memory/2204-11-0x00000000003A0000-0x00000000004AD000-memory.dmp	vmprotect
behavioral1/memory/2204-10-0x00000000003A0000-0x00000000004AD000-memory.dmp	vmprotect

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\ksddut = "TWVsnkzNEqhGF_PWyFYnmt]khJ"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet\1	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\MiscStatus\ = "0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DefaultExtension	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\MiscStatus	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Printable	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\LocalServer\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Version	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\DefaultFile\ = "BIFF12"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet\2	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DefaultIcon	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Typelib	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\WMvzSmuUjcfn = "rKKYEfn_CXwZ\\P"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\ = "Microsoft Excel Binary Worksheet"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\AuxUserType\3\ = "Microsoft Excel Binary 12"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Implemented Categories	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\matuz = "CGtZnU\x7fvnlMR\x7fYy@\\"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\IPersistStorageType = "2"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\AuxUserType	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Conversion\Readwritable	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\InprocHandler32\ = "ole32.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\bsGyngXofRhSn = "WobTeitGLrhNzVaxosKsa"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\WMvzSmuUjcfn = "rKWYEfn_\\GVoT@"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Conversion\Readwritable\Main	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\xlicons.exe,1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Typelib\ = "{00020813-0000-0000-C000-000000000046}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Verb\0\ = "&Edit,0,2"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\VersionIndependentProgID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\VersionIndependentProgID\ = "Excel.SheetBinaryMacroEnabled"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet\2\ = "1,1,1,1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet\4	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\ProgID	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\LocalServer\LocalServer = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510000000000	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\fzebWhOamjJ = "uUtcrjhB}IfdecMw~r}D[\x7fuXRPxEm"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Conversion\Readable	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Conversion\Readable\Main\ = "Biff12,ExcelWorksheet,ExcelML12,ExcelODS12,Biff8"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\InprocHandler32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\MainPartContentType = "application/vnd.ms-excel.sheet.binary.macroEnabled.main"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet\4\ = "NoteshNote,-1,1,1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\DefaultFile	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\ProgID\ = "Excel.SheetBinaryMacroEnabled.12"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Verb	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Conversion\Readable\Main	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet\3	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\LocalServer	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DocObject	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510000000000	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\fzebWhOamjJ = "uUtcrjhB}IfdecMw~r}DX\x7fuXRPxEn"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Insertable	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\lobkoluMqr = "hCjaIFOmvJqpkFoTGmuEL{fnMUlD}LCr"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DPFe = "a]EQ}gorcHIjdup]jrG"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet\0	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet\1\ = "2,1,16,1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Conversion	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\DataFormats\GetSet\0\ = "3,1,32,1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\OfficeCompliant	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\Verb\1	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\AuxUserType\2\ = "Binary Worksheet"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E24F574C-E94E-CB86-917E-AF16917EAF16}\AuxUserType\3	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2204	rundll32.exe
Token: SeIncBasePriorityPrivilege	2204	rundll32.exe
Token: 33	2204	rundll32.exe
Token: SeIncBasePriorityPrivilege	2204	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2204	2988	rundll32.exe	28
PID 2988 wrote to memory of 2204	2988	rundll32.exe	28
PID 2988 wrote to memory of 2204	2988	rundll32.exe	28
PID 2988 wrote to memory of 2204	2988	rundll32.exe	28
PID 2988 wrote to memory of 2204	2988	rundll32.exe	28
PID 2988 wrote to memory of 2204	2988	rundll32.exe	28
PID 2988 wrote to memory of 2204	2988	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Pkpm2007\dic32.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Pkpm2007\dic32.dll,#1
  2⤵
  - Checks BIOS information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-0-0x00000000003A0000-0x00000000004AD000-memory.dmp

Filesize
1.1MB

Download
memory/2204-7-0x00000000001E0000-0x0000000000244000-memory.dmp

Filesize
400KB

Download
memory/2204-6-0x00000000003A0000-0x00000000004AD000-memory.dmp

Filesize
1.1MB

Download
memory/2204-1-0x00000000001E0000-0x0000000000244000-memory.dmp

Filesize
400KB

Download
memory/2204-8-0x00000000003A0000-0x00000000004AD000-memory.dmp

Filesize
1.1MB

Download
memory/2204-14-0x00000000001E0000-0x0000000000244000-memory.dmp

Filesize
400KB

Download
memory/2204-24-0x00000000007E0000-0x0000000000844000-memory.dmp

Filesize
400KB

Download
memory/2204-25-0x00000000007E0000-0x0000000000844000-memory.dmp

Filesize
400KB

Download
memory/2204-27-0x0000000010000000-0x00000000100CA000-memory.dmp

Filesize
808KB

Download
memory/2204-30-0x00000000003A0000-0x00000000004AD000-memory.dmp

Filesize
1.1MB

Download
memory/2204-29-0x00000000001E0000-0x0000000000244000-memory.dmp

Filesize
400KB

Download
memory/2204-21-0x0000000010000000-0x00000000100CA000-memory.dmp

Filesize
808KB

Download
memory/2204-20-0x0000000010000000-0x00000000100CA000-memory.dmp

Filesize
808KB

Download
memory/2204-13-0x00000000003A0000-0x00000000004AD000-memory.dmp

Filesize
1.1MB

Download
memory/2204-12-0x00000000003A0000-0x00000000004AD000-memory.dmp

Filesize
1.1MB

Download
memory/2204-11-0x00000000003A0000-0x00000000004AD000-memory.dmp

Filesize
1.1MB

Download
memory/2204-15-0x00000000007E0000-0x0000000000844000-memory.dmp

Filesize
400KB

Download
memory/2204-10-0x00000000003A0000-0x00000000004AD000-memory.dmp

Filesize
1.1MB

Download
memory/2204-22-0x0000000010000000-0x00000000100CA000-memory.dmp

Filesize
808KB

Download