018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81

Analysis

Target

018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81.dll
Size

74KB
MD5

ab17f2b17c57b731cb930243589ab0cf
SHA1

5a5fafbc3fec8d36fd57b075ebf34119ba3bff04
SHA256

018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81
SHA512

62aac7869c47f89a545eadb2a150181771e1accfe454673d81e3899447e907aae030beea31cfc66820f665fa5060190a6c8823dd6356fbe34af99eae7e4067ce

Score

8^/10

persistence

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1288 wrote to memory of 1720	1288	rundll32.exe	rundll32.exe
PID 1288 wrote to memory of 1720	1288	rundll32.exe	rundll32.exe
PID 1288 wrote to memory of 1720	1288	rundll32.exe	rundll32.exe
PID 1288 wrote to memory of 1720	1288	rundll32.exe	rundll32.exe
PID 1288 wrote to memory of 1720	1288	rundll32.exe	rundll32.exe
PID 1288 wrote to memory of 1720	1288	rundll32.exe	rundll32.exe
PID 1288 wrote to memory of 1720	1288	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81.dll,#1
  2⤵
  PID:1720

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1720-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download