e498b7a3b8c47519121d0f94bca46d9d4f4611a348377a1070cad78745e4f1b2

Analysis

max time kernel
7s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2022 07:52

Target

resources/PIM.dll
Size

1.1MB
MD5

8a8d943c793fe03b7fc5d7b7119a966c
SHA1

1cb156d3eccec109b049bfe3acc815091080c62e
SHA256

48140a6d158c3da0e42bd745405360917241c5d52c779d97501e218c205042fa
SHA512

8de627fb8220c3e03879b7fb97ee829d87a73da6e3b05059d657848452410c5524d19553b1533cbb42410aa6835c1fc665140f6394577eb75c94e6327fddd640
SSDEEP

24576:2vHs74ORv0WoUvDvdpEoV4eta7QMFH8PqLirMAY1Y7z5wkIhDhTAZ4VU:qs74W0ADvYNnFOx5ChFTAZyU

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4896 wrote to memory of 2128	4896	rundll32.exe	rundll32.exe
PID 4896 wrote to memory of 2128	4896	rundll32.exe	rundll32.exe
PID 4896 wrote to memory of 2128	4896	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\PIM.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\resources\PIM.dll,#1
2⤵
PID:2128

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact