7e5d6b471e97176fd3df7f102d045d7c740e13fe08b260dbb8106521775f1079

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 09:46

Target

7e5d6b471e97176fd3df7f102d045d7c740e13fe08b260dbb8106521775f1079.dll
Size

37KB
MD5

8728fd583ebd5f8e493472bd9d3e8b8a
SHA1

cdf134f9ab3dcde85bcfaf686f45633933aea148
SHA256

7e5d6b471e97176fd3df7f102d045d7c740e13fe08b260dbb8106521775f1079
SHA512

21e1eb2991bebb800fdd981ffe3579ce32368a5e6045a0e04fd212294b22304e18b4a2b18145837aecff2077ee57e2d744e8bd47dcef4432fc1948ba2c7d861d
SSDEEP

768:z1raN5iQHRwYsBOETOUjet/Ijng2yLCXQMz:ZWN5iQHRkBFqb/IjP

Score

8^/10

persistence

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4112 wrote to memory of 2688	4112	rundll32.exe	rundll32.exe
PID 4112 wrote to memory of 2688	4112	rundll32.exe	rundll32.exe
PID 4112 wrote to memory of 2688	4112	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e5d6b471e97176fd3df7f102d045d7c740e13fe08b260dbb8106521775f1079.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e5d6b471e97176fd3df7f102d045d7c740e13fe08b260dbb8106521775f1079.dll,#1
2⤵
PID:2688

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2688-132-0x0000000000000000-mapping.dmp

Download
memory/2688-133-0x0000000000830000-0x0000000000859000-memory.dmp

Filesize
164KB

Download