b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe
Size

77KB
MD5

0d7f30b58adbe01970701d404ae03a81
SHA1

3db549b559de9c8f3e7859415466fc3a7aaeeac6
SHA256

b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac
SHA512

deee13f77058675d88ee3e906643edfb4e62f0485e139a28c71751ee165ef6f8366650707bb8b6eda0e5952ec2072542150dbbd4b9f67369efb4cd8bc7868f83
SSDEEP

1536:mOOK+dCTZQuwRMeFZ9sC7UzQp2bwoMCckLQ+l+vYXGFjFn5H4yeUK:1OKLwRR3s7QMbiC3Q+l+ZFjz7hK

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1856	rundll32.exe
1856	rundll32.exe
1856	rundll32.exe
1856	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetIDS = "RUNDLL32.EXE \"C:\\Users\\Admin\\AppData\\Local\\netids.dll\",Init1"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1856	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1856	1476	b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe	27
PID 1476 wrote to memory of 1856	1476	b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe	27
PID 1476 wrote to memory of 1856	1476	b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe	27
PID 1476 wrote to memory of 1856	1476	b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe	27
PID 1476 wrote to memory of 1856	1476	b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe	27
PID 1476 wrote to memory of 1856	1476	b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe	27
PID 1476 wrote to memory of 1856	1476	b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe	27

C:\Users\Admin\AppData\Local\Temp\b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe
"C:\Users\Admin\AppData\Local\Temp\b4445471a4ad2a5efec7996f448f963cca58f15c12315a44afbdd4cc36f81fac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\mss32.dll",Start
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mss32.dll

Filesize
49KB

MD5
e226b0d6f18e827c9bfadb93cc17c1c5

SHA1
d43be7937992bf284ce7d9a1d45f65fdb9959689

SHA256
75a4db4a79550caefc7cfcd1b53400e214208379db6f10778d04482a8e644e01

SHA512
dd8e721e830186692f2160765af78081ee25e7d4c08ff535fb1ff341beb0c174bc5338acf1e263926415590db2fb11da9a08a418aab0fd5ca2aad61868aaf432

Download Submit
\Users\Admin\AppData\Local\Temp\mss32.dll

Filesize
49KB

MD5
e226b0d6f18e827c9bfadb93cc17c1c5

SHA1
d43be7937992bf284ce7d9a1d45f65fdb9959689

SHA256
75a4db4a79550caefc7cfcd1b53400e214208379db6f10778d04482a8e644e01

SHA512
dd8e721e830186692f2160765af78081ee25e7d4c08ff535fb1ff341beb0c174bc5338acf1e263926415590db2fb11da9a08a418aab0fd5ca2aad61868aaf432

Download Submit
\Users\Admin\AppData\Local\Temp\mss32.dll

Filesize
49KB

MD5
e226b0d6f18e827c9bfadb93cc17c1c5

SHA1
d43be7937992bf284ce7d9a1d45f65fdb9959689

SHA256
75a4db4a79550caefc7cfcd1b53400e214208379db6f10778d04482a8e644e01

SHA512
dd8e721e830186692f2160765af78081ee25e7d4c08ff535fb1ff341beb0c174bc5338acf1e263926415590db2fb11da9a08a418aab0fd5ca2aad61868aaf432

Download Submit
\Users\Admin\AppData\Local\Temp\mss32.dll

Filesize
49KB

MD5
e226b0d6f18e827c9bfadb93cc17c1c5

SHA1
d43be7937992bf284ce7d9a1d45f65fdb9959689

SHA256
75a4db4a79550caefc7cfcd1b53400e214208379db6f10778d04482a8e644e01

SHA512
dd8e721e830186692f2160765af78081ee25e7d4c08ff535fb1ff341beb0c174bc5338acf1e263926415590db2fb11da9a08a418aab0fd5ca2aad61868aaf432

Download Submit
\Users\Admin\AppData\Local\Temp\mss32.dll

Filesize
49KB

MD5
e226b0d6f18e827c9bfadb93cc17c1c5

SHA1
d43be7937992bf284ce7d9a1d45f65fdb9959689

SHA256
75a4db4a79550caefc7cfcd1b53400e214208379db6f10778d04482a8e644e01

SHA512
dd8e721e830186692f2160765af78081ee25e7d4c08ff535fb1ff341beb0c174bc5338acf1e263926415590db2fb11da9a08a418aab0fd5ca2aad61868aaf432

Download Submit
memory/1856-55-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download