Analysis
max time kernel: 152s
max time network: 2s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2022, 06:31
Behavioral task: behavioral1
Sample: c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll
Resource: win10v2004-20220812-en
General
Target: c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll
Size: 36KB
MD5: 728f41a607312a9f97f23acbda0e739b
SHA1: 55db1562bd60e87111b6d77663d265a8ba0c012f
SHA256: c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8
SHA512: 17c16c204b8ca3d5ad4e4a7bba606e036c3e7758c3f85f13930586c5aac31798f5d07c351ae94be915a7b4cdd7bf1f8d3d77a368958f9c8edfb28fd60340fdbe
SSDEEP: 768:FJknmkhqRyryjM9ny0nmgkaZHrvkXl8Y9h/nTvueHb2pVnbcuyD7UECd:F3kAY/nmoZH4XF9h/TT72pVnouy8jd
Malware Config

Signatures
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
resource                                        yara_rule
behavioral2/files/0x000a000000022f5d-135.dat    acprotect
behavioral2/files/0x000a000000022f5d-136.dat    acprotect

yara_rule upx matches (6 IoCs)
resource                                                                  yara_rule
behavioral2/memory/3272-133-0x0000000010000000-0x0000000010021000-memory.dmp    upx
behavioral2/files/0x000a000000022f5d-135.dat                              upx
behavioral2/files/0x000a000000022f5d-136.dat                              upx
behavioral2/memory/836-137-0x0000000010000000-0x0000000010021000-memory.dmp     upx
behavioral2/memory/3272-138-0x0000000010000000-0x0000000010021000-memory.dmp    upx
behavioral2/memory/836-139-0x0000000010000000-0x0000000010021000-memory.dmp     upx
Loads dropped DLL (1 IoC)
pid    Process
836    rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid    Process
836    rundll32.exe
836    rundll32.exe
836    rundll32.exe
Drops file in Windows directory (2 IoCs)
description                     ioc                      Process
File created                    C:\Windows\msisse.dll    rundll32.exe
File opened for modification    C:\Windows\msisse.dll    rundll32.exe
Modifies registry class (5 IoCs)
description        ioc                                                                                                                                          Process
Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}                                                  rundll32.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}                                                  rundll32.exe
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B3AC3FA-B695-41b6-BAA0-860EB5EB6FD6}\{F69EB73C-700A-42c9-8F9D-E8C4ABC27EF3} = "c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll,1313243789,1925935503,-1814625877"    rundll32.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32                                   rundll32.exe
Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID                                                                                         rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid    Process
836    rundll32.exe    (this row is repeated 64 times; every IoC is from PID 836)
Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid     Process         procid_target
PID 1936 wrote to memory of 3272     1936    rundll32.exe    77
PID 1936 wrote to memory of 3272     1936    rundll32.exe    77
PID 1936 wrote to memory of 3272     1936    rundll32.exe    77
PID 3272 wrote to memory of 836      3272    rundll32.exe    78
PID 3272 wrote to memory of 836      3272    rundll32.exe    78
PID 3272 wrote to memory of 836      3272    rundll32.exe    78
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll,#1
   PID: 1936
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8.dll,#1
      PID: 3272
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32 "C:\Windows\msisse.dll",_RunAs@16
         PID: 836
         - Loads dropped DLL
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
Downloads
Filesize: 36KB
MD5: 728f41a607312a9f97f23acbda0e739b
SHA1: 55db1562bd60e87111b6d77663d265a8ba0c012f
SHA256: c4f7bfba05ac4ac900ae38a6a60d5d0b4f6d568250216050ceae1d99c220c2b8
SHA512: 17c16c204b8ca3d5ad4e4a7bba606e036c3e7758c3f85f13930586c5aac31798f5d07c351ae94be915a7b4cdd7bf1f8d3d77a368958f9c8edfb28fd60340fdbe