630b5cd5260bc6449a77177835af0a0523bfe8eba6e0b5447a456c5f8d4685d7

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gametool/lpk.dll
Size

46KB
MD5

d678a9bbbeeeacdafcc538171ab5dd8f
SHA1

fd511a172eb91d35dd71ba37cdfcc6870bb4df22
SHA256

1ca2927f7e0478c41f94823bb99b74928b36b618ac29a21aeeb95d632089e8d1
SHA512

eb60111a8d826f3e5aacdb6755de6e9dd952199419c62349f4ac22c896dcccfca8ca4fd3b923de431ce9b5ad1bb5de6e1a62fe71ee681ade6ab39089801f4ca2
SSDEEP

768:hojY9PKqxdonOp+IKDDCgEeJ9nmJKLVWrVzD5fc5yzOojY9Po:0myqx6nOp+I5kmJKRWbc5yzvmg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1312	hrl733C.tmp
804	dlxejw.exe

Loads dropped DLL 1 IoCs

pid	Process
804	dlxejw.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dlxejw.exe	hrl733C.tmp
File opened for modification	C:\Windows\SysWOW64\dlxejw.exe	hrl733C.tmp
File created	C:\Windows\SysWOW64\hra33.dll	dlxejw.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrl733C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlxejw.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1312	hrl733C.tmp
1312	hrl733C.tmp
804	dlxejw.exe
804	dlxejw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2252	1776	rundll32.exe	83
PID 1776 wrote to memory of 2252	1776	rundll32.exe	83
PID 1776 wrote to memory of 2252	1776	rundll32.exe	83
PID 2252 wrote to memory of 1312	2252	rundll32.exe	84
PID 2252 wrote to memory of 1312	2252	rundll32.exe	84
PID 2252 wrote to memory of 1312	2252	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\gametool\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\gametool\lpk.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\hrl733C.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl733C.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1312

C:\Windows\SysWOW64\dlxejw.exe
C:\Windows\SysWOW64\dlxejw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrl733C.tmp

Filesize
38KB

MD5
9207aff9be07ce6a7c809fc935ac8f63

SHA1
3cac8e650e83f17eefe4098cdd8236c645e19368

SHA256
a9dbc1a151bba11b32da044da91f019e9d8220065845e7ed402ad8181e58ce5c

SHA512
570f0b92f30246dfeef48466f0ba23f546234aec8e579d4f6c34f483268ab849f7c7e9f2cb364243392b8fae298303a06bfddcf043fb11c1b1efb9f78d81e7ef

Download Submit
C:\Windows\SysWOW64\hra33.dll

Filesize
46KB

MD5
d678a9bbbeeeacdafcc538171ab5dd8f

SHA1
fd511a172eb91d35dd71ba37cdfcc6870bb4df22

SHA256
1ca2927f7e0478c41f94823bb99b74928b36b618ac29a21aeeb95d632089e8d1

SHA512
eb60111a8d826f3e5aacdb6755de6e9dd952199419c62349f4ac22c896dcccfca8ca4fd3b923de431ce9b5ad1bb5de6e1a62fe71ee681ade6ab39089801f4ca2

Download Submit
memory/1312-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download