Analysis

  • max time kernel
    68s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-10-2022 22:09

General

  • Target

    9a78c58d515e501abd5f93d196f8452c1a62736454b7313e8ee26d1fbd20b0d2.dll

  • Size

    497KB

  • MD5

    91e468a26d3874218232010daf7242fe

  • SHA1

    99d849b7b1949ce57d08baa46873aecb5cc6f304

  • SHA256

    9a78c58d515e501abd5f93d196f8452c1a62736454b7313e8ee26d1fbd20b0d2

  • SHA512

    baf343f5e5f74179450071521e56eb0fbefff00c815ca01626185442e5b16438334eef44f59f3846a880658ca3af65df45b39353e8e3fbcc8bd41aa581e49c77

  • SSDEEP

    12288:xNrMi/MhNrcnzlElRcsUhOsyG3s1AsEOO:/D/MhNgyRc5sJYns

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a78c58d515e501abd5f93d196f8452c1a62736454b7313e8ee26d1fbd20b0d2.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a78c58d515e501abd5f93d196f8452c1a62736454b7313e8ee26d1fbd20b0d2.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c takeown /f "C:\Windows\system32\msimg64.dll" && icacls "C:\Windows\system32\msimg64.dll" /grant administrators:F
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1548
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f "C:\Windows\system32\msimg64.dll"
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:896
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\system32\msimg64.dll" /grant administrators:F
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:592
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" www.google.com
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1352 CREDAT:275457 /prefetch:2
          4⤵
          • Loads dropped DLL
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • File Permissions Modification (T1222): 1
  • Modify Registry (T1112): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    f4ad42187647f9247c23128b89f11ab0

    SHA1

    12c6dd4f1ea665c20b1ee1024fff3bedef9d8140

    SHA256

    3973d1717ec0b533fa0c5cffefba466b6483dfbfb0dadebd8b6983eac194226b

    SHA512

    b1c9542f1fe82b7559633f4bafa94e1c2c4bfa6d30449dea8e6df18aa812275f3994d9d9b37024233ff1e30bc4f2df5afedc02ede0431d9e90720e0b0314b458

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
    Filesize

    9KB

    MD5

    5d6e31c2f8fdb54a6d2c6f5918fa356b

    SHA1

    d49e223d145048793819f2e00694923c9705c5b2

    SHA256

    d9127655f8cd3400cb8c7ff7c6eda1bf28c0d9af14922ddc1269c98074f29082

    SHA512

    fbdbd767b780eaf45c4209e28eca4b2d1ddd7c12836ca3ba932185c863dde836402629f8a8c6f2646ee60652f956a5e1a5767156789abf36c35f37d50f19eb6d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MQM0YDBZ.txt
    Filesize

    608B

    MD5

    88e1ce85e061a260afd2b7db8027df37

    SHA1

    8ca865719e7ea999d81116a360b7ae2c6593e542

    SHA256

    27020eefd2fd5ffcb1458c36975eb97c5c67a6f40c0605f83e13d9c588013583

    SHA512

    080c8351ceac3003a860ac81e09eaf303149e5398851e5c883893a5d9afd0be8c67d048338f27d4c753a048f0c27da7e88d724eaaa7dfdf24b66b0f965cdeae6

  • C:\Windows\SysWOW64\msimg64.dll
    Filesize

    178KB

    MD5

    81cfde0d21674039ba098ac02b541d5e

    SHA1

    49b09c5afd5b7292030e8bc7f12be160f1e17c88

    SHA256

    8ffc41824530337e072481d3dbf091be3065facd95749775b205768c2d91e33d

    SHA512

    03c1dd0c2b059f81911d3d6c790d640ec01be3c40ac5c38b1d491ef75a4b73d4fe8df3da9803aa7db4a3bd0ba93c95950b6cc82d765db224cfe1cada69fad2f4

  • \Windows\SysWOW64\msimg64.dll
    Filesize

    178KB

    MD5

    81cfde0d21674039ba098ac02b541d5e

    SHA1

    49b09c5afd5b7292030e8bc7f12be160f1e17c88

    SHA256

    8ffc41824530337e072481d3dbf091be3065facd95749775b205768c2d91e33d

    SHA512

    03c1dd0c2b059f81911d3d6c790d640ec01be3c40ac5c38b1d491ef75a4b73d4fe8df3da9803aa7db4a3bd0ba93c95950b6cc82d765db224cfe1cada69fad2f4

  • memory/592-59-0x0000000000000000-mapping.dmp
  • memory/896-57-0x0000000000000000-mapping.dmp
  • memory/1548-56-0x0000000000000000-mapping.dmp
  • memory/1612-54-0x0000000000000000-mapping.dmp
  • memory/1612-55-0x0000000075681000-0x0000000075683000-memory.dmp
    Filesize

    8KB