Overview

overview

7

Static

static

0f87cd4e62...0e.dll

windows7-x64

7

0f87cd4e62...0e.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    160s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f87cd4e621163f8c59d0bd5023440a34ca25d63180ea6d5f700f3f84fde740e.dll

  • Size

    505KB

  • MD5

    0f68938e1640d999b2b5c7465c6568d0

  • SHA1

    ec28d4b465023055874472e715c800a4dc5799e1

  • SHA256

    0f87cd4e621163f8c59d0bd5023440a34ca25d63180ea6d5f700f3f84fde740e

  • SHA512

    abbe749f1d8f3462a69f2b56158dd594a300871e4c26a6bb70b03a0f6a418c30c335d6254802d6d589cf003620b67a3b1543aa219d5f49519ef48350eebe1dae

  • SSDEEP

    6144:SvkwugFljp/JNH1LcMah12soHDCoFaNEVscpqVpEHU/4Jgbcy:Svkwump/JNH1QPjvnNEVscsVOHU/Kfy

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Modifies Internet Explorer Protected Mode
    • Modifies Internet Explorer Protected Mode Banner
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1212
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f87cd4e621163f8c59d0bd5023440a34ca25d63180ea6d5f700f3f84fde740e.dll,#1
      2⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f87cd4e621163f8c59d0bd5023440a34ca25d63180ea6d5f700f3f84fde740e.dll,#1
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1128

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\plguxes.dat
    Filesize

    258KB

    MD5

    5cbb2c290bf6716db5c687846fdb035c

    SHA1

    bfc6673f63a5e55270225cbe89eb0ee2df05678e

    SHA256

    33b9a4b957e9f59dad7d477e327f0a5841a69e3a98d806617e9d0416c1ab5961

    SHA512

    0616ce8f0b3dd36823cc11ffcc16fb207fadacfb348ef631dc127186c32fc87005a1033ac7e9a5500be1dfe694f286a8c04d404d4f9e5e2c680481b371dcf163

    Download Submit

  • \ProgramData\plguxes.dat
    Filesize

    258KB

    MD5

    5cbb2c290bf6716db5c687846fdb035c

    SHA1

    bfc6673f63a5e55270225cbe89eb0ee2df05678e

    SHA256

    33b9a4b957e9f59dad7d477e327f0a5841a69e3a98d806617e9d0416c1ab5961

    SHA512

    0616ce8f0b3dd36823cc11ffcc16fb207fadacfb348ef631dc127186c32fc87005a1033ac7e9a5500be1dfe694f286a8c04d404d4f9e5e2c680481b371dcf163

    Download Submit

  • memory/1128-61-0x0000000010000000-0x000000001002F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1128-56-0x0000000074FF0000-0x0000000075072000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1128-59-0x00000000007D0000-0x0000000000845000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1128-60-0x0000000010000000-0x000000001004F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1128-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1128-73-0x0000000010000000-0x000000001002F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1128-74-0x0000000000980000-0x00000000009CE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1128-75-0x0000000002A60000-0x0000000002AD8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1212-63-0x0000000002A80000-0x0000000002ACE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1212-70-0x0000000002A80000-0x0000000002ACE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1212-71-0x0000000002AD0000-0x0000000002B39000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1644-72-0x0000000001C40000-0x0000000001CA9000-memory.dmp

    Filesize

    420KB

    Download