Analysis

  • max time kernel
    108s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2022, 17:51

General

  • Target

    4b274d8e85fa0cf08bd8c24d029090183db9514fa24b2d181e030d77541b9d04.dll

  • Size

    400KB

  • MD5

    7529021780decda9b5fa20445f27d1a5

  • SHA1

    55a3d2791c9d02adecef9296990b1077a84fee6f

  • SHA256

    4b274d8e85fa0cf08bd8c24d029090183db9514fa24b2d181e030d77541b9d04

  • SHA512

    fdd8c5a93d727c94d3f7f3eb3a565a81b570f310ea708e7a4efb83faa27c4ff59e6b0e5f649a17b5a69612160791c7a1feafe1c473042620dc495094ffec1eec

  • SSDEEP

    12288:BttBEGXKSqEpGTIPdYT9tZeXFxJ9X9Ai5P3k:DjvKSqXTIP2ToXFxJ99ZPU

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b274d8e85fa0cf08bd8c24d029090183db9514fa24b2d181e030d77541b9d04.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b274d8e85fa0cf08bd8c24d029090183db9514fa24b2d181e030d77541b9d04.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1392
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          PID:1720
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 228
          3⤵
          • Program crash
          PID:2044

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H3K0LATP.txt

      Filesize

      608B

      MD5

      0a89fd17a12a6933c654caaebde2a55c

      SHA1

      99052a7a1c96469fcca7fe8586bb1b240dc34405

      SHA256

      f95e392dd038757b055a652fbb059765090c193f4db9b2e3ef1510bd05f129d2

      SHA512

      a58bb2194ad283c385be9b1d43017d9ccf043715b03842cca78d8b3e972d8217a636164b1a103c6e4bdddf0a9a962bf4139b24ab69d20c67162a9dd8f6429f82

    • C:\Windows\SysWOW64\rundll32mgr.exe

      Filesize

      153KB

      MD5

      6c6400ba9cf5a1d34fbbb3e2fe57ce3f

      SHA1

      a6f8636c626b47354407aae3ec592ba8a6ad57ef

      SHA256

      c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

      SHA512

      9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

    • \Windows\SysWOW64\rundll32mgr.exe

      Filesize

      153KB

      MD5

      6c6400ba9cf5a1d34fbbb3e2fe57ce3f

      SHA1

      a6f8636c626b47354407aae3ec592ba8a6ad57ef

      SHA256

      c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

      SHA512

      9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

    • memory/1252-55-0x0000000076321000-0x0000000076323000-memory.dmp

      Filesize

      8KB

    • memory/1252-61-0x0000000040000000-0x0000000040064000-memory.dmp

      Filesize

      400KB

    • memory/1252-62-0x00000000002C0000-0x0000000000322000-memory.dmp

      Filesize

      392KB

    • memory/1748-63-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/1748-64-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB