c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8

Analysis

max time kernel
152s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 06:31

Target

c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll
Size

36KB
MD5

728f41a607312a9f97f23acbda0e739b
SHA1

55db1562bd60e87111b6d77663d265a8ba0c012f
SHA256

c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8
SHA512

17c16c204b8ca3d5ad4e4a7bba606e036c3e7758c3f85f13930586c5aac31798f5d07c351ae94be915a7b4cdd7bf1f8d3d77a368958f9c8edfb28fd60340fdbe
SSDEEP

768:FJknmkhqRyryjM9ny0nmgkaZHrvkXl8Y9h/nTvueHb2pVnbcuyD7UECd:F3kAY/nmoZH4XF9h/TT72pVnouy8jd

Score

9^/10

upx

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000000b2d2-59.dat	acprotect

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1812-56-0x0000000010000000-0x0000000010021000-memory.dmp	upx
behavioral1/files/0x000500000000b2d2-59.dat	upx
behavioral1/memory/896-60-0x0000000010000000-0x0000000010021000-memory.dmp	upx
behavioral1/memory/1812-61-0x0000000010000000-0x0000000010021000-memory.dmp	upx
behavioral1/memory/896-62-0x0000000010000000-0x0000000010021000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\msisse.dll	rundll32.exe
File opened for modification	C:\Windows\msisse.dll	rundll32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll,1313243789,1925935503,-1814625877"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1812	1600	rundll32.exe	27
PID 1600 wrote to memory of 1812	1600	rundll32.exe	27
PID 1600 wrote to memory of 1812	1600	rundll32.exe	27
PID 1600 wrote to memory of 1812	1600	rundll32.exe	27
PID 1600 wrote to memory of 1812	1600	rundll32.exe	27
PID 1600 wrote to memory of 1812	1600	rundll32.exe	27
PID 1600 wrote to memory of 1812	1600	rundll32.exe	27
PID 1812 wrote to memory of 896	1812	rundll32.exe	28
PID 1812 wrote to memory of 896	1812	rundll32.exe	28
PID 1812 wrote to memory of 896	1812	rundll32.exe	28
PID 1812 wrote to memory of 896	1812	rundll32.exe	28
PID 1812 wrote to memory of 896	1812	rundll32.exe	28
PID 1812 wrote to memory of 896	1812	rundll32.exe	28
PID 1812 wrote to memory of 896	1812	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll,#1
  2⤵
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 "C:\Windows\msisse.dll",_RunAs@16
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:896

C:\Windows\msisse.dll

Filesize
36KB

MD5
728f41a607312a9f97f23acbda0e739b

SHA1
55db1562bd60e87111b6d77663d265a8ba0c012f

SHA256
c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8

SHA512
17c16c204b8ca3d5ad4e4a7bba606e036c3e7758c3f85f13930586c5aac31798f5d07c351ae94be915a7b4cdd7bf1f8d3d77a368958f9c8edfb28fd60340fdbe

Download Submit
memory/896-60-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/896-62-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1812-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1812-56-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1812-61-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download