3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d

Analysis

max time kernel
170s
max time network
212s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe
Size

79KB
MD5

75281c6808facd9b45f479e7e5f05418
SHA1

603debb0a07ce2ec2234b970c7aa52ae64cfcf19
SHA256

3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d
SHA512

4ec30433443dd2570d1f60477862159c108c1dc8efdbeb11c70458724c148088a0a924908508e2db848a51d1ae3031719b0030d2e5e101b3194d96fea6b94761
SSDEEP

1536:r+HxFEoBl0JZ1vEibGDB/SN/Aec3iuDbAUehHG6dYTFUmtEbz:r4FEBvdEiCD8WNyGbAsTFmbz

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

10 1260 rundll32.exe
11 1260 rundll32.exe
12 1260 rundll32.exe
13 1260 rundll32.exe
16 1260 rundll32.exe
17 1260 rundll32.exe
18 1260 rundll32.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

856 rundll32.exe
856 rundll32.exe
856 rundll32.exe
856 rundll32.exe
1260 rundll32.exe
1260 rundll32.exe
1260 rundll32.exe
1260 rundll32.exe

flow	pid	process
10	1260	rundll32.exe
11	1260	rundll32.exe
12	1260	rundll32.exe
13	1260	rundll32.exe
16	1260	rundll32.exe
17	1260	rundll32.exe
18	1260	rundll32.exe

pid	process
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wsasumeja = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\sLVDat32.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

rundll32.exe

pid process

856 rundll32.exe
856 rundll32.exe
856 rundll32.exe
856 rundll32.exe
856 rundll32.exe

pid	process
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exerundll32.exe

description	pid	process	target process
PID 2044 wrote to memory of 856	2044	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 2044 wrote to memory of 856	2044	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 2044 wrote to memory of 856	2044	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 2044 wrote to memory of 856	2044	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 2044 wrote to memory of 856	2044	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 2044 wrote to memory of 856	2044	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 2044 wrote to memory of 856	2044	3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe	rundll32.exe
PID 856 wrote to memory of 1260	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1260	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1260	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1260	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1260	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1260	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1260	856	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe
"C:\Users\Admin\AppData\Local\Temp\3c1f0b9fbe4130b43df2a5004928cbd18d99b7878fc3ea8561e4ea63a786ba6d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\sLVDat32.dll",Startup
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\sLVDat32.dll",iep
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\sLVDat32.dll
Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
\Users\Admin\AppData\Local\sLVDat32.dll
Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
\Users\Admin\AppData\Local\sLVDat32.dll
Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
\Users\Admin\AppData\Local\sLVDat32.dll
Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
\Users\Admin\AppData\Local\sLVDat32.dll
Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
\Users\Admin\AppData\Local\sLVDat32.dll
Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
\Users\Admin\AppData\Local\sLVDat32.dll
Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
\Users\Admin\AppData\Local\sLVDat32.dll
Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
\Users\Admin\AppData\Local\sLVDat32.dll
Filesize
79KB

MD5
555e2a27897b0b816bbcc753d3f146fe

SHA1
55965ff65e16305dd2b36a0a5ae95f0366b177d0

SHA256
f3589bbd7d6c64fb330dea8041ec276375b5981aa521a87081f2f27c1d84ed1f

SHA512
03c9c143d9cc3091d4890b3735b0516ae284a6a5a8cc8db4553e4dfde67b61dc600577bc2457f675af81093efc3998247b1467ac3b8db19ee7f8d6e97b7971aa

Download Submit
memory/856-59-0x0000000000000000-mapping.dmp

Download
memory/856-66-0x0000000010001000-0x000000001000D000-memory.dmp

Filesize
48KB

Download
memory/856-67-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/856-70-0x0000000001DA1000-0x0000000001DAE000-memory.dmp

Filesize
52KB

Download
memory/1260-71-0x0000000000000000-mapping.dmp

Download
memory/1260-81-0x0000000001FE1000-0x0000000001FEE000-memory.dmp

Filesize
52KB

Download
memory/2044-54-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/2044-58-0x0000000002071000-0x000000000207E000-memory.dmp

Filesize
52KB

Download
memory/2044-56-0x0000000010001000-0x000000001000D000-memory.dmp

Filesize
48KB

Download
memory/2044-55-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download