e020c3519cb3b892fb4907a8211c9eabeb1281faa2bb504203e87a6a1d823b17

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e020c3519cb3b892fb4907a8211c9eabeb1281faa2bb504203e87a6a1d823b17.dll
Size

442KB
MD5

91e9ab27344dd9829fbacf8cef428498
SHA1

85c0dedf53c6e7bef27ceea8989f91f40e417876
SHA256

e020c3519cb3b892fb4907a8211c9eabeb1281faa2bb504203e87a6a1d823b17
SHA512

352ad79a65528e4009fa74fbef28ae1a13a17e44611830f7cd16ac85497c093ebf5ce4b309df47d64ceed01655fcf03ba17f9d9b0419a68165aba1ecb3ab0d04
SSDEEP

6144:ZLQcyTXrowF8/u3q1Ao6+O+Rtzito2jbOcSBkThtcXQMDsHT3TyrZ/q+:9QpTXJknASRt2toiOVEfDM4HT3qq+

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\{D96B0BADCE8DDD178C723E58716C9CBC}\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\713C.tmp"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1496	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1892	2004	rundll32.exe	28
PID 2004 wrote to memory of 1892	2004	rundll32.exe	28
PID 2004 wrote to memory of 1892	2004	rundll32.exe	28
PID 2004 wrote to memory of 1892	2004	rundll32.exe	28
PID 2004 wrote to memory of 1892	2004	rundll32.exe	28
PID 2004 wrote to memory of 1892	2004	rundll32.exe	28
PID 2004 wrote to memory of 1892	2004	rundll32.exe	28
PID 1892 wrote to memory of 1496	1892	rundll32.exe	29
PID 1892 wrote to memory of 1496	1892	rundll32.exe	29
PID 1892 wrote to memory of 1496	1892	rundll32.exe	29
PID 1892 wrote to memory of 1496	1892	rundll32.exe	29
PID 1892 wrote to memory of 1496	1892	rundll32.exe	29
PID 1892 wrote to memory of 1496	1892	rundll32.exe	29
PID 1892 wrote to memory of 1496	1892	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e020c3519cb3b892fb4907a8211c9eabeb1281faa2bb504203e87a6a1d823b17.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e020c3519cb3b892fb4907a8211c9eabeb1281faa2bb504203e87a6a1d823b17.dll,#1
  2⤵
  - Sets service image path in registry
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5FEC.tmp
    3⤵
    - Loads dropped DLL
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5FEC.tmp

Filesize
374KB

MD5
ddd26fc1949d0feae735c495a3f01b3e

SHA1
8323e78ea26abfaf3aaf327b0ea5bb2e88871d21

SHA256
94e1d9f9efc254c4898d5fec3f91ed619ee7595ef45841af94d8a6d1ea022b0a

SHA512
e0ad3d1abbbd724ffebafce02755e2a58a20a53302d08ba4c78500d71ba84f2c5f843f4400e952065fcf657874dae37ac7affd080d292b5c41bbfc5ec7633da5

Download Submit
\Users\Admin\AppData\Local\Temp\5FEC.tmp

Filesize
374KB

MD5
ddd26fc1949d0feae735c495a3f01b3e

SHA1
8323e78ea26abfaf3aaf327b0ea5bb2e88871d21

SHA256
94e1d9f9efc254c4898d5fec3f91ed619ee7595ef45841af94d8a6d1ea022b0a

SHA512
e0ad3d1abbbd724ffebafce02755e2a58a20a53302d08ba4c78500d71ba84f2c5f843f4400e952065fcf657874dae37ac7affd080d292b5c41bbfc5ec7633da5

Download Submit
memory/1496-64-0x00000000002A0000-0x00000000002F5000-memory.dmp

Filesize
340KB

Download
memory/1892-55-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1892-56-0x0000000000210000-0x0000000000281000-memory.dmp

Filesize
452KB

Download
memory/1892-59-0x0000000000210000-0x0000000000281000-memory.dmp

Filesize
452KB

Download