Analysis
- max time kernel: 4294214s
- max time network: 166s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 20-03-2022 19:56
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0.dll
  - Resource: win7-20220311-en
- Behavioral task: behavioral2
  - Sample: ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0.dll
  - Resource: win10v2004-en-20220113
General
- Target: ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0.dll
- Size: 20KB
- MD5: a2dd642315f3cc6b44241c31ec964ea3
- SHA1: 6a2426de100f63c884a54ed12013e3094e6fe10b
- SHA256: ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0
- SHA512: 843e056ea08680540f2338c2c73e71777e9b395273bb56480f121d2074f1bb7957f798c198bd1840b2fc2b74a756a6c7be621ee545e2aab3f1212f176d7f5bae
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow 6   pid 972  rundll32.exe
    flow 8   pid 972  rundll32.exe
    flow 12  pid 972  rundll32.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 5   ioc api.ipify.org
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid 972  rundll32.exe  (3 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (7 identical entries):
    description: PID 2032 wrote to memory of 972   pid 2032  process rundll32.exe  target process rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0.dll,#1
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses

The sample is invoked through its export ordinal (the ",#1" suffix), not a named export. The 64-bit rundll32.exe (PID 2032) re-launches the 32-bit SysWOW64 copy (PID 972) with the same command line, which is what rundll32 does when handed a 32-bit DLL; the WriteProcessMemory IoCs are the parent writing into that child, and all of the network activity and process enumeration is attributed to the child.
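The behaviours above (rundll32 loading a DLL from a user-writable path by ordinal, the system32 rundll32 spawning its SysWOW64 twin, and the child resolving an IP-echo service) map directly onto process-creation and DNS telemetry. The following is an added example, not part of the sandbox report: a small detector run over constructed Sysmon-style events. The field names (EventID, Image, ParentImage, CommandLine, ProcessId, ParentProcessId, QueryName), the parent of PID 2032, the benign control events and the hostname list are my assumptions; the PIDs, paths and command lines that do appear are copied from the report.

```python
"""Added example (not from the sandbox report): replay the report's rundll32
behaviours over constructed Sysmon-style events and score each process.
Field names follow Sysmon EID 1 (process create) and EID 22 (DNS query);
this mapping and the sample list of IP-echo hosts are assumptions."""
import re
from typing import Dict, List, Set

# Constructed sample of public IP-echo services (api.ipify.org is the one
# the report observed; the rest are additions for illustration).
IP_LOOKUP_HOSTS: Set[str] = {"api.ipify.org", "ipinfo.io", "ifconfig.me", "icanhazip.com"}

# Paths a standard user can write to; a DLL here is not an OS component.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
# rundll32 "<dll>,#<ordinal>" syntax: the DLL is called by export ordinal.
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.I)

R_ORDINAL = "rundll32_user_writable_ordinal"
R_WOW64 = "rundll32_spawns_wow64_rundll32"
R_IPLOOKUP = "rundll32_ip_lookup_dns"


def _is_rundll32(path: str) -> bool:
    return path.lower().endswith("\\rundll32.exe")


def detect(events: List[dict]) -> List[tuple]:
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and _is_rundll32(ev["Image"]):
            cmd = ev["CommandLine"]
            if USER_WRITABLE.search(cmd) and ORDINAL_EXPORT.search(cmd):
                findings.append((R_ORDINAL, ev["ProcessId"], cmd))
            if (_is_rundll32(ev["ParentImage"])
                    and "\\system32\\" in ev["ParentImage"].lower()
                    and "\\syswow64\\" in ev["Image"].lower()):
                findings.append((R_WOW64, ev["ProcessId"], f"parent pid {ev['ParentProcessId']}"))
        elif ev["EventID"] == 22 and _is_rundll32(ev["Image"]):
            host = ev["QueryName"].lower()
            if host in IP_LOOKUP_HOSTS:
                findings.append((R_IPLOOKUP, ev["ProcessId"], host))
    return findings


def triage(events: List[dict]) -> Dict[int, str]:
    """Score per pid. The WoW64 re-launch alone is expected for any 32-bit DLL,
    so it only counts when combined with the ordinal load from a user path."""
    rules_by_pid: Dict[int, Set[str]] = {}
    for rule, pid, _ in detect(events):
        rules_by_pid.setdefault(pid, set()).add(rule)
    verdict = {}
    for pid, rules in rules_by_pid.items():
        if {R_ORDINAL, R_IPLOOKUP} <= rules:
            verdict[pid] = "high"
        elif R_ORDINAL in rules:
            verdict[pid] = "medium"
        else:
            verdict[pid] = "low"
    return verdict


DLL = r"C:\Users\Admin\AppData\Local\Temp\ab2a474c3fd276095d7db5d78df356a572b1eee397ef1977facd8df214db3db0.dll"

# Constructed events modelled on the report. The parent of PID 2032 and the
# two benign control events (control panel applet, browser DNS) are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2032, "ParentProcessId": 1500,
     "Image": r"C:\Windows\system32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"rundll32.exe {DLL},#1"},
    {"EventID": 1, "ProcessId": 972, "ParentProcessId": 2032,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": f"rundll32.exe {DLL},#1"},
    {"EventID": 22, "ProcessId": 972, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": 1500,
     "Image": r"C:\Windows\system32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 22, "ProcessId": 4000, "Image": r"C:\Program Files\Browser\browser.exe",
     "QueryName": "api.ipify.org"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
    print(triage(SAMPLE_EVENTS))
```

The rule for the system32 → SysWOW64 re-launch is deliberately low weight on its own: it fires for every 32-bit DLL rundll32 is asked to load, so it is the combination with a DLL in Temp loaded by ordinal and a DNS query to an IP-echo host that makes PID 972 the interesting process, exactly as the report's signatures do.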
Network
MITRE ATT&CK Matrix
Downloads
- memory/972-54-0x0000000074C91000-0x0000000074C93000-memory.dmp (8KB): a dump of the 0x74C91000-0x74C93000 region of PID 972, the SysWOW64 rundll32.exe; the range is 0x2000 bytes, matching the stated 8KB.