734444487ecda2415875052f39dc1ab186040390a038a410bb804880d6545cb5

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 06:18

Target

歌曲排序工具/lpk.dll
Size

70KB
MD5

c55c8aff84d53ecd128dd5ac442d0313
SHA1

fcf5768c1225f933609f9f945ebcf2062428d151
SHA256

50a5f3fc40cbdf5fc0e890b65f52d96eed6512cf8f2b58b3442423dad243f548
SHA512

65ec5c270efa5c37d28b9f1585f1b38eacb51992f475025ba443ecb13dedf8321641308e3346cfc8b1e8186072a7533babeb48734434692732f862126fbd3596
SSDEEP

1536:b0qfWT5MJhKENBnfblrmON0XwzfspwF0qfWT5M:4wWT5MNBhtKwopwSwWT5

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2076	hrl27EB.tmp
2676	kkaaya.exe

Loads dropped DLL 3 IoCs

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kkaaya.exe	hrl27EB.tmp
File opened for modification	C:\Windows\SysWOW64\kkaaya.exe	hrl27EB.tmp
File created	C:\Windows\SysWOW64\gei33.dll	kkaaya.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2072	2236	rundll32.exe	28
PID 2236 wrote to memory of 2072	2236	rundll32.exe	28
PID 2236 wrote to memory of 2072	2236	rundll32.exe	28
PID 2236 wrote to memory of 2072	2236	rundll32.exe	28
PID 2236 wrote to memory of 2072	2236	rundll32.exe	28
PID 2236 wrote to memory of 2072	2236	rundll32.exe	28
PID 2236 wrote to memory of 2072	2236	rundll32.exe	28
PID 2072 wrote to memory of 2076	2072	rundll32.exe	29
PID 2072 wrote to memory of 2076	2072	rundll32.exe	29
PID 2072 wrote to memory of 2076	2072	rundll32.exe	29
PID 2072 wrote to memory of 2076	2072	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\歌曲排序工具\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\歌曲排序工具\lpk.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\hrl27EB.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl27EB.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2076

C:\Windows\SysWOW64\gei33.dll

Filesize
12KB

MD5
de61de242b5500304af17e4661100ea5

SHA1
ed6c1fce0696ce100a93f2d3cea83a0475947e4f

SHA256
3c373fde7222d1e3c5a13339d37f3b5752374210ae09974b4f17baa261c3b9a5

SHA512
b393464bfd694bb314cf9c8f3d19ab6750cc65d9e3506c1b91a8658a227e9f8614b1f65b8eaa7b7e844d7308b450e690627e3eb1a8101ca80917c62233d1473f

Download Submit
\Users\Admin\AppData\Local\Temp\hrl27EB.tmp

Filesize
58KB

MD5
7099e637f315a0400cb827ce574e369b

SHA1
0cc92d846d2dc9199f1c27f5809240dabf52dcf9

SHA256
86871e30782311c4e8d867cd12601709c7a99ce55d063ab0c819a2ec6e649707

SHA512
05718f831547e5e344b5c0fad317a50f8b0de32c8185ab6713a9caf7f6621daa5f418902dc0dc2549bd2481e94c7ff82da10a5effc73ccccdff564e96e834595

Download Submit
memory/2076-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download