f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll
Size

56KB
MD5

3164b48da7b98c1acc2c2ff32bf25590
SHA1

d99a46a16214594ad6decbc22ef3002b53307443
SHA256

f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731
SHA512

4de4e788abbfd85671fae80e0f4861f72e55f11c895cdfb1b3904a1c08943d7d57ce5288804e2fa04a375d33ae6220ddc6bbad8a776c28baa4eab15d08eadf55
SSDEEP

1536:1mv1kzwz1Bp27GjV3P1YI3oyzfmgszyq1d:1Pcz1j4yzf9sWkd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2360	hrlA479.tmp
2416	gkmiuy.exe

Loads dropped DLL 3 IoCs

pid	Process
1952	rundll32.exe
1952	rundll32.exe
2416	gkmiuy.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gkmiuy.exe	hrlA479.tmp
File opened for modification	C:\WINDOWS\SysWOW64\GKMIUY.EXE	hrlA479.tmp
File opened for modification	C:\Windows\SysWOW64\gkmiuy.exe	hrlA479.tmp
File created	C:\Windows\SysWOW64\hra33.dll	gkmiuy.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrlA479.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gkmiuy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2360	hrlA479.tmp

Suspicious behavior: MapViewOfSection 25 IoCs

pid	Process
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp
2360	hrlA479.tmp

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	hrlA479.tmp
Token: SeTakeOwnershipPrivilege	2360	hrlA479.tmp
Token: SeRestorePrivilege	2360	hrlA479.tmp
Token: SeBackupPrivilege	2360	hrlA479.tmp
Token: SeChangeNotifyPrivilege	2360	hrlA479.tmp
Token: SeTakeOwnershipPrivilege	2360	hrlA479.tmp
Token: SeRestorePrivilege	2360	hrlA479.tmp
Token: SeBackupPrivilege	2360	hrlA479.tmp
Token: SeChangeNotifyPrivilege	2360	hrlA479.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2360	hrlA479.tmp
2360	hrlA479.tmp
2416	gkmiuy.exe
2416	gkmiuy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1952	1992	rundll32.exe	30
PID 1992 wrote to memory of 1952	1992	rundll32.exe	30
PID 1992 wrote to memory of 1952	1992	rundll32.exe	30
PID 1992 wrote to memory of 1952	1992	rundll32.exe	30
PID 1992 wrote to memory of 1952	1992	rundll32.exe	30
PID 1992 wrote to memory of 1952	1992	rundll32.exe	30
PID 1992 wrote to memory of 1952	1992	rundll32.exe	30
PID 1952 wrote to memory of 2360	1952	rundll32.exe	31
PID 1952 wrote to memory of 2360	1952	rundll32.exe	31
PID 1952 wrote to memory of 2360	1952	rundll32.exe	31
PID 1952 wrote to memory of 2360	1952	rundll32.exe	31
PID 2360 wrote to memory of 380	2360	hrlA479.tmp	3
PID 2360 wrote to memory of 380	2360	hrlA479.tmp	3
PID 2360 wrote to memory of 380	2360	hrlA479.tmp	3
PID 2360 wrote to memory of 380	2360	hrlA479.tmp	3
PID 2360 wrote to memory of 380	2360	hrlA479.tmp	3
PID 2360 wrote to memory of 388	2360	hrlA479.tmp	4
PID 2360 wrote to memory of 388	2360	hrlA479.tmp	4
PID 2360 wrote to memory of 388	2360	hrlA479.tmp	4
PID 2360 wrote to memory of 388	2360	hrlA479.tmp	4
PID 2360 wrote to memory of 388	2360	hrlA479.tmp	4
PID 2360 wrote to memory of 428	2360	hrlA479.tmp	5
PID 2360 wrote to memory of 428	2360	hrlA479.tmp	5
PID 2360 wrote to memory of 428	2360	hrlA479.tmp	5
PID 2360 wrote to memory of 428	2360	hrlA479.tmp	5
PID 2360 wrote to memory of 428	2360	hrlA479.tmp	5
PID 2360 wrote to memory of 472	2360	hrlA479.tmp	6
PID 2360 wrote to memory of 472	2360	hrlA479.tmp	6
PID 2360 wrote to memory of 472	2360	hrlA479.tmp	6
PID 2360 wrote to memory of 472	2360	hrlA479.tmp	6
PID 2360 wrote to memory of 472	2360	hrlA479.tmp	6
PID 2360 wrote to memory of 488	2360	hrlA479.tmp	7
PID 2360 wrote to memory of 488	2360	hrlA479.tmp	7
PID 2360 wrote to memory of 488	2360	hrlA479.tmp	7
PID 2360 wrote to memory of 488	2360	hrlA479.tmp	7
PID 2360 wrote to memory of 488	2360	hrlA479.tmp	7
PID 2360 wrote to memory of 496	2360	hrlA479.tmp	8
PID 2360 wrote to memory of 496	2360	hrlA479.tmp	8
PID 2360 wrote to memory of 496	2360	hrlA479.tmp	8
PID 2360 wrote to memory of 496	2360	hrlA479.tmp	8
PID 2360 wrote to memory of 496	2360	hrlA479.tmp	8
PID 2360 wrote to memory of 608	2360	hrlA479.tmp	9
PID 2360 wrote to memory of 608	2360	hrlA479.tmp	9
PID 2360 wrote to memory of 608	2360	hrlA479.tmp	9
PID 2360 wrote to memory of 608	2360	hrlA479.tmp	9
PID 2360 wrote to memory of 608	2360	hrlA479.tmp	9
PID 2360 wrote to memory of 688	2360	hrlA479.tmp	10
PID 2360 wrote to memory of 688	2360	hrlA479.tmp	10
PID 2360 wrote to memory of 688	2360	hrlA479.tmp	10
PID 2360 wrote to memory of 688	2360	hrlA479.tmp	10
PID 2360 wrote to memory of 688	2360	hrlA479.tmp	10
PID 2360 wrote to memory of 776	2360	hrlA479.tmp	11
PID 2360 wrote to memory of 776	2360	hrlA479.tmp	11
PID 2360 wrote to memory of 776	2360	hrlA479.tmp	11
PID 2360 wrote to memory of 776	2360	hrlA479.tmp	11
PID 2360 wrote to memory of 776	2360	hrlA479.tmp	11
PID 2360 wrote to memory of 824	2360	hrlA479.tmp	12
PID 2360 wrote to memory of 824	2360	hrlA479.tmp	12
PID 2360 wrote to memory of 824	2360	hrlA479.tmp	12
PID 2360 wrote to memory of 824	2360	hrlA479.tmp	12
PID 2360 wrote to memory of 824	2360	hrlA479.tmp	12
PID 2360 wrote to memory of 864	2360	hrlA479.tmp	13
PID 2360 wrote to memory of 864	2360	hrlA479.tmp	13
PID 2360 wrote to memory of 864	2360	hrlA479.tmp	13

