0369d7a411b78495bed17e54c373d02352c079181d436dc2ac36c09cc0738605

Analysis

max time kernel
189s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0369d7a411b78495bed17e54c373d02352c079181d436dc2ac36c09cc0738605.exe
Size

51KB
MD5

01caa442f800f3c574cb2e25f7a48b80
SHA1

be85110a37b933ec71e1455b05d62d33c7cf84dc
SHA256

0369d7a411b78495bed17e54c373d02352c079181d436dc2ac36c09cc0738605
SHA512

772be69bbc62d78ab8011f92fb187f2067bd346b5e1037ecf306ac7afcbd0d168556e5085b638e7b32be4c96fb1fd4dbd6137998cdc7cb7b4753880f6cab39c5
SSDEEP

1536:lQUOL6kmbIickwI0SiMJggRC6V2NKkFm5i2d:+Ua6NckwhSiMHRB2c/B

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3316 rundll32.exe
4484 rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rvefuqa = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\imfcendo.dll\",Startup"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exe

pid	process
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe
3316	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0369d7a411b78495bed17e54c373d02352c079181d436dc2ac36c09cc0738605.exerundll32.exe

description	pid	process	target process
PID 2292 wrote to memory of 3316	2292	0369d7a411b78495bed17e54c373d02352c079181d436dc2ac36c09cc0738605.exe	rundll32.exe
PID 2292 wrote to memory of 3316	2292	0369d7a411b78495bed17e54c373d02352c079181d436dc2ac36c09cc0738605.exe	rundll32.exe
PID 2292 wrote to memory of 3316	2292	0369d7a411b78495bed17e54c373d02352c079181d436dc2ac36c09cc0738605.exe	rundll32.exe
PID 3316 wrote to memory of 4484	3316	rundll32.exe	rundll32.exe
PID 3316 wrote to memory of 4484	3316	rundll32.exe	rundll32.exe
PID 3316 wrote to memory of 4484	3316	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\0369d7a411b78495bed17e54c373d02352c079181d436dc2ac36c09cc0738605.exe
"C:\Users\Admin\AppData\Local\Temp\0369d7a411b78495bed17e54c373d02352c079181d436dc2ac36c09cc0738605.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\imfcendo.dll",Startup
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\imfcendo.dll",iep
3⤵
- Loads dropped DLL
PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\imfcendo.dll

Filesize
51KB

MD5
258a14b3f255e9f271c8429ac853e378

SHA1
258328558ea9447d4edeac07242a2a7814a2f8b0

SHA256
c5761ba88d268edf830b27a6663bf9c8ca47d8084bde94b9d512cbe0276ce3bd

SHA512
e0a243ffd4d63a1995582b6602d36698ededd4730a9428eb15641408313317cc466ed08bced0b6aac0247dd96bc89c2b4e54bb792e95fcdc8e47e839a25ce79c

Download Submit
C:\Users\Admin\AppData\Local\imfcendo.dll

Filesize
51KB

MD5
258a14b3f255e9f271c8429ac853e378

SHA1
258328558ea9447d4edeac07242a2a7814a2f8b0

SHA256
c5761ba88d268edf830b27a6663bf9c8ca47d8084bde94b9d512cbe0276ce3bd

SHA512
e0a243ffd4d63a1995582b6602d36698ededd4730a9428eb15641408313317cc466ed08bced0b6aac0247dd96bc89c2b4e54bb792e95fcdc8e47e839a25ce79c

Download Submit
C:\Users\Admin\AppData\Local\imfcendo.dll

Filesize
51KB

MD5
258a14b3f255e9f271c8429ac853e378

SHA1
258328558ea9447d4edeac07242a2a7814a2f8b0

SHA256
c5761ba88d268edf830b27a6663bf9c8ca47d8084bde94b9d512cbe0276ce3bd

SHA512
e0a243ffd4d63a1995582b6602d36698ededd4730a9428eb15641408313317cc466ed08bced0b6aac0247dd96bc89c2b4e54bb792e95fcdc8e47e839a25ce79c

Download Submit
memory/2292-141-0x0000000002261000-0x000000000226F000-memory.dmp

Filesize
56KB

Download
memory/2292-134-0x0000000010001000-0x000000001000B000-memory.dmp

Filesize
40KB

Download
memory/2292-133-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2292-132-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3316-138-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3316-139-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3316-142-0x0000000002361000-0x000000000236F000-memory.dmp

Filesize
56KB

Download
memory/3316-135-0x0000000000000000-mapping.dmp

Download
memory/4484-143-0x0000000000000000-mapping.dmp

Download
memory/4484-148-0x0000000001371000-0x000000000137F000-memory.dmp

Filesize
56KB

Download