76e838fcc3bee359645efd41a1b05362cb6d787f9c5008966517351fed2cb228

Analysis

max time kernel
94s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 17:17

Target

76e838fcc3bee359645efd41a1b05362cb6d787f9c5008966517351fed2cb228.dll
Size

854KB
MD5

4436b2975cfea99a1b73ba9b87cd71e4
SHA1

35fba2952470d46bd6a580f8029fa624749c17fd
SHA256

76e838fcc3bee359645efd41a1b05362cb6d787f9c5008966517351fed2cb228
SHA512

58bf4c71d3c53a170a13058cc9d0e662457044de311d87fde4748965bdd031cb54aa3377dbde52d1a68cd27e0a2ef567c29f03ca815dbc0c0c67c65dd872b47b
SSDEEP

768:HV1cEy9lm1s503mEP6Q9htGnTED4iT3vyR0ZMeSNCTD/6kpLRmNMjxW7lDETcT:11nZWEP6QjmTiuQSNCnTpLsMEd+c

Score

7^/10

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	ahnlab.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	ahnlab.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mismyou = "C:\\ProgramData\\ahnlab.exe"	ahnlab.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahnlab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2568	ahnlab.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2568	ahnlab.exe
2568	ahnlab.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 1528	3576	rundll32.exe	83
PID 3576 wrote to memory of 1528	3576	rundll32.exe	83
PID 3576 wrote to memory of 1528	3576	rundll32.exe	83
PID 1528 wrote to memory of 2568	1528	rundll32.exe	95
PID 1528 wrote to memory of 2568	1528	rundll32.exe	95
PID 1528 wrote to memory of 2568	1528	rundll32.exe	95
PID 2568 wrote to memory of 1692	2568	ahnlab.exe	96
PID 2568 wrote to memory of 1692	2568	ahnlab.exe	96
PID 2568 wrote to memory of 1692	2568	ahnlab.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\76e838fcc3bee359645efd41a1b05362cb6d787f9c5008966517351fed2cb228.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\76e838fcc3bee359645efd41a1b05362cb6d787f9c5008966517351fed2cb228.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\ProgramData\ahnlab.exe
    C:\ProgramData\ahnlab.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\PROGRA~3\ahnlab.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692