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:472
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1616
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:112
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:776
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:824
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1180
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:984
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:296
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:860
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1068
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1124
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1420
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2012
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\gkmiuy.exe
    C:\Windows\SysWOW64\gkmiuy.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2416
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:488
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4a29c49f51c7fbcd76718566d33ee9b6b0a43c0eff1e9e8396fa0f278b9d731N.dll,#1
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\hrlA479.tmp
      C:\Users\Admin\AppData\Local\Temp\hrlA479.tmp
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrlA479.tmp

Filesize
49KB

MD5
0429f3eae2d5db826955e38a715d4c5e

SHA1
92017b72ec3af3758768022e7879ca2802b03a22

SHA256
fc501e0e0bb0ec3a21867ff5055db3b1a3b7347cf131451a760f2a2df264fa81

SHA512
bf9724969fc79e913e2390f1ae2a6c6606b465dede20b4cf6c2c3c4a5da48c2e2f9403a3152eaa4539f89cea0ea62184c1f79e1e83047a91774de31522c25338

Download Submit
\Windows\SysWOW64\hra33.dll

Filesize
7KB

MD5
7147ff24579a477a1a34696926e573f1

SHA1
9127ea8d813ecd5788b3f97777931ec79b7760e9

SHA256
fd08dcb016611316c849d48312ba6dc7d4de75d1a81c1d475a13bb5a1ba07267

SHA512
077b68376679c30d2dbae460ed59f5131c177bdd7574af1c2660ed97ae242b1401816d012af321c278be065b49bc9eab395e008b1b9a2447aa27b694bbed1d5d

Download Submit
memory/1952-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1952-25-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2360-9-0x0000000077050000-0x0000000077051000-memory.dmp

Filesize
4KB

Download
memory/2360-10-0x000000007704F000-0x0000000077050000-memory.dmp

Filesize
4KB

Download
memory/2360-15-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2416-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download