c22e1d14bd1f5f1306636ec0d6a78f3537780ca57e7143e95624b5ce58389d96

General

Target

c22e1d14bd1f5f1306636ec0d6a78f3537780ca57e7143e95624b5ce58389d96.dll
Size

5.7MB
MD5

514c2aa1d71decb732ddf579cd88356c
SHA1

d87dbb7e712a0a7ef6c6bea368b72c17a9f6ac59
SHA256

c22e1d14bd1f5f1306636ec0d6a78f3537780ca57e7143e95624b5ce58389d96
SHA512

af30d3b762893ed17a418d428c0b248cf1ea2db23993de0b50102d61cce5583a4f5748b285be1640eaab6d7d6fa303188139e7d834ffe6b89b3b75cebf66da8f
SSDEEP

49152:/0oL54cPedTLBzjP+ZVX+xIPbVZU2K7We7IRewFhu86RuY:/0VcgCNuIhZUwRR6Rn

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2128	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	test_wpf.exe

Loads dropped DLL 5 IoCs

pid	Process
2128	rundll32.exe
2128	rundll32.exe
2128	rundll32.exe
2128	rundll32.exe
2128	rundll32.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kbasnthasciateuhant98437uau	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\luminati\20241002_013443_perr_uuid_update.jslog	rundll32.exe
File created	C:\Windows\SysWOW64\luminati\lum_sdk_install_id	rundll32.exe
File created	C:\Windows\SysWOW64\lum_sdk32_clr.dll	rundll32.exe
File created	C:\Windows\SysWOW64\msvcr120.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\test_wpf.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\luminati\db\conf.json	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\kbasnthasciateuhant98437uau	rundll32.exe
File created	C:\Windows\SysWOW64\test_wpf.exe	rundll32.exe
File created	C:\Windows\SysWOW64\luminati\perr_13_supported_1.230.214.sent	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\luminati	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\lum_sdk32_clr.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\luminati\db	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test_wpf.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2128	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2128	2328	rundll32.exe	30
PID 2328 wrote to memory of 2128	2328	rundll32.exe	30
PID 2328 wrote to memory of 2128	2328	rundll32.exe	30
PID 2328 wrote to memory of 2128	2328	rundll32.exe	30
PID 2328 wrote to memory of 2128	2328	rundll32.exe	30
PID 2328 wrote to memory of 2128	2328	rundll32.exe	30
PID 2328 wrote to memory of 2128	2328	rundll32.exe	30
PID 2128 wrote to memory of 2728	2128	rundll32.exe	31
PID 2128 wrote to memory of 2728	2128	rundll32.exe	31
PID 2128 wrote to memory of 2728	2128	rundll32.exe	31
PID 2128 wrote to memory of 2728	2128	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c22e1d14bd1f5f1306636ec0d6a78f3537780ca57e7143e95624b5ce58389d96.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c22e1d14bd1f5f1306636ec0d6a78f3537780ca57e7143e95624b5ce58389d96.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\test_wpf.exe
    C:\Windows\SysWOW64\test_wpf.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\lum_sdk32_clr.dll

Filesize
2.0MB

MD5
8e5270544e36b46f8748d3f9a816f069

SHA1
638781e93ba17313a6b31e04a6800a4a1f4e5d0c

SHA256
59af2d55bc9f32eb3389c43f8b5f2edae02d71f6555e9fa1166b6569af3a4138

SHA512
873d76ca6e88d1be02018456435376c1449952d76e6438fa185f32ab88d8c54cbd45571a212ffc1fde7c9d1e01879b384b325f10a67d083a64ef0170db57d617

Download Submit
\Windows\SysWOW64\msvcr120.dll

Filesize
948KB

MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
\Windows\SysWOW64\test_wpf.exe

Filesize
25KB

MD5
0cfa5d7d82c83dce2742a67e6fd8d182

SHA1
530745dddc0a353fbe05735739c20fcc9df34f36

SHA256
1a1bcb662ecb30adebeb3876940c1fd93b9c2ff401881faa327b8d437dd0d5fd

SHA512
ac509a9c519fec170fee543ac5393c04656294e3d21f5c350ab1ac4fd9b54b5d125a176da744e1f96ee2b94a2eb62f32ca803a0807f295d21f0393df00941443

Download Submit
memory/2128-39-0x0000000005030000-0x0000000005116000-memory.dmp

Filesize
920KB

Download
memory/2128-38-0x0000000005440000-0x0000000005644000-memory.dmp

Filesize
2.0MB

Download
memory/2128-40-0x0000000002290000-0x00000000022F4000-memory.dmp

Filesize
400KB

Download
memory/2128-41-0x0000000005120000-0x00000000051D0000-memory.dmp

Filesize
704KB

Download
memory/2128-42-0x0000000002680000-0x000000000268C000-memory.dmp

Filesize
48KB

Download
memory/2128-43-0x00000000028E0000-0x00000000028EC000-memory.dmp

Filesize
48KB

Download
memory/2128-44-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2728-13-0x00000000738D0000-0x0000000073FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-12-0x00000000738D0000-0x0000000073FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-11-0x0000000001210000-0x0000000001218000-memory.dmp

Filesize
32KB

Download
memory/2728-10-0x00000000738DE000-0x00000000738DF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing