Analysis
Max time kernel: 151s
Max time network: 44s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 03/10/2022, 11:06
Static task: static1
Behavioral task: behavioral1
  Sample: 77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b.dll
  Resource: win10v2004-20220812-en
General
Target: 77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b.dll
Size: 26KB
MD5: 4b94aba146a79e43d4d8180259490569
SHA1: 9faaf6780178702eccc2768444b96f2731b14484
SHA256: 77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b
SHA512: 85113406596e91099535d31bbf92e8394cb729747dd957c762d8009edcf6f5ad42d1361ed1f31014957370346fde45925a5359b7ab3c553f8e2056123fd491b1
SSDEEP: 768:mdhhwAOoLTOtZPyn22pFbhAIS7RFx8naSmju54FL:mzwAvYDWFbnGfx8naJju2FL
Malware Config
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid 1144 rundll32.exe (3 events)

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\oficx.dll (rundll32.exe)
  File opened for modification: C:\Windows\oficx.dll (rundll32.exe)

Modifies registry class (5 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6} (rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b.dll,1293806123,-770455586,-1814625877" (rundll32.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32 (rundll32.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID (rundll32.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1144 rundll32.exe (64 events)

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1388 (rundll32.exe) wrote to memory of PID 1536, procid_target 26 (7 events)
  PID 1536 (rundll32.exe) wrote to memory of PID 1144, procid_target 27 (7 events)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b.dll,#1
   Entry point: export ordinal #1
   PID: 1388
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1388)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b.dll,#1
      Entry point: export ordinal #1
      PID: 1536
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe (child of PID 1536)
         Command line: rundll32 "C:\Windows\oficx.dll",_RunAs@16
         Entry point: export _RunAs@16
         PID: 1144
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses

The 64-bit rundll32 (PID 1388) re-launches its 32-bit SysWOW64 counterpart (PID 1536) with the same arguments, the standard hand-off when the DLL being loaded is a 32-bit image. It is that WOW64 instance that writes C:\Windows\oficx.dll, creates the CLSID keys under Wow6432Node, and starts a third rundll32 (PID 1144) on the dropped copy through the exported _RunAs@16; only the third instance shows the anti-debugging call and the process enumeration.
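The chain above (rundll32 spawning a WOW64 rundll32, which drops a DLL into the Windows root, registers CLSID keys, and spawns a third rundll32 on the dropped file) is the kind of sequence a Sysmon-based hunt can pick up without a signature for the sample itself. The Python below is an added example and not part of the sandbox report or its tooling: it runs four rules over constructed Sysmon-style events (process create 1, file create 11, registry key and value 12/13) built to mirror this run's process tree and IoCs, plus one benign rundll32 control process, and rebuilds the parent chain for PID 1144. The ParentImage of PID 1388 and of the control process, and the HKLM form of the registry paths, are assumptions; the cross-process memory writes have no direct Sysmon event and are not modelled.

```python
"""Hunt for the rundll32 behaviour chain seen in this sandbox run over
Sysmon-style events. Added example; the events below are constructed to
mirror the report's process tree and IoCs and are not real telemetry."""
import re

# rundll32.exe as the image, wherever it sits (system32 or SysWOW64)
RUNDLL32_IMAGE = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)
# rundll32[.exe] <dll>,<entry> with an optionally quoted DLL path;
# <entry> is an export name (_RunAs@16) or an ordinal (#1)
RUNDLL32_ARGS = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)
# a DLL placed directly in the Windows root, not under System32/SysWOW64
WINDOWS_ROOT_DLL = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.dll$", re.IGNORECASE)
# COM class registrations in either registry view; matches both the
# HKLM\... and \REGISTRY\MACHINE\... spellings
CLSID_KEY = re.compile(r"\\Classes\\(?:Wow6432Node\\)?CLSID\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b.dll"
SYS64 = r"C:\Windows\system32\rundll32.exe"
WOW64 = r"C:\Windows\SysWOW64\rundll32.exe"
CLSID_BASE = r"HKLM\SOFTWARE\Classes\Wow6432Node\CLSID"

# Constructed events. ParentImage for PID 1388 and for the benign control
# (PID 2000) are assumed; the report does not show them.
EVENTS = [
    {"EventID": 1, "ProcessId": 1388, "ParentProcessId": 1000, "Image": SYS64,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f"rundll32.exe {SAMPLE},#1"},
    {"EventID": 1, "ProcessId": 1536, "ParentProcessId": 1388, "Image": WOW64,
     "ParentImage": SYS64, "CommandLine": f"rundll32.exe {SAMPLE},#1"},
    {"EventID": 11, "ProcessId": 1536, "Image": WOW64, "TargetFilename": r"C:\Windows\oficx.dll"},
    {"EventID": 12, "ProcessId": 1536, "Image": WOW64,
     "TargetObject": CLSID_BASE + r"\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32"},
    {"EventID": 13, "ProcessId": 1536, "Image": WOW64,
     "TargetObject": CLSID_BASE + r"\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3}",
     "Details": "77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b.dll,1293806123,-770455586,-1814625877"},
    {"EventID": 1, "ProcessId": 1144, "ParentProcessId": 1536, "Image": WOW64,
     "ParentImage": WOW64, "CommandLine": r'rundll32 "C:\Windows\oficx.dll",_RunAs@16'},
    # benign control: rundll32 invoking a DLL that lives in System32
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 900, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL32_ARGS.search(cmdline)
    return (m.group("dll"), m.group("entry")) if m else None


def hunt(events):
    """Return (rule, pid) findings for rundll32 events that match a rule."""
    findings = []
    for ev in events:
        if not RUNDLL32_IMAGE.search(ev.get("Image", "")):
            continue  # every rule here is scoped to rundll32 as the actor
        pid, eid = ev["ProcessId"], ev["EventID"]
        if eid == 1:
            if RUNDLL32_IMAGE.search(ev.get("ParentImage", "")):
                findings.append(("rundll32_spawns_rundll32", pid))
            parsed = parse_rundll32(ev.get("CommandLine", ""))
            if parsed and WINDOWS_ROOT_DLL.match(parsed[0]):
                findings.append(("rundll32_loads_dll_from_windows_root", pid))
        elif eid == 11 and WINDOWS_ROOT_DLL.match(ev.get("TargetFilename", "")):
            findings.append(("rundll32_drops_dll_in_windows_root", pid))
        elif eid in (12, 13) and CLSID_KEY.search(ev.get("TargetObject", "")):
            findings.append(("rundll32_modifies_clsid", pid))
    return findings


def rule_counts(events):
    """Number of hits per rule, for a quick triage summary."""
    counts = {}
    for rule, _ in hunt(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def ancestry(events, pid):
    """Walk ParentProcessId links back through recorded process creates."""
    parents = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events if ev["EventID"] == 1}
    chain = [pid]
    while pid in parents and parents[pid] in parents:
        pid = parents[pid]
        chain.append(pid)
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:40s} pid={pid}")
    print("chain to 1144:", " -> ".join(map(str, ancestry(EVENTS, 1144))))
```

The rules deliberately key on where rundll32 gets its DLL and what it writes, not on the sample's hashes or the `oficx.dll` name, so a recompiled sample with a different file name still trips them; the control process shows that rundll32 on a System32 DLL with a named export is left alone.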
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 26KB
MD5: 4b94aba146a79e43d4d8180259490569
SHA1: 9faaf6780178702eccc2768444b96f2731b14484
SHA256: 77fd0e849ed7c6e10387c4d8c5e174aa78a2a8e8b287ad0cebe9585d7343384b
SHA512: 85113406596e91099535d31bbf92e8394cb729747dd957c762d8009edcf6f5ad42d1361ed1f31014957370346fde45925a5359b7ab3c553f8e2056123fd491b1