Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2024, 12:11

General

  • Target

    LYDLL.dll

  • Size

    424KB

  • MD5

    2265a498bf73383489dbd3541e7ac1fa

  • SHA1

    d47bac8ead1428289874cb3e53c62dddbefd28c7

  • SHA256

    a231bdcc7a1672c6cfdc159a08ba9db00b84e6222156deca575e6cb862209b67

  • SHA512

    bfa1cb7705794a808a8e0f3e031f700e977e7787a2adef167aa5e4453832c0ec238c247735a14e96c0fe717b0b3d31784a5502b0b9a1e72b3b6e9df80be78205

  • SSDEEP

    6144:luMheR3mrOkdefYxzenLTEudNI/zQ3Q5mvnr1hgs6NMLiIcb0IdYA0NguLnEf:tNRIfYSJL452npheMmIcb5+AnQnEf

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\LYDLL.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\LYDLL.dll,#1
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\svchost.exe
        C:\Windows\svchost.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1484

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\2.0.0.1\dmplayer.dll

          Filesize

          868KB

          MD5

          50a7707b174c8affe5dc8fa42ce9616e

          SHA1

          8e51db19f55590ba6109b6bf624b432be4c275d0

          SHA256

          200dc3f65a30cc5ab80bb8764f5d8c5525f2f0a6132295c4ee262abe4f53bf62

          SHA512

          346229f3168023b6b33bad6c9f5bef2e97d25063d119a0bef95ced063a4188335ec5a3c8c2a4257c002f7b5e94be825e8245d152751eb7f5492abed398b5f5f2

        • C:\Windows\dmshell.dll

          Filesize

          379KB

          MD5

          607ce5e3f197f37380660eb252f31366

          SHA1

          784b907bb3b2b4b42f86a200d99c9ba6a2638b58

          SHA256

          1b4b0ac73a1ea1167f91f87f5c901d920dd563b5288f869386a75eb694edb516

          SHA512

          0abcade5dcff4b609a33cb57a3130bb40f729e4a2293b6c50f8b5d84a526b054afdfc5c48239de2f190b2daa8302abef67cc077dfa80df1c20fbecd924c6d761

        • C:\Windows\svchost.exe

          Filesize

          20KB

          MD5

          09a94cb1a83cc9b0107aaca961a40300

          SHA1

          d205d12ef0170f184a32fc4a13270bc7db7253f2

          SHA256

          03ac787a19228ef4cfc5953d37b2e1839f7c1e0582a397562385f3bcc5bb20b5

          SHA512

          37faca7ac8d02a8b32d17db64b9da670be50a1c13246d223e84550cedcd62818fafd6851a6344a75a04a0c1e237de3755465ea75d13582e3971fb68c3e3832f4

        • memory/1484-11-0x0000000002B00000-0x0000000002BDC000-memory.dmp

          Filesize

          880KB

        • memory/1484-15-0x0000000010000000-0x00000000100FD000-memory.dmp

          Filesize

          1012KB

        • memory/1484-32-0x0000000010000000-0x00000000100FD000-memory.dmp

          Filesize

          1012KB