6aac3f272eb5c624a17e86377b2b6b5f8ea2331c865c51c8de111e0b7be3d9a3

Analysis

Target

E2-20210112_173730.dll
Size

332KB
MD5

0c30c16d7223afd443251a117ffebd9b
SHA1

2708bdea5bf694974d92bb3843e6041061ed6ee7
SHA256

4aed7b3ade19e0e4ffabc13ad03713d2bafc003e9f489422f744eb3c463bf204
SHA512

b4676fcd5941387aee986d137780beba205ea830365ed3d3283aec811350f7234eb218a732f06a202d4abbe8e9f0eb4798c96e3658eb4f05056b5b271ce2370e

Score

8^/10

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

10 4316 rundll32.exe
14 4316 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Tcsgzs\fkjgc.avx rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exe

pid process

4316 rundll32.exe
4316 rundll32.exe
4316 rundll32.exe
4316 rundll32.exe
4316 rundll32.exe
4316 rundll32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rundll32.exe

pid process

4820 rundll32.exe

flow	pid	process
10	4316	rundll32.exe
14	4316	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Tcsgzs\fkjgc.avx	rundll32.exe

pid	process
4820	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4764 wrote to memory of 4820	4764	rundll32.exe	rundll32.exe
PID 4764 wrote to memory of 4820	4764	rundll32.exe	rundll32.exe
PID 4764 wrote to memory of 4820	4764	rundll32.exe	rundll32.exe
PID 4820 wrote to memory of 4316	4820	rundll32.exe	rundll32.exe
PID 4820 wrote to memory of 4316	4820	rundll32.exe	rundll32.exe
PID 4820 wrote to memory of 4316	4820	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20210112_173730.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\E2-20210112_173730.dll,#1
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Tcsgzs\fkjgc.avx",ShowDialogA
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:4316