6aac3f272eb5c624a17e86377b2b6b5f8ea2331c865c51c8de111e0b7be3d9a3

Analysis

Target

E3-20210112_221455.dll
Size

336KB
MD5

d929734ca14dd60e9ff5f00ddeccb714
SHA1

0527b4252950053b2d20d6b988812e1ccf6706ad
SHA256

25cfb875f3580ad86963bb531ec75f24dc13c9a9c215cb35afcf78b54e0c3de5
SHA512

4317a7f72081cf42734d36aae365206f00b740a687c088d51aeda4b008c60ed01ebc362386969dee74e9a35df382a8ffdab18de4100d3613c65924f9bfed942b

Score

8^/10

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

9 3444 rundll32.exe
14 3444 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Wnrmmkdac\zyuiqxcn.vva rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exe

pid process

3444 rundll32.exe
3444 rundll32.exe
3444 rundll32.exe
3444 rundll32.exe
3444 rundll32.exe
3444 rundll32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

4792 rundll32.exe

flow	pid	process
9	3444	rundll32.exe
14	3444	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Wnrmmkdac\zyuiqxcn.vva	rundll32.exe

pid	process
4792	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4700 wrote to memory of 4792	4700	rundll32.exe	rundll32.exe
PID 4700 wrote to memory of 4792	4700	rundll32.exe	rundll32.exe
PID 4700 wrote to memory of 4792	4700	rundll32.exe	rundll32.exe
PID 4792 wrote to memory of 3444	4792	rundll32.exe	rundll32.exe
PID 4792 wrote to memory of 3444	4792	rundll32.exe	rundll32.exe
PID 4792 wrote to memory of 3444	4792	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\E3-20210112_221455.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\E3-20210112_221455.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Wnrmmkdac\zyuiqxcn.vva",ShowDialogA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:3444