Analysis
- max time kernel: 161s
- max time network: 172s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 20:37
Static task: static1
Behavioral task: behavioral1
- Sample: ee13f57ab03be1aba271772e54d2e900a03643cd500d2b7dfbbdc54cbfd562b2.dll
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: ee13f57ab03be1aba271772e54d2e900a03643cd500d2b7dfbbdc54cbfd562b2.dll
- Resource: win10v2004-20221111-en
General
- Target: ee13f57ab03be1aba271772e54d2e900a03643cd500d2b7dfbbdc54cbfd562b2.dll
- Size: 61KB
- MD5: 258ab919ec9ea4bc2d762e08c4e00a03
- SHA1: 451bed5855aec65514e70356eeba142fa658014a
- SHA256: ee13f57ab03be1aba271772e54d2e900a03643cd500d2b7dfbbdc54cbfd562b2
- SHA512: ab3c62cb8f45c9da7543eb875bfe905592fe4a0f09108bdc50161ed0fce1693324a667d89eed4dd0e693eda40d5b494f2f79ffcbb0445b53918ec0f3cc2dafe1
- SSDEEP: 768:p+wwpmhOBHrSoPCFvQMQyA5WEEN1GXgY+JN1KUfun+71Fc4vkaSoUMmQlxkIT:p+w3hS+5TQyA5W3Gw3b7Wni1FVvkuSI
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: rundll32.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lnojuw = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ee13f57ab03be1aba271772e54d2e900a03643cd500d2b7dfbbdc54cbfd562b2.dll\",Startup"
  process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: rundll32.exe
  pid   process
  340   rundll32.exe   (6 occurrences)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid    process        target process
  PID 1384 wrote to memory of 340   1384   rundll32.exe   rundll32.exe   (7 occurrences)
  PID 340 wrote to memory of 520    340    rundll32.exe   rundll32.exe   (7 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee13f57ab03be1aba271772e54d2e900a03643cd500d2b7dfbbdc54cbfd562b2.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee13f57ab03be1aba271772e54d2e900a03643cd500d2b7dfbbdc54cbfd562b2.dll,#1
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ee13f57ab03be1aba271772e54d2e900a03643cd500d2b7dfbbdc54cbfd562b2.dll",iep
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/340-54-0x0000000000000000-mapping.dmp
- memory/340-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp (Filesize: 8KB)
- memory/340-57-0x0000000010001000-0x000000001000D000-memory.dmp (Filesize: 48KB)
- memory/340-56-0x0000000010000000-0x0000000010012000-memory.dmp (Filesize: 72KB)
- memory/340-59-0x0000000010001000-0x000000001000D000-memory.dmp (Filesize: 48KB)
- memory/340-60-0x0000000002071000-0x000000000207E000-memory.dmp (Filesize: 52KB)
- memory/520-61-0x0000000000000000-mapping.dmp
- memory/520-67-0x0000000001C41000-0x0000000001C4E000-memory.dmp (Filesize: 52KB)