Analysis

  • max time kernel
    108s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2022, 12:24 UTC

General

  • Target

    12afc88c6568f07bc63b2f6a7b84d42d5222b6d0d83156bced1a19c559d56dee.dll

  • Size

    113KB

  • MD5

    2bbb1c2bcb43c09f62c793b87ceee67d

  • SHA1

    854a7ef6c76992ef986a26ae1fd1ea942abac659

  • SHA256

    12afc88c6568f07bc63b2f6a7b84d42d5222b6d0d83156bced1a19c559d56dee

  • SHA512

    4b35d3466429077e34587c37c0ab90ff41b9be4bac8e6bfcaf6a2ad29afccc49a4f2b0121ea8a0fa30f852e9a7eefc25f9c7147b7f37283e3d23d6ec9a6086a5

  • SSDEEP

    3072:dwUfOBjVrYMgjXzzABvnrrUMyTc1ZvDNVQprMx95tMLdXqZLYW:dBWBjKDXzzAN8MyTc1ZvDNVQprMx95tJ

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\12afc88c6568f07bc63b2f6a7b84d42d5222b6d0d83156bced1a19c559d56dee.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\12afc88c6568f07bc63b2f6a7b84d42d5222b6d0d83156bced1a19c559d56dee.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:792
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1444
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1748
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1768

Network

  • DNS
    api.bing.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    api.bing.com
    IN A
    Response
    api.bing.com
    IN CNAME
    api-bing-com.e-0001.e-msedge.net
    api-bing-com.e-0001.e-msedge.net
    IN CNAME
    e-0001.e-msedge.net
    e-0001.e-msedge.net
    IN A
    13.107.5.80
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls
    iexplore.exe
    707 B
    7.6kB
    8
    11
  • 8.8.8.8:53
    api.bing.com
    dns
    iexplore.exe
    58 B
    134 B
    1
    1

    DNS Request

    api.bing.com

    DNS Response

    13.107.5.80

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ED2A7DB1-499F-11ED-8B2C-72E6D75F6BEB}.dat

    Filesize

    3KB

    MD5

    56c7fe4f30e1d0fbdf9bdc942ca5ed71

    SHA1

    f10df27ae9404a52efc1c9b55ccf4d8b8734b457

    SHA256

    6301d13305b759738832a545079c45241286c17a321b01fb335fc72a056d134a

    SHA512

    c6a0cc3f4a0e564586e89f562c3bf7768a255bbb5ecd278227094f6fc13e2f6d64064085838f5b0551f32fb02f2a87908d79a5af53aad3a1650bf48eda299d03

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ED2B19F1-499F-11ED-8B2C-72E6D75F6BEB}.dat

    Filesize

    3KB

    MD5

    98b531b23b17574bdaa898a319f71a4e

    SHA1

    15000f231f8148053d7cfff33550febcc4de4e9c

    SHA256

    3225c3d789990f15d8fdfe1e17e0874f0af5ed765082f66056f2a6095478126a

    SHA512

    c553fcf9f0e074697f8136a3a4b982dc1eb70097be32235f71399232cf26a97a95585be93e3a512136856eb63b0fa23478b5ef138e58074992e572edee886ffc

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7DN3SLVO.txt

    Filesize

    608B

    MD5

    613cdf4627b6795dc4aa21053e50f5ee

    SHA1

    fee00f128ed5e165dbe21a97f2e752c6facb8a56

    SHA256

    cea8c6a7acb96c8dfe64691edd3b483d7fde33b60fb596c01acdcb7dbbaf3740

    SHA512

    16c74ddb36e3d51080dd1feae9e52e4cb9e6606e4ad1bf981ff68323ebab64ce235a4b601154f016c780f3b8ee959da8d6e74525649f2bed2891e49e81b08955

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    105KB

    MD5

    9b49fec7e03c33277f188a2819b8d726

    SHA1

    a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f

    SHA256

    9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

    SHA512

    049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    105KB

    MD5

    9b49fec7e03c33277f188a2819b8d726

    SHA1

    a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f

    SHA256

    9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

    SHA512

    049a0971913562ca8a134ac889d4750c71d89fe070fadcb06dfc49401f1b9b508275921e55f3f27a31f34d520e96784d4a50959fa1aab6bad878e9e5ea61755d

  • memory/792-60-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/792-63-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/1628-55-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

    Filesize

    8KB
