Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31-05-2024 13:35

Static task: static1
Behavioral task: behavioral1
  Sample: 177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll
  Resource: win10v2004-20240508-en
General
Target: 177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll
Size: 309KB
MD5: 2ba13939bb7b14586052e73f4c81efb4
SHA1: e2c9db7071cc5f1fcb4e9a55c4723d3e735fbc6a
SHA256: 177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18
SHA512: 6c1e9b44e94fbc9c2cdd12a691f9ca18b31ad46cb94cd5bf12b15d0df374db7874a9bc8642b750f7f94e9d4e078dca4dd03235f5772c3d440b44de74463c77cc
SSDEEP: 6144:qCj61q03fA/yyjyjFwtS4Y52nWzDv6Lyt01St7nEpFJb2j9J:+YbWqttqTM20wRwF52z
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 494D.tmp
    Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (494D.tmp)
- Deletes itself (1 IoC)
  Processes: 494D.tmp (PID 1388)
- Executes dropped EXE (1 IoC)
  Processes: 494D.tmp (PID 1388)
- Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  Processes: rundll32.exe (PID 1256, 7 occurrences), 494D.tmp (PID 1388, 1 occurrence)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (5 IoCs)
  Processes: rundll32.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.AKEVizErI\ = "AKEVizErI"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AKEVizErI\DefaultIcon\ = "C:\\ProgramData\\AKEVizErI.ico"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.AKEVizErI
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: rundll32.exe (PID 1256, 6 occurrences)
- Suspicious behavior: RenamesItself (26 IoCs)
  Processes: 494D.tmp (PID 1388, 26 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: rundll32.exe (PID 1256)
    Tokens adjusted: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeBackupPrivilege, SeDebugPrivilege, then repeated pairs of SeBackupPrivilege and SeSecurityPrivilege (64 entries in total)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: rundll32.exe, rundll32.exe, 494D.tmp
    PID 3004 (rundll32.exe) wrote to memory of PID 1256, procid_target 82 (3 occurrences)
    PID 1256 (rundll32.exe) wrote to memory of PID 1388, procid_target 84 (4 occurrences)
    PID 1388 (494D.tmp) wrote to memory of PID 1988, procid_target 85 (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe (PID 3004)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1256)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\177f2296527466017c3984a48973a57b3e967c7c74196576309eae416c1d7f18.dll,#1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\494D.tmp (PID 1388)
      Command line: "C:\ProgramData\494D.tmp"
      - Checks computer location settings
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1988)
        Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\494D.tmp >> NUL
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
  Filesize: 309KB
  MD5: b135c5c666a6ed47cb9b41ab9a65d017
  SHA1: 69196f0d56ef9362b0bc39229326434193661f09
  SHA256: 87d54c646badcc3cfb0fab9e6ed1c21d9dae351134963e24d29d4c786cea3af4
  SHA512: 5ee933fa4189b972eda1a4092d2c3c6f7bd1c7af4777fdc36d5eb04784ce31a4936ba7635c046074ae483edfe78d6211ed00f17129f9933a36b467b760f05fcd