462610c0b4912a4382b3cdf16e161b4e107e1b1688f0ca9abdede16fcef620c0

Analysis

max time kernel
153s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

462610c0b4912a4382b3cdf16e161b4e107e1b1688f0ca9abdede16fcef620c0.dll
Size

184KB
MD5

6ded2764a5ec08b082fd5a9ad0566d8a
SHA1

fa86e9731db2979e9d8edfb8a00675b780193e25
SHA256

462610c0b4912a4382b3cdf16e161b4e107e1b1688f0ca9abdede16fcef620c0
SHA512

67569c245f59923e016fa2f663ac71d58e77b5e9749f68f3d6b05596f30b9dac105c5d7cffe23d45776f55f8d3b79bac05e5c7500953238cbbd8703d487ac240
SSDEEP

3072:gOu9bIE1JFXr+BxK/+xltRQWJZ97XWfLztyxem8tPQ8M8WANSt6Q+pywpe79F37n:xE1nXMxK/ItRQu97Xeztyom8tPQ8M8Cm

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
57	5048	rundll32.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4436	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DNSR\Parameters\ServiceDll = "C:\\Windows\\system32\\ctfmon.dll"	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lsass.dll	rundll32.exe
File created	C:\Windows\SysWOW64\ctfmon.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.dll	rundll32.exe
File created	C:\Windows\SysWOW64\lsass.dll	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5048	rundll32.exe
5048	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	rundll32.exe
Token: SeShutdownPrivilege	5048	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 428	4048	rundll32.exe	82
PID 4048 wrote to memory of 428	4048	rundll32.exe	82
PID 4048 wrote to memory of 428	4048	rundll32.exe	82
PID 428 wrote to memory of 5048	428	rundll32.exe	83
PID 428 wrote to memory of 5048	428	rundll32.exe	83
PID 428 wrote to memory of 5048	428	rundll32.exe	83
PID 5048 wrote to memory of 4436	5048	rundll32.exe	94
PID 5048 wrote to memory of 4436	5048	rundll32.exe	94
PID 5048 wrote to memory of 4436	5048	rundll32.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\462610c0b4912a4382b3cdf16e161b4e107e1b1688f0ca9abdede16fcef620c0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\462610c0b4912a4382b3cdf16e161b4e107e1b1688f0ca9abdede16fcef620c0.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\462610c0b4912a4382b3cdf16e161b4e107e1b1688f0ca9abdede16fcef620c0.dll,CTFInit
    3⤵
    - Blocklisted process makes network request
    - Sets DLL path for service in the registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Core Networking - IPHTTPSSL (TCP-In)" service=* dir=in protocol=tcp localport=300-400 action=allow
      4⤵
      Modifies Windows Firewall
      PID:4436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-133-0x0000000002DE0000-0x0000000002E07000-memory.dmp

Filesize
156KB

Download
memory/428-134-0x0000000002DE1000-0x0000000002DFE000-memory.dmp

Filesize
116KB

Download
memory/5048-137-0x0000000000EC1000-0x0000000000EDE000-memory.dmp

Filesize
116KB

Download
memory/5048-136-0x0000000000EC0000-0x0000000000EE7000-memory.dmp

Filesize
156KB

Download