Malware Analysis Report

2024-09-23 07:06

Sample ID 220412-gv8f5sahc4
Target 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033.dll
SHA256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033
Tags wiper isaacwiper bootkit persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

Threat Level: Known bad

The file 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033.dll was found to be: Known bad.

Malicious Activity Summary

wiper isaacwiper bootkit persistence

Detect IsaacWiper

Isaacwiper family

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported 2022-04-12 06:08

Signatures

Detect IsaacWiper

wiper
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Isaacwiper family

isaacwiper

Analysis: behavioral1

Detonation Overview

Submitted 2022-04-12 06:08

Reported 2022-04-12 06:11

Platform win7-20220331-en

Max time kernel 79s

Max time network 49s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033.dll,#1

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-594401021-1341801952-2355885667-1000\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\System\ado\Tmf2981.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\descript.ion | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\Tmf2740.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Tmf27AD.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\Tmf2962.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\Tmf2981.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\de-DE\Tmf2972.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\SecretST.TTF | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\Tmf2962.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_postage_Thumbnail.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\Tmf2BC3.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\ja-JP\Tmf2981.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\msado27.tlb | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\Tmf2740.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Tmf2BD2.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ja-JP\Tmf2981.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2024 wrote to memory of 1896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 1896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 1896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 1896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 1896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 1896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 1896 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033.dll,#1

Network

N/A

Files

memory/1896-54-0x0000000000000000-mapping.dmp

memory/1896-55-0x0000000075D51000-0x0000000075D53000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-04-12 06:08

Reported 2022-04-12 06:11

Platform win10v2004-20220331-en

Max time kernel 134s

Max time network 145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033.dll,#1

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1082102374-1487407228-1886994731-1000\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqloledb.rll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\msadox28.tlb | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\micaut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\it-IT\Tmf9B94.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\msadco.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fa.pak | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ro.pak | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hr.pak | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\Tmf9D0B.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\it.pak | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Tmf924D.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\libEGL.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_200_percent.pak | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Tmf788B.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\Services\verisign.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\nacl_irt_x86_64.nexe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\IEShims.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sl.pak | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\Tmf92CA.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\lt.pak | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4764 wrote to memory of 1092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4764 wrote to memory of 1092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4764 wrote to memory of 1092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033.dll,#1

Network

Country | Destination | Domain | Proto
FI | 62.115.252.112:80 | | tcp
US | 52.152.108.96:443 | | tcp
US | 104.208.16.88:443 | | tcp
SE | 178.79.212.129:80 | | tcp
SE | 178.79.212.129:80 | | tcp
SE | 178.79.212.129:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp
US | 8.8.8.8:53 | crl4.digicert.com | udp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 93.184.220.29:80 | crl4.digicert.com | tcp

Files

memory/1092-124-0x0000000000000000-mapping.dmp