03dbd7e7306a8bf50b6423d1df0bf259177f32380e48a147ec0e842487c0bfb6

Analysis

Target

03dbd7e7306a8bf50b6423d1df0bf259177f32380e48a147ec0e842487c0bfb6.dll
Size

25KB
MD5

c86d3b39a9c0f72513f4aae8327fd0e8
SHA1

8d6fd0696111777073e1e891dcf5654de89a8d21
SHA256

03dbd7e7306a8bf50b6423d1df0bf259177f32380e48a147ec0e842487c0bfb6
SHA512

987a089db0a32522a8fbd537193a08e88455646076968700c2b58edb1a6056021ee288fb17ca8402b40e71c575a0ee5f66e4803c7437d905b423762e1ca48379

Score

8^/10

Blocklisted process makes network request 3 IoCs

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1124	rundll32.exe
1124	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1124	1484	rundll32.exe	27
PID 1484 wrote to memory of 1124	1484	rundll32.exe	27
PID 1484 wrote to memory of 1124	1484	rundll32.exe	27
PID 1484 wrote to memory of 1124	1484	rundll32.exe	27
PID 1484 wrote to memory of 1124	1484	rundll32.exe	27
PID 1484 wrote to memory of 1124	1484	rundll32.exe	27
PID 1484 wrote to memory of 1124	1484	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03dbd7e7306a8bf50b6423d1df0bf259177f32380e48a147ec0e842487c0bfb6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\03dbd7e7306a8bf50b6423d1df0bf259177f32380e48a147ec0e842487c0bfb6.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:1124

memory/1124-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download