6aac3f272eb5c624a17e86377b2b6b5f8ea2331c865c51c8de111e0b7be3d9a3

Analysis

Target

E1-20210112_211120.dll
Size

329KB
MD5

f0f010b670c71181195f94d189ec8b53
SHA1

1ca5b0b9cc00bc4a764b5ee00ca5aaf4a981a903
SHA256

55eeb041b6efeb4fba80c2cc36f16266d2d83040a780b04cdc836952099d8e3f
SHA512

3049eea8509b27378d94e2f66b2397358fcc1f1e017f56a8280b81b70ef6cfb89a35e1ddda9e20bf315ed3a6ed56a38d74b3b8d9d228171d575a43c2f1865bb6

Score

8^/10

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

10 708 rundll32.exe
13 708 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Hfljgsjckp\omghrbhfd.cuw rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exe

pid process

708 rundll32.exe
708 rundll32.exe
708 rundll32.exe
708 rundll32.exe
708 rundll32.exe
708 rundll32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

1388 rundll32.exe

flow	pid	process
10	708	rundll32.exe
13	708	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Hfljgsjckp\omghrbhfd.cuw	rundll32.exe

pid	process
1388	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1180 wrote to memory of 1388	1180	rundll32.exe	rundll32.exe
PID 1180 wrote to memory of 1388	1180	rundll32.exe	rundll32.exe
PID 1180 wrote to memory of 1388	1180	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 212	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 212	1388	rundll32.exe	rundll32.exe
PID 1388 wrote to memory of 212	1388	rundll32.exe	rundll32.exe
PID 212 wrote to memory of 708	212	rundll32.exe	rundll32.exe
PID 212 wrote to memory of 708	212	rundll32.exe	rundll32.exe
PID 212 wrote to memory of 708	212	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\E1-20210112_211120.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\E1-20210112_211120.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hfljgsjckp\omghrbhfd.cuw",JsSnu
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Hfljgsjckp\omghrbhfd.cuw",#1
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:708