Analysis

  • max time kernel
    22s
  • max time network
    26s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2022, 02:12

General

  • Target

    03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll

  • Size

    400KB

  • MD5

    4c4560da5b64cecdbbc7c1b7734e3000

  • SHA1

    66c5ac4a5e9a6907b934bbf30d6e99c2a36d3e42

  • SHA256

    03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255

  • SHA512

    1abb2fd04c52ea925bccdcf38bfe439bf10e62c31fa7415d27288f88752e3c69433558891770bb2589f434fa7764e3c8c2f79845555f298d584fb4822dbbee04

  • SSDEEP

    12288:2uiW+x87s5lXl2yU36PUVFp7Ws8WGYUAsw:biW3gNLU2Uss8

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:784
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll,#1
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fe5a90843c9bf40d63f8614057175cb80edc0c9671b40a304869a9876d9255.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4192
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\\~0E56E8AF.tmp"
          3⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1124

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~0E56E8AF.tmp

      Filesize

      281KB

      MD5

      5fc0a35bb3de5e0a86ca37f6770cd002

      SHA1

      0b2e889a1df3c5264c129c8a062321dcfa34fcce

      SHA256

      6125bb16e35306ea1ed2160c8bfcb3edb2d90e50946b3993052b5aa1694ad467

      SHA512

      21c8bd24fc43e8fe95de75dca3529b51e053bd53149a67a294bf74c767a6b07c66fd6d1e31dbffe3a66e05a6d8c92970002445c82c3cef24cc5926170732f78f

    • memory/1124-141-0x0000000010000000-0x000000001003B000-memory.dmp

      Filesize

      236KB

    • memory/4192-133-0x0000000010000000-0x00000000100AA000-memory.dmp

      Filesize

      680KB

    • memory/4192-137-0x0000000010000000-0x000000001004B000-memory.dmp

      Filesize

      300KB