647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4

Analysis

max time kernel
98s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 06:16

Target

647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4.dll
Size

1.1MB
MD5

063f68ad0710dc44b55f6afd1a8d9950
SHA1

bae52b5f8d1a6c677c062d9b5e21a31aaffeabb7
SHA256

647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4
SHA512

dfade2e7bd0155589419d64defd9133e11c89ed1f5f076406fb7b7b49e8dd4a893273839f0d8d8a081eef649885023bd179ab9fb3e654cf44b807ad96d1235fb
SSDEEP

1536:tOGC0lvO/1jNOTyoIUqf6E1sFwXb+Pf6btjNjNn:tRCoCNCPYXb+qbtD

Score

1^/10

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
1620	ping.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 1052	4184	rundll32.exe	76
PID 4184 wrote to memory of 1052	4184	rundll32.exe	76
PID 4184 wrote to memory of 1052	4184	rundll32.exe	76
PID 1052 wrote to memory of 1620	1052	rundll32.exe	77
PID 1052 wrote to memory of 1620	1052	rundll32.exe	77
PID 1052 wrote to memory of 1620	1052	rundll32.exe	77

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\647fb89a9b1621363dd9ca35d73bbf65e2dab57854d4f90e1555f0d66231e7f4.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\ping.exe
    ping 127.0.0.1 -n 5 >nul&del /q /f rundll32.exe
    3⤵
    - Runs ping.exe
    PID:1620

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact