776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21

Analysis

Target

776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21.dll
Size

55KB
MD5

91790a088f4b19c2b1f46dc0b7ffdf10
SHA1

30c1df818dbd511dcff4d5a2ca8d66ea53e12941
SHA256

776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21
SHA512

b6a15a8a0434c6ca82b1ef8fb5369e59218f9f187f8a105f129c2d0f59bbc683e06b6628c0c5884ce12dd4c6660cfedc724fce00151b031ad108b735e55ed7bc

Score

8^/10

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	944	rundll32.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
944	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 944	1632	rundll32.exe	27
PID 1632 wrote to memory of 944	1632	rundll32.exe	27
PID 1632 wrote to memory of 944	1632	rundll32.exe	27
PID 1632 wrote to memory of 944	1632	rundll32.exe	27
PID 1632 wrote to memory of 944	1632	rundll32.exe	27
PID 1632 wrote to memory of 944	1632	rundll32.exe	27
PID 1632 wrote to memory of 944	1632	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\776cc10efd4684db5615933031cf8879d882429f5175bb18ce3f84493e2a7e21.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:944

memory/944-56-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download