4264447073a3838bbdf7181ea26a61e28f5ed251c5f6fd1135176c140fd8e246

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4264447073a3838bbdf7181ea26a61e28f5ed251c5f6fd1135176c140fd8e246.dll
Size

425KB
MD5

93907e292afbc54e94303def563a2395
SHA1

335366512ac527f7139a3d8f493c26caf13296c3
SHA256

4264447073a3838bbdf7181ea26a61e28f5ed251c5f6fd1135176c140fd8e246
SHA512

1f5bf0a27d3cdc89adb70e9e0e8b7318dac68407628ee90973efa419c7f4e3fc53199c1ff5fde7abfb3fa78216e00c3a216c271746c57d759d5704c7f9e0fdba
SSDEEP

12288:lFkOioC24MGjxPCNc25crwKQCSRo2gT4qkpB:8M4x4NrXK1SRIMqk

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\{2F37C36E8718D6FDFD46E63C7ACAB809}\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\B740.tmp"	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4964	5080	rundll32.exe	83
PID 5080 wrote to memory of 4964	5080	rundll32.exe	83
PID 5080 wrote to memory of 4964	5080	rundll32.exe	83
PID 4964 wrote to memory of 1148	4964	rundll32.exe	84
PID 4964 wrote to memory of 1148	4964	rundll32.exe	84
PID 4964 wrote to memory of 1148	4964	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4264447073a3838bbdf7181ea26a61e28f5ed251c5f6fd1135176c140fd8e246.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4264447073a3838bbdf7181ea26a61e28f5ed251c5f6fd1135176c140fd8e246.dll,#1
  2⤵
  - Sets service image path in registry
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AA6E.tmp
    3⤵
    - Loads dropped DLL
    PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AA6E.tmp

Filesize
353KB

MD5
72d8a9f7f130d3cce5e8db1e7bcf3ed6

SHA1
a673793376030c2f097ffe36752db159de859809

SHA256
177549ee792c376bc2b48904ac6ece445fe34451af219ff60a73c6183e445ac7

SHA512
784a0e49820e7ada1bfc45d566fb5296be260ddb1bc8e73ecbcc022c8d32c7769ad11e2e9cfa36ebfe86677021fb8a2767aa273a8b62cda555fb066ef1bafce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA6E.tmp

Filesize
353KB

MD5
72d8a9f7f130d3cce5e8db1e7bcf3ed6

SHA1
a673793376030c2f097ffe36752db159de859809

SHA256
177549ee792c376bc2b48904ac6ece445fe34451af219ff60a73c6183e445ac7

SHA512
784a0e49820e7ada1bfc45d566fb5296be260ddb1bc8e73ecbcc022c8d32c7769ad11e2e9cfa36ebfe86677021fb8a2767aa273a8b62cda555fb066ef1bafce9

Download Submit
memory/1148-139-0x0000000000560000-0x00000000005B6000-memory.dmp

Filesize
344KB

Download
memory/4964-133-0x0000000002AA0000-0x0000000002B0B000-memory.dmp

Filesize
428KB

Download