cf219e229b96338e660fff7921bde744316e865382207d895c84a75d6a8113cf

Analysis

max time kernel
38s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 05:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf219e229b96338e660fff7921bde744316e865382207d895c84a75d6a8113cf.dll
Size

5KB
MD5

565849fbdf5f5aa9a1d825ecc6bcc47c
SHA1

01853b998bea1b35844b1c44376dd64e65762b4e
SHA256

cf219e229b96338e660fff7921bde744316e865382207d895c84a75d6a8113cf
SHA512

79f7f31e2a3eb882c0d5a754316370e63ba44291df20b39f3e1b74ea390d98d34020031bb4bff4aac0c9633bf4a574624fcca3100bab4d73476351112f80aa93
SSDEEP

96:cJt0nEwcdfvkNmtB7/Kpbx03hrconXL/b1:cknVcd3tVWFurcIb

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/832-56-0x0000000010000000-0x0000000010008000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://cashsearch.biz/redir1.php"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://cashsearch.biz/redir1.php"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://cashsearch.biz/redir1.php"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://cashsearch.biz/redir1.php"	rundll32.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://cashsearch.biz/redir1.php"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://cashsearch.biz/redir1.php"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe
832	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 832	576	rundll32.exe	26
PID 576 wrote to memory of 832	576	rundll32.exe	26
PID 576 wrote to memory of 832	576	rundll32.exe	26
PID 576 wrote to memory of 832	576	rundll32.exe	26
PID 576 wrote to memory of 832	576	rundll32.exe	26
PID 576 wrote to memory of 832	576	rundll32.exe	26
PID 576 wrote to memory of 832	576	rundll32.exe	26

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf219e229b96338e660fff7921bde744316e865382207d895c84a75d6a8113cf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf219e229b96338e660fff7921bde744316e865382207d895c84a75d6a8113cf.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-55-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download