Analysis
-
max time kernel
26s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 13:21
Static task
static1
Behavioral task
behavioral1
Sample
b237a4a02cbd9135a2ee1a245ba19dfcf294c2d9e109b45081d93d5546d7bf25.dll
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
b237a4a02cbd9135a2ee1a245ba19dfcf294c2d9e109b45081d93d5546d7bf25.dll
Resource
win10v2004-20220901-en
General
-
Target
b237a4a02cbd9135a2ee1a245ba19dfcf294c2d9e109b45081d93d5546d7bf25.dll
-
Size
65KB
-
MD5
586461220debc3120aa5aa2aa1c0a723
-
SHA1
da7df07441fc2ae51fae095845e5f6717cb3558c
-
SHA256
b237a4a02cbd9135a2ee1a245ba19dfcf294c2d9e109b45081d93d5546d7bf25
-
SHA512
c483f79af560ba9a09395fd8de5bb5497498393f0e950306e3d706e66dd7084094dfd08d46c45c9c9e9b2b35890a79c7a78e8d926f04149ab14824ccdf69dd97
-
SSDEEP
768:9dkl/S28qHqfO1YkIYkOYqgmhhhfDVevQcnCSDCOehh2vd9ayK74UAMEGzsmKQkw:9GSRqHq21UYzyok4QCJOpv7ayK7HX5
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 1936 regsvr32.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2008 wrote to memory of 960 2008 rundll32.exe rundll32.exe PID 2008 wrote to memory of 960 2008 rundll32.exe rundll32.exe PID 2008 wrote to memory of 960 2008 rundll32.exe rundll32.exe PID 2008 wrote to memory of 960 2008 rundll32.exe rundll32.exe PID 2008 wrote to memory of 960 2008 rundll32.exe rundll32.exe PID 2008 wrote to memory of 960 2008 rundll32.exe rundll32.exe PID 2008 wrote to memory of 960 2008 rundll32.exe rundll32.exe PID 960 wrote to memory of 1936 960 rundll32.exe regsvr32.exe PID 960 wrote to memory of 1936 960 rundll32.exe regsvr32.exe PID 960 wrote to memory of 1936 960 rundll32.exe regsvr32.exe PID 960 wrote to memory of 1936 960 rundll32.exe regsvr32.exe PID 960 wrote to memory of 1936 960 rundll32.exe regsvr32.exe PID 960 wrote to memory of 1936 960 rundll32.exe regsvr32.exe PID 960 wrote to memory of 1936 960 rundll32.exe regsvr32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b237a4a02cbd9135a2ee1a245ba19dfcf294c2d9e109b45081d93d5546d7bf25.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b237a4a02cbd9135a2ee1a245ba19dfcf294c2d9e109b45081d93d5546d7bf25.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\255D.tmp3⤵
- Loads dropped DLL
PID:1936
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\255D.tmpFilesize
43KB
MD5f1f31c7bdc88d7efcff63dfe6cdf2ad0
SHA17b776bebff717b610c400e4b85e758dbc5dbc511
SHA2569373e9ae157b3b25811efe441105b099047d0adf67426e42202f5d3acc5aa847
SHA5121c4c8987378d438dc988e2af4e2eadf260ff527824de0402efc6ea21db34629fa949c1464402cc4712e57802eff80661c7b1633aba4ed2cc4b9d1abf154efc9a
-
\Users\Admin\AppData\Local\Temp\255D.tmpFilesize
43KB
MD5f1f31c7bdc88d7efcff63dfe6cdf2ad0
SHA17b776bebff717b610c400e4b85e758dbc5dbc511
SHA2569373e9ae157b3b25811efe441105b099047d0adf67426e42202f5d3acc5aa847
SHA5121c4c8987378d438dc988e2af4e2eadf260ff527824de0402efc6ea21db34629fa949c1464402cc4712e57802eff80661c7b1633aba4ed2cc4b9d1abf154efc9a
-
memory/960-54-0x0000000000000000-mapping.dmp
-
memory/960-55-0x00000000753D1000-0x00000000753D3000-memory.dmpFilesize
8KB
-
memory/960-56-0x0000000000100000-0x0000000000114000-memory.dmpFilesize
80KB
-
memory/960-58-0x0000000010000000-0x0000000010013000-memory.dmpFilesize
76KB
-
memory/1936-57-0x0000000000000000-mapping.dmp