f5f6384c04ea332c3323986b7fa93fedf3fd7269251e4c262be6d949ead0682f

Analysis

max time kernel
152s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5f6384c04ea332c3323986b7fa93fedf3fd7269251e4c262be6d949ead0682f.dll
Size

76KB
MD5

a00e502af12b31fa57e256ce27138210
SHA1

21c05007caabc95c3cf3c7a7083febe08a3b10eb
SHA256

f5f6384c04ea332c3323986b7fa93fedf3fd7269251e4c262be6d949ead0682f
SHA512

6590b4bcbd6cfa1cfed1ca173dfcdb1a1bd924f15f2bae310a9bcdbfb78480cfc2d0201271bcab57e04b5edac914d24935bc9bfbe61f40466313f4e74082095d
SSDEEP

768:skSVofgGR8vBS5EmY22FPiY3eceWJT5/XstRFc+k41tdzD9W5bPTh7QL5o:skSV4gwyg2FJ38WJN/XstNXtvW5M

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{44357150-0F9D-4303-BB04-7DA296CA190A}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C4A6FDB1-6984-41D3-890A-4D0021FA3DA7}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 4952	1936	rundll32.exe	77
PID 1936 wrote to memory of 4952	1936	rundll32.exe	77
PID 1936 wrote to memory of 4952	1936	rundll32.exe	77

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5f6384c04ea332c3323986b7fa93fedf3fd7269251e4c262be6d949ead0682f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5f6384c04ea332c3323986b7fa93fedf3fd7269251e4c262be6d949ead0682f.dll,#1
  2⤵
  PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4952-133-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads