647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 06:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4.dll
Size

1.1MB
MD5

063f68ad0710dc44b55f6afd1a8d9950
SHA1

bae52b5f8d1a6c677c062d9b5e21a31aaffeabb7
SHA256

647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4
SHA512

dfade2e7bd0155589419d64defd9133e11c89ed1f5f076406fb7b7b49e8dd4a893273839f0d8d8a081eef649885023bd179ab9fb3e654cf44b807ad96d1235fb
SSDEEP

1536:tOGC0lvO/1jNOTyoIUqf6E1sFwXb+Pf6btjNjNn:tRCoCNCPYXb+qbtD

Score

1^/10

Malware Config

Signatures

Modifies registry class 23 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\DefaultIcon	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\ShellFolder	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\ShellFolder	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\InProcServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\DefaultIcon	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4A19-985D-11309D1AC8AE}\VersionIndependentProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4A19-985D-11309D1AC8AE}\Programmable	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4A19-985D-11309D1AC8AE}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\VersionIndependentProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\ShellFolder	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\InProcServer32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4A19-985D-11309D1AC8AE}\ShellFolder	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4A19-985D-11309D1AC8AE}\ProgID	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\DefaultIcon	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4A19-985D-11309D1AC8AE}	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1088	ping.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2028	1872	rundll32.exe	27
PID 1872 wrote to memory of 2028	1872	rundll32.exe	27
PID 1872 wrote to memory of 2028	1872	rundll32.exe	27
PID 1872 wrote to memory of 2028	1872	rundll32.exe	27
PID 1872 wrote to memory of 2028	1872	rundll32.exe	27
PID 1872 wrote to memory of 2028	1872	rundll32.exe	27
PID 1872 wrote to memory of 2028	1872	rundll32.exe	27
PID 2028 wrote to memory of 1088	2028	rundll32.exe	28
PID 2028 wrote to memory of 1088	2028	rundll32.exe	28
PID 2028 wrote to memory of 1088	2028	rundll32.exe	28
PID 2028 wrote to memory of 1088	2028	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4.dll,#1
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\ping.exe
    ping 127.0.0.1 -n 5 >nul&del /q /f rundll32.exe
    3⤵
    - Runs ping.exe
    PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-55-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download