5f1d5ab62e8a5ed2d6fdf36c7a12126b7f438f5186ff7509dd13f9c20dd516d7

Analysis

max time kernel
122s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f1d5ab62e8a5ed2d6fdf36c7a12126b7f438f5186ff7509dd13f9c20dd516d7.dll
Size

28KB
MD5

a2a3af5ba3c5570cfc7d47839e580130
SHA1

d77042246de28f636250e9d80a4e408d26a86918
SHA256

5f1d5ab62e8a5ed2d6fdf36c7a12126b7f438f5186ff7509dd13f9c20dd516d7
SHA512

671f9a98139f68a93ca225d15c5eeb749d1b2b8db7ee100ca70517409a6b6808331bf491b01ff47ed087e09c2890ade082d2c5c678d8bc61acfa7f6125d6a8ca
SSDEEP

384:rqFVDz6bErWuw8ZJxFWsvkLrQkQT5YM/BVQdVDxfNPHPPsNFOhYe8pHWM4+lD9Zy:rqFR6uBkrrwKM/BVQJBsNFAWFzvqI

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Office = "C:\\Windows\\system32\\msoff.exe"	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1188	1060	rundll32.exe	27
PID 1060 wrote to memory of 1188	1060	rundll32.exe	27
PID 1060 wrote to memory of 1188	1060	rundll32.exe	27
PID 1060 wrote to memory of 1188	1060	rundll32.exe	27
PID 1060 wrote to memory of 1188	1060	rundll32.exe	27
PID 1060 wrote to memory of 1188	1060	rundll32.exe	27
PID 1060 wrote to memory of 1188	1060	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f1d5ab62e8a5ed2d6fdf36c7a12126b7f438f5186ff7509dd13f9c20dd516d7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f1d5ab62e8a5ed2d6fdf36c7a12126b7f438f5186ff7509dd13f9c20dd516d7.dll,#1
  2⤵
  - Adds Run key to start application
  PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-54-0x0000000000000000-mapping.dmp

Download
memory/1188-55-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download