d036cf5fb0c134cc608d994cfd88e8eeb816ffc1bb4104265558fadaf418debb

Analysis

max time kernel
152s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 01:16

Target

d036cf5fb0c134cc608d994cfd88e8eeb816ffc1bb4104265558fadaf418debb.dll
Size

32KB
MD5

3e044f499e325c952f0b6fbeea60d478
SHA1

76780ed9abfe48af178db74be4f74c69758977e1
SHA256

d036cf5fb0c134cc608d994cfd88e8eeb816ffc1bb4104265558fadaf418debb
SHA512

cea9e8f8392536368d42c73c49cc007a84993df4c764a833a633125497c3ec4743496a5498550d2ece73a935d19fe163cf314501c1dd9a60f2ee8f78a09ac476
SSDEEP

768:t+XPVv7zSMlh6XUw1x/cTwL8NzN4m407QL:qtJ6Xh1x/CBx40sL

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
1436	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lua.wkl	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\lua.wkl	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\mspxf.dll	rundll32.exe
File opened for modification	C:\Windows\mspxf.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "d036cf5fb0c134cc608d994cfd88e8eeb816ffc1bb4104265558fadaf418debb.dll,1295178649,408043380,-352895392"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 648	2056	rundll32.exe	82
PID 2056 wrote to memory of 648	2056	rundll32.exe	82
PID 2056 wrote to memory of 648	2056	rundll32.exe	82
PID 648 wrote to memory of 1436	648	rundll32.exe	83
PID 648 wrote to memory of 1436	648	rundll32.exe	83
PID 648 wrote to memory of 1436	648	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d036cf5fb0c134cc608d994cfd88e8eeb816ffc1bb4104265558fadaf418debb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d036cf5fb0c134cc608d994cfd88e8eeb816ffc1bb4104265558fadaf418debb.dll,#1
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\mspxf.dll",_RunAs@16
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1436

C:\Windows\mspxf.dll

Filesize
32KB

MD5
3e044f499e325c952f0b6fbeea60d478

SHA1
76780ed9abfe48af178db74be4f74c69758977e1

SHA256
d036cf5fb0c134cc608d994cfd88e8eeb816ffc1bb4104265558fadaf418debb

SHA512
cea9e8f8392536368d42c73c49cc007a84993df4c764a833a633125497c3ec4743496a5498550d2ece73a935d19fe163cf314501c1dd9a60f2ee8f78a09ac476

Download Submit
C:\Windows\mspxf.dll

Filesize
32KB

MD5
3e044f499e325c952f0b6fbeea60d478

SHA1
76780ed9abfe48af178db74be4f74c69758977e1

SHA256
d036cf5fb0c134cc608d994cfd88e8eeb816ffc1bb4104265558fadaf418debb

SHA512
cea9e8f8392536368d42c73c49cc007a84993df4c764a833a633125497c3ec4743496a5498550d2ece73a935d19fe163cf314501c1dd9a60f2ee8f78a09ac476

Download Submit
memory/648-133-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/648-137-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1436-138-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download